Gearing towards WHID 2007 annual report, 2007 I came across many new interesting web hacking incidents that I missed this year and added them to the database (more details at WHID site at http://www.webappsec.org/projects/whid): So what's new at WHID this week? + A lot of problems for web hosting companies: In one of them a subsidiary of British Telecom suffered a major intrusion where someone stole all its clients e-mails, used it for spam and planted malware on their sites. All due to a programming mistake of one their programmers: WHID 2007-75: PlusNet blames itself for webmail spamfest (http://www.webappsec.org/projects/whid/byid_id_2007-75.shtml). Other hosting incidents: WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients, WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack, WHID 2007-76: A large web hosting firm inflicted by mass malware installation. + The first CSRF entry in WHID, and a really bad one: CSRF in g-mail cost someone his very successful domain, stolen by a blackmailer (WHID 2007-72: Gmail CSRF exploited to hijack a domain (http://www.webappsec.org/projects/whid/byid_id_2007-72.shtml) + Our first story from Brazil. It is not new, but the exposure to the project led someone from Brazil to send it to me. It shows how many stories we do not discover due to language barrier: WHID 2007-78: A Brazilian banking site allows users to views receipts intended for others (http://www.webappsec.org/projects/whid/byid_id_2007-78.shtml) + Among the newly defaced: MSNBC in Turkey (WHID 2007-81) & Vodafone in India (WHID 2007-80). If you have more stories - e-mail me! ~ Ofer Ofer Shezaf Work: ofers@xxxxxxxxxx, +972-9-9560036 #212 Personal: ofer@xxxxxxxxxx, +972-54-4431119 VP Security Research, Breach Security Chair, OWASP Israel Leader, ModSecurity Core Rule Set Project Leader, WASC Web Hacking Incidents Database Project
