Sunday, 29 November 2015

Major Security Flaws In Hacked Toy Manufacturer VTech

The Chinese manufacturer of educational toys VTech where recently the data of 4.8 million adults and 200,000 children were stolen customer data had not properly secured, according to the Australian security expert Troy Hunt that captured customer data analyzed.

Recently managed to get an attacker access to the customer database and approached Vice Magazine. The journalist of the magazine then contacted Hunt to verify the data. Hunt was sent several files, the largest of which was 1,7GB. This file, called parent.csv, he found the details of 4.8 million people. It was e-mail addresses, names, IP address, mailing address and encrypted passwords. The password proved to be hashed with the MD5 algorithm. It is therefore not directly readable, but MD5 has long been considered unsafe because it is easy to 'crack'. This allows an attacker can still retrieve the password.

VTech had not taken additional measures to protect the passwords, such as the use of "salts" and "stretching". However, it is not the only security problem, says Hunt. As the website does not use SSL, so all communications, including passwords, unencrypted occurs. There is no cryptographic protection of sensitive data, the expert noted. The website appears to provide a SQL statement back at login. The attacker said that he had come in via SQL injection, a problem that has been known since 1998 but is ignored by some companies still. Finally Hunt criticizes the extensive use of Flash on the website of VTech.

The expert also manages the website Have I Been Pwned, where Internet users can check whether they appear in the database of hacked websites. The data of the 4.8 million adults from the database of VTech here are now added. That does not apply to the data of 227 000 children who also were in the stolen data. Hunt has not been added. VTech has confirmed a burglary, but do not know how the attacker managed to get inside.

No comments:

Post a Comment