Page 3 of 4 (results 61 to 90 of 117)

Thread: Widget was hacked... Proof enclosed.

  1. #61
    Quote Originally Posted by InRonWeTrust View Post
    I would accuse Huck's Army, but we all know they ain't smart enough to pull off something like this.
    God wouldn't do that.



  3. #62
    And for the record, the text following the donor's name was time= which is part of the text file's layout.

    The donation feed looks something like this:

    count=166691&sum=15814216.0400&donors=Joe|Blow|City|State&time=1197869200

    Maybe the donor had an & in their name which should have been encoded. I won't worry about it unless the campaign tells us to worry.

  4. #63
    Quote Originally Posted by TheWhiteRider View Post
    if they successfully hacked it they would have made much more drastic changes to the amount displayed. IF they were trying to decrease it, they would have REALLY decreased it, and same if they were trying to increase it.


    Your logic is flawed. If someone wanted to do an attack like this, they would have to leave a lot of doubt, otherwise there would be no debate, we would know that an attack had occurred.

    I think we have to find out if somebody saw the surge and pulled the plug using the massive activity as a smokescreen. It seems odd the way donations froze and jumped around.
    "This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children." -Dwight D. Eisenhower, April 16, 1953

  5. #64
    Quote Originally Posted by idrake View Post
    Generally speaking RP has some of the best Tech people around. There is no way in hell they'd leave a hole for a SQL injection attack. That's just amateur $#@!.

    Don't worry people, computers (and users) under stress can do weird things. I've seen it all before, they can usually be explained and they're usually harmless.
    I agree about the stress issue but mistakes do happen. Just like they forgot to set up reverse DNS for the IP sending out the confirmation email after you donate. Which is why some people are not getting their confirmation emails after donating.



  7. #65
    Quote Originally Posted by Jobarra View Post
    7 year computer programmer here. ANYWHERE where you submit data in an application has the potential for a SQL injection if you DON'T code against it. You as a Database Admin might also have some power over stopping this, but ultimately it is a proactive solution on either end. YOU may protect your databases from attack, but that does not equate to automatic protection.

    That being said, from the snippet shown, I would imagine the scenario already mentioned where the parse character was included in the State field on the submission form was the actual cause.
    4 Year programmer and 10 year web/graphics designer here that agrees with you.

  8. #66
    the db probably exports an xml file to the widget using some sort of web service. guaranteed there is a layer between the db and the widget. the widget probably never even gets close to the db.

    but could someone capture all the names?

  9. #67
    0 years programmer here.

    Y'all are impressive with this discussion.

  10. #68
    Quote Originally Posted by Rhys View Post
    but could someone capture all the names?
    Unless it was programmed sloppily, I would say almost certainly not.

  11. #69
    Quote Originally Posted by Jobarra View Post
    7 year computer programmer here. ANYWHERE where you submit data in an application has the potential for a SQL injection if you DON'T code against it.
    Thank you (13 year programmer myself). People here seem to think a lot of goofy things about how secure their data is because the "professionals" are on the job. The real professionals know that screw ups are very common, especially when under constant, absurd deadlines to get things done. I'm not saying that anything happened here, but you're being naive if you think there's nothing to worry about.

  12. #70
    Quote Originally Posted by specsaregood View Post
    I find it highly UNLIKELY that the flash object is going to accept input characters and be tied to the actual donor database, where this would be a risk. If the programmer allowed that, they should be fired.

    More likely: The character separator they use for the "latest donors" input string was screwed up. i.e. somebody submitted a name that had the same character as they use to separate the data.

    SQL injection works when you allow user data to be submitted and executed in some way. The flash widget does not take data. It pushes out data.

    If anything, it would have been a sql injection attack via the submission form, not the widget.

    Edit: Nothing to worry about here. This is 11 years of programming experience talking.
    What does flash have to do with it? The characters were put into the database that way on the donor page. It was copied to the flash object after the fake hack donation was accepted. It's only incidental that it was copied to the front page, because whoever did it was a bit of an idiot and didn't mark the "don't show my name on front page". We only hope it didn't work.

  13. #71
    Quote Originally Posted by Rhys View Post
    the db probably exports an xml file to the widget using some sort of web service. guaranteed there is a layer between the db and the widget. the widget probably never even gets close to the db.

    but could someone capture all the names?
    Yes, but instead of cleaning the data first and rejecting the name as being impossible, it obviously accepted the donor so it went into the database too. The fact that it also got copied to the widget is incidental.

  14. #72
    I think it just jumped AGAIN. This time forward by... A LOT.

    Now reading $18,080,000.



  16. #73
    could these just be CC traders again?

  17. #74
    Quote Originally Posted by Maltheus View Post
    Thank you (13 year programmer myself). People here seem to think a lot of goofy things about how secure their data is because the "professionals" are on the job. The real professionals know that screw ups are very common, especially when under constant, absurd deadlines to get things done. I'm not saying that anything happened here, but you're being naive if you think there's nothing to worry about.
    Agreed. I've seen some stuff happen because people just assumed that since it was a reliable application, there were no problems. Saw a case of SQL injection in a minor intranet product that allowed someone to login as a superuser. Thank goodness it was behind the firewall and only available to company people. It was fixed rather quickly though once found.
    Want to help Dr. Paul's campaign? Canvass! Learn how at http://www.ronpaulreveres.com/
    Want to coordinate your canvassing? Become a Precinct Leader! http://voters.ronpaul2008.com/grassroots/
    Rough Draft: Final Notice of Fiscal Burden
    http://www.ronpaulforums.com/showthread.php?t=92802
    JPEG Graphic of Final Notice of Fiscal Burden http://www.ronpaulforums.com/showthread.php?t=96659

  18. #75
    I wonder what the gambling sites, who must hate things like this, are going to do. It seems pretty obvious we went well over 6 million, but I wonder if there will be a payout delay.

  19. #76
    Quote Originally Posted by TXMedStudent View Post
    0 years programmer here.

    Y'all are impressive with this discussion.
    This is what happens when we get our geek on.

  20. #77
    it's back up to 18 million.

    maybe we really did make it before 11:59PM, and the servers just locked up?

  21. #78
    You people are really making me feel great. Thanks for making me worry about getting robbed now.

    I don't know crap about this stuff but if it showed up on the widget thing I would think if it was someone hacking something they must have done a sloppy job for it to show up on that where you could see it.....
    I GOT MY BUSINESS MANAGEMENT SCIENCE DEGREE IN MY HANDS AND RAN!!!!!!! THEY'RE NEVER GETTING IT BACK!!!!!!!!!


    "It is dissent from government policies that defines the true patriot and champion of liberty."

    - Ron Paul

  22. #79
    Why would the app even allow any other characters other than letters? I mean some basic input verification code would take care of that.

  23. #80
    The widget utilizes the following delimiters:

    &^|

    Maybe they don't strip all these as they should? None of these characters are evil, they are only potential problems because the programmers chose to use them as delimiters for the fund-raising widget, and even then it's only a cosmetic problem. Yes it's possible something malicious happened, but it's also very possible it was a cosmetic quirk.
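Posts #62 and #80 describe the feed layout (`count=...&sum=...&donors=first|last|city|state&time=...`) and the separator characters the widget relies on. The following is an added illustration, not the campaign's or the widget's own code: it builds that record the naive way and with percent-encoding, parses it back, and reports (rather than guesses at) a record whose donor name contained a separator. The function names, the two-layer encoding scheme and the sample donors are this example's assumptions; only the field layout and the `&^|` separator set come from the thread.

```python
"""Delimiter handling for the donation feed format quoted in this thread.

Added illustration, not the campaign's or the widget's own code. The feed
layout (count, sum, donors=first|last|city|state, time) is taken from post #62
and the separator set "&^|" from post #80; the function names and the
two-layer encoding scheme are this example's own assumptions.
"""
from urllib.parse import parse_qsl, quote, unquote, urlencode

FEED_KEYS = ("count", "sum", "donors", "time")
DELIMITERS = "&^|"  # characters the widget treats as separators (post #80)


def build_feed_naive(count, total, donor, ts):
    """Raw concatenation: a separator character inside a name corrupts the record."""
    return "count=%d&sum=%.4f&donors=%s&time=%d" % (count, total, "|".join(donor), ts)


def build_feed_encoded(count, total, donor, ts):
    """Two encoding layers: the inner quote() protects '|' and '&' inside a part,
    the outer urlencode() protects the '&' and '=' that separate the top-level fields."""
    donors = "|".join(quote(part, safe="") for part in donor)
    return urlencode({"count": count, "sum": "%.4f" % total, "donors": donors, "time": ts})


def parse_feed(feed):
    """Split a feed record into (fields, donor_parts, problems).

    A stray '&' shows up as an unexpected key; a stray '|' shows up as the wrong
    number of donor parts. Both are reported rather than silently guessed at."""
    fields = dict(parse_qsl(feed, keep_blank_values=True))
    problems = []
    if tuple(fields) != FEED_KEYS:
        problems.append("unexpected keys: %r" % (list(fields),))
    donor_parts = [unquote(p) for p in fields.get("donors", "").split("|")]
    if len(donor_parts) != 4:
        problems.append("donor field has %d parts, expected 4" % len(donor_parts))
    return fields, donor_parts, problems


def contains_delimiter(name):
    """Input-side check in the spirit of post #79: flag a name containing a widget separator."""
    return any(c in name for c in DELIMITERS)


if __name__ == "__main__":
    # Constructed sample records, modelled on the example line in post #62
    for donor in (("Joe", "Blow", "City", "State"), ("A&B", "Smi|th", "City", "State")):
        for builder in (build_feed_naive, build_feed_encoded):
            feed = builder(166691, 15814216.04, donor, 1197869200)
            _, parts, problems = parse_feed(feed)
            print(builder.__name__, parts, problems or "ok")
```

The inner layer is needed because the outer `urlencode()` alone would decode a literal `|` in a name back into a separator on the way in; with both layers a name like `A&B` or `Smi|th` round-trips intact, while the naive builder either loses the tail of the record or splits the name into extra fields.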



  25. #81
    Quote Originally Posted by justinc.1089 View Post
    You people are really making me feel great. Thanks for making me worry about getting robbed now.

    I don't know crap about this stuff but if it showed up on the widget thing I would think if it was someone hacking something they must have done a sloppy job for it to show up on that where you could see it.....
    Well, if you had just maxed out your credit card you wouldn't have to worry about this.

    Why would the app even allow any other characters other than letters? I mean some basic input verification code would take care of that.
    Assumptions made in programming can lead to disastrous results. "Gee, this is a basic item, I'm sure someone already coded for it"

  26. #82
    here's my final answer. the widget was acting crazy. now ronpaulgraphs is showing some 0's. I think the web service crashed, started reporting reverted numbers, then came back online when it redid some math.

  27. #83
    That doesn't look like SQL injection. It looks like it's probably Shockwave Flash ActionScript. That's probably what the widget displays when the site is down. It looks more like what a pointer would be in Flash. I don't actually know anything about Flash programming, but this is a PRETTY GOOD GUESS.
    Last edited by legion; 12-16-2007 at 11:58 PM.

  28. #84

    Not to worry

    Don't see anything there that actually looks like a sql-injection attack. If this was somebody attempting a hack, it doesn't look like they had any idea how to go about it.

    Also, on most systems there's a pretty easy defense against such an attack - just use real parameters instead of constructing a dynamic sql string. This is web security 101. Do it this way, and whatever string gets passed in gets saved to the database, period.

    Lots of programmers fail to do this, but I kinda suspect we've got better people than that involved here.

  29. #85
    Quote Originally Posted by LibertyOfOne View Post
    Why would the app even allow any other characters other than letters? I mean some basic input verification code would take care of that.
    Time constraints... and accidental oversight. They are the killers in the programming world. The major thing is that major mistakes are rarely publicized, because of how badly they would impact the business and the customers' impression of how secure their transactions are. The speed at which changes have been made to the servers, the site, widgets, etc... all lead to potential holes that hackers love to try and find.

  30. #86
    Been programming since 1972..... started with Navy mainframes and worked up from there.

    I was worried from the start, there would be a 'Denial of Service' attack and people wouldn't be able to donate.

    There are ways to keep bots from crashing servers that way but does anybody know if the RonPaul2008.com site has protection from this kind of attack?
    Last edited by Dr.3D; 12-17-2007 at 12:04 AM.

  31. #87
    Quote Originally Posted by EvilEngineer View Post
    Time constraints... and accidental oversight. They are the killers in the programming world. The major thing is that major mistakes are rarely publicized, because of how badly they would impact the business and the customers' impression of how secure their transactions are. The speed at which changes have been made to the servers, the site, widgets, etc... all lead to potential holes that hackers love to try and find.
    That's why we have prepared statements and we don't give a $#@! about sql injection
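Post #84 says the defence is "real parameters instead of constructing a dynamic sql string", and #87 puts it as prepared statements. The following is an added illustration, not the campaign's code, using Python's built-in sqlite3 module on an in-memory table; the table layout, function names and sample names are assumptions. It shows that the widget's separator characters mean nothing to SQL in either path, and that an ordinary apostrophe in a name is what breaks the concatenated statement while the parameterized insert stores the string unchanged.

```python
"""Dynamic SQL versus a parameterized insert, as discussed in posts #84 and #87.

Added illustration, not the campaign's code. It uses Python's sqlite3 module
and an in-memory table; the table layout and function names are assumptions.
"""
import sqlite3


def fresh_db():
    """In-memory donors table, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors (id INTEGER PRIMARY KEY, name TEXT NOT NULL, amount REAL NOT NULL)"
    )
    return conn


def insert_dynamic(conn, name, amount):
    """The pattern post #84 warns against: the value is spliced into the SQL text,
    so the database engine cannot tell data from statement."""
    sql = "INSERT INTO donors (name, amount) VALUES ('" + name + "', " + str(amount) + ")"
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, name, amount):
    """Real parameters (the prepared statement of post #87): the SQL text is fixed and
    the value travels separately, so whatever string comes in is stored as-is."""
    conn.execute("INSERT INTO donors (name, amount) VALUES (?, ?)", (name, amount))
    conn.commit()


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM donors ORDER BY id")]


def compare(name, amount=100.0):
    """Run both inserts, each on a fresh table, and return what each produced:
    the list of stored names, or the class name of the exception it raised."""
    results = []
    for insert in (insert_dynamic, insert_parameterized):
        conn = fresh_db()
        try:
            insert(conn, name, amount)
            results.append(stored_names(conn))
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
        finally:
            conn.close()
    return tuple(results)


if __name__ == "__main__":
    # The widget's separator characters are not special to SQL: both paths store them verbatim.
    print(compare("Joe Smi^$100000000000^th"))
    # A plain apostrophe, common in real names, is what breaks the concatenated statement.
    print(compare("O'Brien"))
```

The takeaway matches #84: with parameters the string is data, period, so the question for the widget reduces to how the feed is delimited and encoded, not to what the database does with the name.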

  32. #88
    Quote Originally Posted by mexicanpizza View Post
    We saw that too. Hopefully they were taking that into account.

    Unless there really are people named Joe Smi^$100000000000^th

    Hey that's me!
    “First they ignore you, then they laugh at you, then they fight you, then you win.”
    -Mohandas Karamchand Gandhi



  34. #89
    Numbers did move back for a moment to just below the 18 range, I'm pretty sure I saw that.

  35. #90
    And by the way, it was clearly a feed format or widget parsing problem (maybe some character like '&' in the name etc). Nothing to worry about
