
227 points mtlynch | 5 comments
1. bspammer No.44501795
It's unexpected to me that someone with the technical know-how to build spyware like this and a nice web interface for it made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
replies(5): >>44502429 #>>44502756 #>>44504575 #>>44505187 #>>44507272 #
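For readers who want to see what the two mistakes named in this comment look like against their fixed counterparts, the following is an added example (not code from the thread or from the spyware being discussed). It uses only the Python standard library with a constructed in-memory SQLite database: passwords are stored as salted scrypt hashes rather than plaintext, lookups use parameterized queries, and a deliberately unsafe string-built query is kept beside the safe one so the difference in behaviour on a crafted username is visible. All names, the table layout and the sample user are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example database; a real service would use its own connection and schema.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

# scrypt work factors: n=2**14, r=8 needs 16 MiB, under hashlib's default maxmem.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with a per-user random salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def register(username: str, password: str) -> None:
    """Store a salted hash, never the plaintext password, via a parameterized INSERT."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(username: str, password: str) -> bool:
    """Parameterized lookup plus constant-time hash comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def safe_user_exists(username: str) -> bool:
    """The driver binds the value; any quotes in it are just characters."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None


def unsafe_user_exists(username: str) -> bool:
    """The mistake from the thread: user input pasted straight into SQL text.

    Kept here only to contrast with safe_user_exists; do not copy this pattern.
    """
    query = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone() is not None


def stored_as_plaintext(username: str, password: str) -> bool:
    """Check that the database column never holds the raw password bytes."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and row[0] == password.encode("utf-8")


# Constructed sample account for the example.
register("alice", "correct horse battery staple")

# A username containing SQL syntax (constructed input). The parameterized
# query treats it as literal text and finds nothing; the string-built query
# is rewritten by it and matches rows it should not.
CRAFTED_NAME = "' OR 1=1 --"

if __name__ == "__main__":
    print("login ok:", verify_login("alice", "correct horse battery staple"))
    print("wrong password:", verify_login("alice", "wrong"))
    print("plaintext on disk:", stored_as_plaintext("alice", "correct horse battery staple"))
    print("safe lookup of crafted name:", safe_user_exists(CRAFTED_NAME))
    print("unsafe lookup of crafted name:", unsafe_user_exists(CRAFTED_NAME))
```

The two safe functions differ from the unsafe one only in letting the database driver bind the value instead of formatting it into the query string; the hashing side costs a few lines and a stdlib call. Both are the kind of habit sbarre describes below as a missing mindset rather than missing skill.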
2. imzadi No.44502756
I'd be willing to bet that getting their users' passwords is part of their goal. So they would need to be stored somewhere.
3. andoando No.44504575
They probably just didn't care to.
4. sbarre No.44505187
Something I've learned over the years is that even very talented developers can be really bad at security.

In many cases it's just not something that's taught at school or that is covered in training. So it's a mindset that just isn't there, even when they're great at other parts of the craft.

If you're building anything that is going to be exposed to the public Internet and you aren't, at some point, going through the exercise of "how can people break or abuse or hack this" then you're missing a step for sure.

5. ethan_smith No.44507272
Malware developers often prioritize functionality and speed-to-market over security hygiene, operating under the "security through obscurity" fallacy that nobody will bother attacking their infrastructure.