←back to thread

Taking over 60k spyware user accounts with SQL injection

(ericdaigle.ca)
229 points mtlynch | 1 comments | 03 Jul 25 14:56 UTC | HN request time: 0.192s | source
Show context
bspammer ◴[08 Jul 25 16:54 UTC] No.44501795[source]
It's unexpected to me that someone with the technical knowhow to build spyware like this and a nice web interface for it, made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
replies(5): >>44502429 #>>44502756 #>>44504575 #>>44505187 #>>44507272 #
1. imzadi ◴[08 Jul 25 18:37 UTC] No.44502756[source]
I'd be willing to bet that getting their user's passwords is part of their goal. So they would need to be stored somewhere.