Be the first to like this
In December 2012, Yahoo! Inc. suffered a high profile data breach at the hands of a lone hacker. Using SQL injection attacks, the hacker gained full access for the server of the affected domain. Alarmingly, the exploited vulnerability likely belonged to a third party application that was neither coded nor hosted by Yahoo!. Yahoo! was responsible for the third party application's security, yet it only had limited control of the code. This presentation will analyze the tools and methodology employed by the attacker to bypass security, explore the dangers of hosting third party code inherited from partners, vendors, or via acquisitions, and provide procedural and technical steps for securing third party code.