In this video, explore a detailed example of an injection attack.
- [Instructor] The impact of broken authentication attacks is arguably one of the most severe of all the vulnerability categories in the OWASP top 10. Consider what a malicious person could do if they had the keys to your house or your car or your office. Now consider what someone could do with access to any of your online accounts. If someone that is not you has your login information and can pretend to be you, then they can take any action on your behalf.
Let's take a look at some real-life examples of broken authentication attacks. The first real-life example we're going to talk about is Yahoo. Yahoo's a company that unfortunately has suffered from a number of large public data breaches in the past few years. These have resulted in a measurable and significant cost to the business. In 2017, when Yahoo was acquired by Verizon, Verizon paid 350 million dollars less than they had originally discussed, after the breaches were publicly announced.
Granted, 350 million is only about seven and a half percent of the overall acquisition price of 4.48 billion dollars, but it's still a lot of money. The particular Yahoo breach I'm talking about here occurred in 2014. The details are publicly available in this court document from 2017. The breach affected more than 500 million people, which makes it one of the largest data breaches ever. A couple of Russian spies and a couple of cyber criminals targeted Yahoo accounts with the intent of reading through emails to find other sensitive information like credit cards, financial documents and login information to other sites and accounts.
One of the main techniques that these hackers used in the attack was social engineering. The official court document reads: "In some instances, the conspirators used email messages known as spear phishing messages to trick unsuspecting recipients into giving the co-conspirators access to their computers and accounts. Spear phishing messages typically were designed to resemble emails from trustworthy senders and to encourage the recipient to open attached files or click on hyperlinks in the messages.
Some spear phishing emails attached or linked to files that, once opened or downloaded, provided unauthorized access to the recipient's computer. Other spear phishing emails lured the recipient into providing valid login credentials to his or her accounts, thereby allowing the defendants to bypass normal authentication procedures." The fact that this breach affected more than 500 million accounts unfortunately just goes to show how easy it is for a hacker to basically trick an unsuspecting user into willingly giving over their account usernames and passwords.