Google Knows Your Wordpress Passwords
Sunday, November 25th, 2007Now that is a headline that grabs your attention. It goes to the point we make here all the time about taking the time to create a headline that grabs the readers attention.
But enough about that. You want to know about Google and your passwords right?
Forgotten your password? Google can find it for you. Unfortunately
There’s a certain amount of crowing associated with hacking the blog of a security team - which might be why a hacker, apparently Russian, broke into the blog of the Cambridge University security team at the Light Blue Touchpaper blog.
He did it via some weaknesses in their Wordpress installation, upgrading himself from a plain “can post” user to an admnistrator of the blog using a zero-day (that is, previously unnoted) vulnerability, via SQL injection.
You shouldn’t, in theory, be able to extract the original text from an MD5 hash. That would take millions, or at least thousands, of computers running all the time.
But Steven Murdoch began thinking. Who is there out there who has thousands of computers running all the time? Um, everyone. And some might be generating MD5 hashes and putting them on the web…
He took the hash - 20f1aeb7819d7858684c898d1e98c1bb - from the database and stuck it into Google. Lo and behold, it turned out to be “Anthony”.
So far, so trivial. Except this: if someone does the same trick on a site that you use, they might be able to get read access to the database. They’ll be able to see the username and email associated with the MD5 hash. And, on the assumption that you use that password repeatedly, such a hacker could trawl the web looking for places you log in.
