Internet.com

ISP-Planet

ISP News

Hole in RIAA Site Exposed

On Friday, a security site well known in the hacker community exposed a critical error that opened the Recording Industry Association of America's (RIAA) website to attacks.

by Jim Wagner
of internetnews.com
[September 23, 2002]

The major security breach occurred after the RIAA's Web administrators failed to secure a portion of the site against remote access, opening the door to anyone who wanted to deface the site or upload pirated music files.

Ironically, the breach comes after the RIAA website was the victim of a major defacement a couple of weeks ago.

According to a spokesperson for the RIAA, network administrators are looking into the problem in order to close the breach. The vulnerability has now been password-protected.

"It was an oversight that has now been corrected," the spokesperson said, but wouldn't elaborate on what controls were being implemented to avoid future problems.

Officials were unaware of the vulnerability until contacted by internetnews.com, although Zone-H.org has publicized the breach since last night.

"It's amazing the site hasn't been defaced already," said Roberto Preatoni, CEO of Domina Security and founder of the Estonia-based Zone-H.org website, which claims to receive more than 100,000 hits a day.

In an instant-message interview, Preatoni speculated that it is a "strong possibility" that hackers used this very same uber-vulnerability to deface the site back in August.

Online vandals replaced the home page with satirical content aimed at poking fun at an organization widely criticized for trying to shut down peer-to-peer file trading. The hackers were even able to upload pirated music files to the RIAA website and make them available for public download.

The website was shut down for several days following the defacement, while security experts sealed up the breach and closed down remote access to its critical files. However, RIAA officials apparently overlooked the latest vulnerability.

According to Preatoni, who considers himself a "white hat" or ethical hacker, finding the breach was as easy as checking the "robots.txt" file used by every website administrator. The file is used to disallow search engines like Google and AltaVista from using spiders to publicize back-office files.

The Zone-H.org founder said the vulnerability is hard to believe, given the trouble the organization had with defacers in the past.

"In general, if you want to hide a remote access page from Webcrawlers, then you must put it into that robots.txt file," Preatoni said, "(but you must also) have the brains to make the same page not accessible from a remote user by using some IP check or password protection."
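The point in the closing quote, that a robots.txt entry hides a page from crawlers but does not restrict access to it, can be checked on one's own site. The following is an added example, not part of the original article: the robots.txt content, the paths and the response codes are constructed, and `probe` is a hypothetical callable the site owner supplies to report what an unauthenticated request to each path receives.

```python
# Added example: constructed robots.txt and constructed unauthenticated
# response codes for a hypothetical site; none of it comes from the article.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/          # hypothetical back-office path
Disallow: /stats/
Disallow: /tmp/
Disallow:
Allow: /public/
"""

# Status each path returns to a request carrying no credentials (constructed).
SAMPLE_RESPONSES = {"/admin/": 200, "/stats/": 401, "/tmp/": 403}


def disallowed_paths(robots_txt):
    """Return unique Disallow paths in file order, skipping comments and empty rules."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "disallow":
            continue
        path = value.strip()
        if path and path not in paths:  # an empty Disallow means "allow everything"
            paths.append(path)
    return paths


def audit(robots_txt, probe):
    """Classify each Disallow path by what an anonymous request receives.

    probe(path) returns the HTTP status seen without credentials,
    or None if the path was not checked.
    """
    report = {"exposed": [], "protected": [], "unknown": []}
    for path in disallowed_paths(robots_txt):
        status = probe(path)
        if status in (401, 403):
            report["protected"].append(path)
        elif status is not None and 200 <= status < 300:
            report["exposed"].append(path)  # hidden from crawlers only, not from users
        else:
            report["unknown"].append(path)  # unchecked, redirect, or error: review by hand
    return report


if __name__ == "__main__":
    for kind, paths in audit(SAMPLE_ROBOTS, SAMPLE_RESPONSES.get).items():
        print(f"{kind}: {paths}")
```

Any path reported as exposed is one where the robots.txt entry is the only thing standing between the page and a remote user, which is the condition the article describes.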
