Ning, a DIY social networking platform with 90,000 networks and more than 100 million registered users, has been hacked. Reports are flowing in from Dutch news sites detailing the vulnerability, and according to Nu.nl, as many as all 100 million accounts could have been taken over through what the reports call cookie injection: the cookie Ning hands a signed-in user can be edited so that the site treats the visitor as someone else. Update: Ning’s response is included at the bottom of this post!
From Nu.nl (via Google Translate):
The problem lies with Ning, a platform for creating your own social networks. Everyone who registers gets a cookie placed in their browser. Students Angelo Geels and Alex Brouwer then worked out how they could change its contents so that they were recorded as being logged in as a different person.
From our own sources, we found that it was Dutch students from Mediacollege Amsterdam who discovered the vulnerability in March and created a video to demonstrate it, not to abuse it. In other words, this was a proof of concept and no data was stolen, unless another, separate group discovered the security hole as well.
According to the students in question, they filed a similar report with Ning over a year ago, but it was ignored. Only recently did it become clear that the original vulnerability actually affected all 90,000 networks, which makes it a far more serious issue: one forgeable cookie format shared across the platform means one technique works against every network and every account.
Right now reports are mixed, but it appears Ning fixed the problem just in time, as reports only started to surface today. We’ve contacted Ning and are awaiting a response.
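To make the class of bug concrete, here is an added example. It is not Ning’s code and is not based on Ning’s actual cookie format, key handling or algorithm, none of which the article describes; every name, format and value in it is hypothetical and constructed for illustration. It shows a sign-in cookie that carries the user id with no integrity check (editing it is all an impersonation takes) beside one bound to a server-side HMAC key, with key rotation standing in for the forced re-login users noticed after the fix.

```python
import hashlib
import hmac
import secrets
import time

# Everything below is constructed for this example. The article does not describe
# Ning's real cookie layout, key handling or algorithm; these two schemes only
# illustrate the vulnerability class (a sign-in cookie whose contents the client
# can alter) and the usual fix (a server-keyed MAC plus key rotation).

# ---- Vulnerable scheme: the identity lives in the cookie with no integrity check.

def make_unsigned_cookie(user_id: int) -> str:
    return f"uid={user_id}"

def user_from_unsigned_cookie(cookie: str) -> int:
    # Whoever controls the cookie text controls the identity: rewriting
    # "uid=1001" to "uid=1" is enough to be treated as user 1.
    if not cookie.startswith("uid="):
        raise ValueError("malformed cookie")
    return int(cookie[4:])

# ---- Hardened scheme: uid, key id and expiry are bound together by an HMAC
# computed with a key that never leaves the server.

SERVER_KEYS = {1: secrets.token_bytes(32)}   # key id -> secret (hypothetical store)
CURRENT_KEY_ID = 1

def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_signed_cookie(user_id: int, expires_at: int) -> str:
    payload = f"{user_id}.{CURRENT_KEY_ID}.{expires_at}"
    return f"{payload}.{_mac(SERVER_KEYS[CURRENT_KEY_ID], payload)}"

def user_from_signed_cookie(cookie: str, now: int):
    """Return the user id, or None if the cookie is forged, stale or expired."""
    try:
        uid, key_id, expires_at, tag = cookie.split(".")
        key = SERVER_KEYS[int(key_id)]
    except (ValueError, KeyError):
        return None                       # malformed, or signed with a retired key
    payload = f"{uid}.{key_id}.{expires_at}"
    if not hmac.compare_digest(tag, _mac(key, payload)):
        return None                       # any edit to uid, key id or expiry breaks the tag
    if int(expires_at) <= now:
        return None
    return int(uid)

def rotate_signing_key() -> int:
    """Retire the current key. Every outstanding cookie stops validating, which
    users experience as being forced to sign in again."""
    global CURRENT_KEY_ID
    SERVER_KEYS.pop(CURRENT_KEY_ID)
    CURRENT_KEY_ID += 1
    SERVER_KEYS[CURRENT_KEY_ID] = secrets.token_bytes(32)
    return CURRENT_KEY_ID

def demo() -> dict:
    now = int(time.time())
    # The attacker starts from their own cookie (user 1001) and edits the id.
    forged = make_unsigned_cookie(1001).replace("1001", "1")
    results = {"unsigned_forgery_accepted_as": user_from_unsigned_cookie(forged)}

    good = make_signed_cookie(1001, now + 3600)
    forged_signed = good.replace("1001.", "1.", 1)
    results["signed_valid"] = user_from_signed_cookie(good, now)
    results["signed_forged"] = user_from_signed_cookie(forged_signed, now)

    rotate_signing_key()
    results["signed_after_rotation"] = user_from_signed_cookie(good, now)
    return results

if __name__ == "__main__":
    print(demo())
```

The point of the second scheme is not the cipher: encrypting a user id does not help if the server accepts whatever it decrypts, and a short or guessable key makes the tag forgeable. The server must verify a MAC it alone can compute, compare it in constant time, and be able to retire the key so that cookies issued before a fix stop working.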
Hat tip to @faridelnasire
Update: All vulnerabilities have been addressed. Ning has responded:
On April 12th, we received confidential details of a security vulnerability that could allow someone to sign in as an arbitrary Ning user. The intent was not malicious, and to our knowledge and reasonable belief, there has been no unauthorized access to user accounts. The Ning engineering team immediately took several steps: We changed the encryption information used to generate a sign-in cookie, and we changed where the information was stored. In addition, we proactively strengthened the encryption algorithm. The changes were then immediately rolled out across the Ning platform starting late last week. Ning Creators and their members may have noticed the protective measures when we forced all users to sign in again. At this time, we are confident that we have addressed the vulnerability.
We would like to thank the team that identified the vulnerability and collaborated with us to fix it. We take privacy and security very seriously at Ning. We would again like to emphasize that due to the confidential way we were approached, no user accounts have been maliciously compromised.