YouTube’s Sketchies II $40,000 Contest Was Hacked!

The Sketchies II video contest, sponsored by Toyota and administered by Marden-Kane Inc., was vulnerable to a textbook attack. The login fields of the judges' panel were passed to the database without any validation or escaping, so a simple SQL injection was enough to bypass authentication and gain full access to the judging interface. The grand prize for this contest was $40,000! Failing to take precautions against such a basic attack is just plain sloppy and irresponsible. One would think Toyota would have grounds for a lawsuit over this, holding either YouTube or Marden-Kane liable for putting together such a sham of a contest. Comments made by the hacker indicate that the YouTube contest and its panel of judges may be a joke. The exploit demonstrated that anyone who knew this one string could have manipulated the voting.


SQL injection is a common technique attackers use to pull information out of a database, and it can also be used to get into restricted areas of a web site, as seen in the video above. The basic idea is that the attacker submits input that the application pastes directly into its SQL text, so the input becomes part of the query instead of being treated as a plain value. In the Sketchies II incident, the attacker used a very common string that turned the login query's WHERE clause into a condition that is always true.

' OR 1=1 --

The line above is the string that was used. The leading single quote closes the quoted literal that would normally contain the input value, OR 1=1 makes the condition true for every row, and the -- comments out the rest of the original query, including the check on the second field. Filtering out quote characters helps, but it is not the real fix: a competent programmer never builds a query by concatenating raw input into the SQL string at all. The reliable fix is a parameterized (prepared) statement, where the database driver binds the input as data rather than as part of the SQL text, with input validation as a second layer. Validate those fields, folks, and bind your parameters!
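To make the mechanism concrete, here is an added example (not code from the contest site, whose queries are not public) using Python's built-in sqlite3 module. The judges table, its single account and the column names are assumptions constructed for the demonstration; the payload string is the one quoted above. The vulnerable login builds its query by string concatenation, exactly the flawed pattern described, while the safe version uses a parameterized query and treats the same payload as an ordinary, non-matching username.

```python
import sqlite3

# Constructed sample data for this example: one judge account. A real site
# would store a password hash, not plaintext; only the query shape matters here.
SAMPLE_JUDGES = [("judge1", "s3cret-pass")]

# The exact string the post describes.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Build an in-memory SQLite database holding the constructed judges table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE judges (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO judges VALUES (?, ?)", SAMPLE_JUDGES)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """The flawed pattern: user input concatenated straight into the SQL text.

    With PAYLOAD as the username this yields
      SELECT username FROM judges WHERE username = '' OR 1=1 --' AND password = '...'
    and everything after -- is a comment, so the password check disappears.
    """
    return ("SELECT username FROM judges WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Login check that pastes raw input into the query.

    Returns the matched username, or None if no row matched.
    """
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterized query.

    The ? placeholders are bound by the driver, so the quote and the -- in the
    payload are just characters inside a value and never reach the SQL parser.
    """
    sql = "SELECT username FROM judges WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("Query actually executed:", build_vulnerable_sql(PAYLOAD, "anything"))
    print("Vulnerable login, payload and no valid password:",
          login_vulnerable(conn, PAYLOAD, "anything"))
    print("Parameterized login, same payload:",
          login_safe(conn, PAYLOAD, "anything"))
    print("Parameterized login, real credentials:",
          login_safe(conn, "judge1", "s3cret-pass"))
```

Running it shows the vulnerable function returning "judge1" for the payload with a garbage password, and the parameterized function returning None for the same input. The fix is not a longer blacklist of characters; it is keeping user input out of the SQL text entirely, which is what the placeholders do.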

  



One Comment

  1. Sketchie:

    We entered this contest, it was pretty much rigged anyways. The average YouTuber never had a chance of winning, so they really never acknowledged that this happened. It’s pretty funny how a major internet company like YouTube would allow someone to waltz right in with such a simple piece of code. At any rate, thanks for explaining how this happened. There are a ton of videos about the SQL injection right on YouTube, too funny if this is where the person learned it :)
