Writing

Software, technology, sysadmin war stories, and more.
Sunday, September 30, 2012

Stop shooting raw MySQL traffic over the Internet!

I have a quandary. What if I discovered yet another game was doing stupid things like running raw MySQL traffic over the Internet? This isn't Super Meat Boy. I covered that back in December. This is something else entirely.

Maybe it's possible to connect using a username and password which is stored plainly in the binary. Maybe you can run queries and even write back to the tables if you really wanted. The program itself certainly does it, and it's not much of a stretch to think that other queries could be run in this fashion.

The question is: do you bother telling them? Given that they were clueless enough to make something this broken and turn it loose to the world, it's possible they would react badly to the news. Instead of handling it properly and cleaning up the mess, they might go crazy and start with the legal threats or worse.

Maybe this is why some of those folks who operate with various 'anonymous' type identifiers just scrape the databases and post the dumps. The problem is exposed in the most visible way possible, and there are fewer chances to connect it back to the original discoverer.

I'm not going to do that, either, but I can see why it happens.

All I know is that if I see you throwing a "SELECT userid FROM users WHERE email='thing.i.made.up'" over the network on port 3306, I'm going to assume you don't know what you're doing.

So there's an idea: an outgoing traffic analyzer which looks for signs of badly written applications. If it spots traffic like MySQL or Postgres going out, it should grab it and let you see it right away. It might expose a great many things. Put in a whitelist so you can skip your own dev work, and it might be very useful.
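A sketch of the payload check such an analyzer would need, as an added example (not code from the original post): it recognizes a cleartext MySQL COM_QUERY packet or a PostgreSQL simple Query message in an outbound TCP payload, regardless of port, and skips allowlisted destinations. The allowlist networks, function names and sample packets are assumptions constructed for illustration, and each payload is assumed to hold exactly one whole message (no TCP reassembly).

```python
import ipaddress
import struct

# Assumed allowlist: networks where your own dev databases live.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

def parse_mysql_query(payload):
    """Return the SQL text if payload is a cleartext MySQL COM_QUERY packet, else None."""
    if len(payload) < 6:
        return None
    length = int.from_bytes(payload[0:3], "little")  # 3-byte little-endian body length
    # Byte 3 is the sequence id (0 for a new command); byte 4 is the command (0x03 = COM_QUERY).
    if payload[3] != 0 or length != len(payload) - 4 or payload[4] != 0x03:
        return None
    return payload[5:].decode("utf-8", "replace")

def parse_postgres_query(payload):
    """Return the SQL text if payload is a cleartext PostgreSQL simple Query ('Q') message."""
    if len(payload) < 6 or payload[0:1] != b"Q":
        return None
    (length,) = struct.unpack("!I", payload[1:5])  # big-endian; counts itself, not the tag byte
    if length != len(payload) - 1 or payload[-1] != 0:
        return None
    return payload[5:-1].decode("utf-8", "replace")

def inspect(dst_ip, dst_port, payload, allowlist=ALLOWLIST):
    """Return a finding for cleartext SQL leaving the host, or None if clean or allowlisted."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in allowlist):
        return None
    for proto, parser in (("mysql", parse_mysql_query), ("postgres", parse_postgres_query)):
        sql = parser(payload)
        if sql is not None:
            return {"proto": proto, "dst": f"{dst_ip}:{dst_port}", "sql": sql}
    return None

# Constructed sample packets carrying the query quoted in the post.
QUERY = "SELECT userid FROM users WHERE email='thing.i.made.up'"
_body = b"\x03" + QUERY.encode()
MYSQL_SAMPLE = len(_body).to_bytes(3, "little") + b"\x00" + _body
PG_SAMPLE = b"Q" + struct.pack("!I", len(QUERY) + 5) + QUERY.encode() + b"\x00"

if __name__ == "__main__":
    print(inspect("203.0.113.10", 3306, MYSQL_SAMPLE))
```

A TLS-wrapped connection produces no finding here, since the query text never appears in cleartext on the wire.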

Having it contribute to a hall of shame might also be fun. But that's just me.