What is credential stuffing (撞库) and what is the basic principle of a credential stuffing attack
2022-07-29 06:35:00 【Zhongyun era - defense testable - Xiaoyu】
On the night of Friday 26 June, a large number of accounts on QQ, China's large chat application, were stolen, and they were stolen while the victims were online on QQ.
At noon on 27 June, Tencent QQ issued a statement: at around 10 p.m. on the night of 26 June it received feedback from some users that their QQ accounts had been stolen. The QQ security team attached great importance to this and immediately launched an investigation. The main cause was found to be that users had scanned a game login QR code forged by criminals and authorised the login; the login was hijacked and recorded by the gang and then used by the criminals to send bad picture advertisements.
Why does scanning a forged game login QR code and authorising the login lead to the account being stolen?
When you register an account and password on a new platform, you can usually choose to link an account from another platform and log in with it directly. The new platform then retains account data from that other platform. After the user scans the forged QR code and authorises it, the criminals can obtain the user's real account password.
In a media interview, Yuhang, an expert at the Digital Technology and Black Industry Research Institute, analysed that the QQ ecosystem is relatively open and its user base is large. Because the ecosystem is so open, user data can be authorised not only to many game platforms but also to other third-party social media platforms, and in the authorisation process the user's data is handed over as well.
The expert analysed: "More of the responsibility for the problems exposed by this incident may lie not with QQ but with the third-party platforms authorised by QQ." The expert said that with so many applications interacting with each other, data security, including account security, will be very difficult to achieve.
As the expert says, today's Internet environment is very complex and platforms authorise information to one another. Why is the security of third-party databases so important? Because one common Internet attack uses data leaked by a third party to attack accounts on other platforms and take them over. This attack is called credential stuffing (撞库, literally "database collision").
The basic principle of credential stuffing
Credential stuffing is a common form of network attack in which criminals use automated systems and stolen login credentials to break into online accounts.
In short, attackers collect usernames and passwords that have been leaked on the Internet, build a dictionary from them, and try them in bulk against other websites to harvest a set of working account/password pairs. Because many users reuse the same username and password across websites, an attacker holding a user's account on website A can try it on website B; that is the "collision". A credential stuffing attack therefore depends on password reuse: victims typically set the same user ID and password combination on several online accounts.
But a prerequisite for successful credential stuffing is a dumped database (拖库, "dragging the library").
What is database dumping, and how does it relate to credential stuffing?
The usernames and passwords an attacker tries during credential stuffing come from dumped databases. "Dragging the library" was originally a database term for exporting data from a database; here it means obtaining a copy of a website's user data.
Dumping the database is the foundation of credential stuffing and a necessary condition for it. Dumping is far more complex than stuffing and has many methods, commonly divided into social-engineering dumps and technical dumps. Social-engineering dumps rely mainly on deception, website counterfeiting, phishing, paying large sums to buy data, and theft through "free" software; technical dumps rely mainly on intrusion and attack, such as remotely downloading the database by exploiting web service or server vulnerabilities, or through web-page trojan injection, viruses, trojans, backdoors and other technical means.
Once user data has been obtained from a dump, carrying out the stuffing is comparatively simple. Most credential stuffing today is done with single-script login verification, distributed-script login verification, automated proxy login verification, or even manual verification. Free automated tools such as Sentry MBA or SNIPR make it easier for criminals to try login data and verify stolen credentials.
Taken together, credential stuffing is easy to carry out and cheap: the attack on the database only needs "dragging the library" (breaking into the website) and "washing the library" (processing and analysing the data), after which the "collision" can be run.
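To show what the batch login attempts described above look like from the defender's side, here is an added example (not part of the original article) that scans a constructed set of authentication log lines and flags sources with the credential stuffing signature: many distinct usernames, about one try each, mostly failing. The log format, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of web-app authentication log lines (not real data).
# Format assumed here: "<ISO time> ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2022-06-26T22:00:01 ip=203.0.113.7 user=alice result=fail
2022-06-26T22:00:02 ip=203.0.113.7 user=bob result=fail
2022-06-26T22:00:02 ip=203.0.113.7 user=carol result=fail
2022-06-26T22:00:03 ip=203.0.113.7 user=dave result=ok
2022-06-26T22:00:04 ip=203.0.113.7 user=erin result=fail
2022-06-26T22:00:05 ip=203.0.113.7 user=frank result=fail
2022-06-26T22:00:09 ip=198.51.100.9 user=alice result=fail
2022-06-26T22:00:15 ip=198.51.100.9 user=alice result=fail
2022-06-26T22:00:21 ip=198.51.100.9 user=alice result=ok
2022-06-26T22:01:00 ip=192.0.2.33 user=grace result=ok
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")

def parse(log_text):
    """Yield (ip, user, success) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "ok"

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources whose pattern looks like credential stuffing:
    many distinct usernames, roughly one try each, mostly failing.
    A brute-force source (many tries on one username) is deliberately not flagged."""
    attempts = defaultdict(list)
    for ip, user, ok in parse(log_text):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, tries in attempts.items():
        users = {u for u, _ in tries}
        fails = sum(1 for _, ok in tries if not ok)
        fail_ratio = fails / len(tries)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(tries),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                # a success inside a stuffing burst marks a likely compromised account
                "compromised": sorted(u for u, ok in tries if ok),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The "compromised" list is what the security team should act on first (forced password reset, session revocation), since those accounts reused a leaked password.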
The harm of credential stuffing
From December 2017 to November 2019, Akamai observed more than 85.42 billion (854亿2207万) credential stuffing attacks, and China was one of the three hardest-hit regions for malicious API logins.
Because the attack is built on personal information, and large-scale leaks of personal information in China have not stopped, and because nearly two-thirds of Internet users reuse their passwords, credential stuffing looks simple but has a very high success rate.
The earlier 12306 data leak was confirmed to be a credential stuffing attack; the leaked data included user accounts, plaintext passwords, identity information, e-mail addresses and other user information.
The theft of JD accounts was the same, except that JD's own database had not been leaked. Hackers obtained leaked databases through other channels, ran a credential stuffing attack, and successfully obtained the passwords of some JD users.
Conclusion :
The losses from credential stuffing are not the fault of any single party. Individual users have weak password-security awareness, set passwords that are too simple, and log in to many websites with the same username and password for a long time. Platforms lack security defences such as login IP address verification and device verification. On the regulatory side, although the 《Personal Information Protection Law》 has been introduced, dark-web markets large and small still sell residents' personal information.
Therefore individual users should strengthen the protection of their accounts and passwords: when setting a password, avoid anything too simple or easy to guess; get into the habit of changing passwords regularly; manage accounts in tiers according to their importance and whether they involve money, and avoid using one password everywhere; and when logging in to a personal account on a public device, do not tick options such as "remember password / log in by default", and choose anonymous login whenever possible.
Platforms can add cross-checks of IP address and GPS location to verify the user's real location; regulators can strengthen penalties to deter criminals.
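As an added example (not from the original article) of the platform-side check that the conclusion calls for against reused and simple passwords, the block below rejects a password that already appears in leaked data, which is exactly what a credential stuffing dictionary is built from. It uses the k-anonymity prefix scheme of the Have I Been Pwned range API (5-character uppercase SHA-1 prefix, SUFFIX:COUNT lines) as a model, but the corpus, its counts and the length policy are constructed here, and nothing is sent over the network.

```python
import hashlib

def sha1_upper(password):
    """Uppercase hex SHA-1, the digest form the range-lookup scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus (passwords and counts are
# made up here, not real breach statistics). It is keyed by the 5-char hash prefix,
# and each entry holds the remaining 35 hex chars plus how often it was leaked.
LEAKED = {"password": 3730471, "123456": 37359195, "123456789012": 1000}
BREACH_CORPUS = {}
for _pw, _count in LEAKED.items():
    _h = sha1_upper(_pw)
    BREACH_CORPUS.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def range_lookup(prefix):
    """Server side: returns every SUFFIX:COUNT line sharing the 5-char prefix.
    The server never learns which full hash the client is interested in."""
    return "\n".join(BREACH_CORPUS.get(prefix, []))

def breach_count(password):
    """Client side: number of times the password appears in the corpus (0 = not seen)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def password_acceptable(password, min_len=12):
    """Registration / change-password policy: reject short or previously leaked passwords."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"appears in leaked data {seen} times; it will be tried by credential stuffing"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ["password", "123456789012", "correct horse battery staple"]:
        print(candidate, password_acceptable(candidate))
```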