Symantec hacked in SQL attack

25 November 2009

Symantec's Japanese support website has been hacked using an SQL injection attack, the company confirmed yesterday.

The SQL vulnerability - found by the same hacker who penetrated Kaspersky's website earlier in the year - exposed Symantec ecommerce customers, whose passwords were stored in clear text. It was discovered using the SQL injection tools Pangolin and SQLMap.

"A secured bad parameter allows full access to Symantec servers, allows access to many sensitive data stored on this server. So, it seems quite strange how a company like Symantec, which sells software and security solutions, the famous Norton for example, wants to protect ourselves[sic]", said the hacker, who goes by the name Unu, on his blog. "Instead, it is not able to protect its own database."

The hacker was able to gain access to the C:/ and D:/ drives of the Windows-based servers hosting the Symantec site, which uses SQL Server. He claims to have exposed the entire table structure for the hacked site, and was able to retrieve user details via an SQL query.

Over 70 000 customers' details were allegedly in the hacked Symantec table, although Unu said that he extracted just five samples, which were obfuscated on the website to avoid compromise. He also claims to have exposed over 152 000 product serial numbers from the hacked Symantec website.

"An SQL injection vulnerability has been identified at pcd.symantec.com. The website facilitates customer support for users of Symantec's Norton-branded products in Japan and South Korea only. At this time, we believe that this incident does not affect Symantec customers anywhere else in the world", said Symantec in a statement, adding that the hacked site affected customer support in the two countries, but that it didn't compromise the Norton software itself.

"Symantec is currently in the process of ensuring that the website is appropriately secured and will bring it back online as soon as possible", Symantec concluded.

In the meantime, it remains unclear how many other hackers with fewer scruples may have accessed the Symantec details using the information posted on Unu's blog, which went up on Monday.

The news drew ridicule from online commenters. One, commenting on news of the Symantec hack posted on Trend Micro's blog, said: "As a matter of fact, if php’s scope wasn’t root/global in this case, the hacker shouldn’t have been able to browse the whole server."

Although he has his own blog, Unu regularly submits hack information to the privately registered Hackers blog, and was responsible for posting information about hacks targeting Orange and the Daily Telegraph, among others.

 
