CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 8th, 2009

Kaspersky.com USA Hacked Through SQL-Injection, Breach Exposes Sensitive Database

A security breach at Kaspersky USA has exposed proprietary information about the anti-virus provider’s products and customers, according to a blogger who posted screenshots and other details that appeared to substantiate the claims.

In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing “users, activation codes, lists of bugs, admins, shop, etc.” Kaspersky has declined to comment, but two security experts who reviewed the evidence said the claims appeared convincing.

“This looks very real to me,” Thomas Ptacek, a researcher at security provider Matasano, said via instant message a few hours after the post went live. He pointed to the address bar of one screenshot that showed usa.kaspersky.com along with the text “concat_ws(0x3a,ver” to the right of that. “It’s a URL that is being used to alter the database request that’s used to generate the page,” he added.

It seems that a simple modification of a URL exposed the site’s entire database. “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.” The URLs were edited to redact the page’s vulnerable handler, but tools that are easy to come by could help anyone who knows how to use them to identify where the SQL injection weakness is located.
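The mechanism Ptacek describes, as an added illustration that is not from the original article or from Kaspersky's site: a page handler that pastes a URL parameter into its SQL text, next to a version that validates and binds it. The table names, function names and sample rows are constructed, SQLite stands in for the site's MySQL backend, and the `|| ':' ||` join plays the role of the `concat_ws(0x3a, ...)` fragment seen in the screenshot.

```python
import sqlite3

def make_db():
    """Constructed in-memory data; SQLite stands in for the site's MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, activation_code TEXT);
        INSERT INTO products VALUES (1, 'Anti-Virus'), (2, 'Internet Security');
        INSERT INTO users VALUES (1, 'alice@example.test', 'CODE-AAAA'),
                                 (2, 'bob@example.test', 'CODE-BBBB');
    """)
    return db

def page_vulnerable(db, raw_id):
    # The URL parameter is pasted into the SQL text, so whatever the visitor
    # types becomes part of the statement the database parses.
    sql = "SELECT id, name FROM products WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def page_hardened(db, raw_id):
    # 1) Allow-list the expected shape (a plain ASCII integer).
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    # 2) Bind the value as data; the statement text never changes.
    sql = "SELECT id, name FROM products WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

# Constructed parameter value. The || ':' || join plays the role of the
# concat_ws(0x3a, ...) fragment visible in the screenshot (0x3a is ':').
ALTERED = "0 UNION SELECT id, email || ':' || activation_code FROM users"

def demo():
    db = make_db()
    return {
        "normal_vulnerable": page_vulnerable(db, "1"),
        "altered_vulnerable": sorted(page_vulnerable(db, ALTERED)),
        "normal_hardened": page_hardened(db, "1"),
        "altered_hardened": page_hardened(db, ALTERED),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenating handler the product page returns rows from the `users` table; the hardened handler returns the same product row for a normal request and nothing for the altered one.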

Assuming the hack is for real, it wouldn’t be the first time a Kaspersky site has been hit by a SQL injection attack. In July, Kaspersky’s Malaysian site and several subdomains were defaced by a hacker who left pro-Turkish slogans. This breach appears to be more serious because it potentially exposes customer information and could also open Kaspersky’s site to other types of abuse, security experts said.

Update (Feb. 09): A day after a hacker claimed to hack a Kaspersky website and access a database containing proprietary customer information, the security provider issued a terse statement confirming it had experienced a security issue. The statement was released Sunday afternoon:

“On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”

There is a part of the story that Kaspersky leaves out. According to an admin named Tocsixu at the site that exposed the breach, the hacker who originally discovered the vulnerability did so days earlier and only went public after getting no response from more discreet communiques with Kaspersky employees:

“I have sent emails to [email protected], [email protected], and [email protected] warning Kaspersky about the problem but I didn’t get any response. After some time, still having no response from Kaspersky, I have published the article on hackersblog.org regarding the vulnerability. This vulnerability could have been critical if it were to be exploited by someone bad intended because several sensitive informations could have been extracted, like usernames, emails, passwords, codes, mysql users & passwords, etc.”

Kaspersky has repeatedly declined to provide details about the breach.

Credit: The Register
