MySQL.com Database Compromised Through SQL Injection, Localized Website Versions Also Affected
Hackers have compromised the database of MySQL.com, as well as the French, German, Italian, Japenese and other localized versions of the website, ironically by exploiting an SQL injection vulnerability.
A hacker took credit for the compromise by reporting it on the popular Full Disclosure mailing list. The report included information about the vulnerable parameter, a list of tables from several databases and a list of database users with hashed passwords.
Soon afterwards, another hacker published a more complete report on his blog claiming that it was he and a friend who discovered the vulnerability a few months ago and that it wasn’t supposed to be made public. As proof for his claim he links to a previously private thread on Team Insecurity Romania’s (ISR) forum where the vulnerability has been discussed since January 3, 2011. The disclosure also includes more information like cracked passwords for some database and blog accounts, including that of Robin Schumacher, MySQL’s director of product management.
Mr. Schumacher’s blog password is made up of only four digits, which is why cracking it from the hash was trivial. The password of Kaj Arnö, the former vice president of the MySQL Community in the Database Group at Sun Microsystems, was also disclosed.
The incident proves just how common these vulnerabilities are. If the creators of MySQL, the most widely used database engine in the world, can’t secure their own website against SQL injection attacks, what reasonable expectation of security can one have from websites that aren’t run by experts?
It’s worth pointing out that SQL injection is a very dangerous attack vector. Unlike cross-site scripting, which can be used to inject rogue code into pages, SQLi vulnerabilities can also be exploited to extract sensitive data like private customer information from databases.
Credit: Softpedia.com News
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.