CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 28th, 2011

MySQL.com Database Compromised Through SQL Injection, Localized Website Versions Also Affected

Hackers have compromised the database of MySQL.com, as well as the French, German, Italian, Japanese and other localized versions of the website, ironically by exploiting an SQL injection vulnerability.

A hacker took credit for the compromise by reporting it on the popular Full Disclosure mailing list. The report included information about the vulnerable parameter, a list of tables from several databases and a list of database users with hashed passwords.

Soon afterwards, another hacker published a more complete report on his blog, claiming that it was he and a friend who discovered the vulnerability a few months ago and that it wasn’t supposed to be made public. As proof of his claim, he links to a previously private thread on Team Insecurity Romania’s (ISR) forum where the vulnerability has been discussed since January 3, 2011. The disclosure also includes more information, such as cracked passwords for some database and blog accounts, including that of Robin Schumacher, MySQL’s director of product management.

Mr. Schumacher’s blog password is made up of only four digits, which is why cracking it from the hash was trivial. The password of Kaj Arnö, the former vice president of the MySQL Community in the Database Group at Sun Microsystems, was also disclosed.

The incident proves just how common these vulnerabilities are. If the creators of MySQL, the most widely used database engine in the world, can’t secure their own website against SQL injection attacks, what reasonable expectation of security can one have from websites that aren’t run by experts?

It’s worth pointing out that SQL injection is a very dangerous attack vector. Unlike cross-site scripting, which can be used to inject rogue code into pages, SQLi vulnerabilities can also be exploited to extract sensitive data like private customer information from databases.

Credit: Softpedia.com News
