December 23rd, 2009

Intel Website Hacked, Personal Data Exposed Through SQL Injection

A Romanian hacker who goes by the handle “unu” has struck again: this time, he demonstrated how a SQL injection vulnerability left personal information in the form of passports exposed on an Intel Corp. Website.

Unu, who previously exposed SQL injection vulnerabilities in The Wall Street Journal and Kaspersky Lab’s Websites, this time focused on an Intel site that runs online registrations for channel partner events. The site, which is currently down, has a message posted that it’s offline for maintenance.

An Intel spokesperson says the company has taken down the site and is “investigating the matter.”

In his blog post on the Intel site’s vulnerability, unu says: “Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with which we can do virtually anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.”
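The quote above depends on the web application's database account being allowed to run load_file. The following is an added example, not from the article, unu's post or Intel: a defender-side audit that reads MySQL `SHOW GRANTS` text for an application account plus the server's `secure_file_priv` value and reports whether file read/write functions are reachable. The account name `regapp` and the sample grants are constructed.

```python
import re

# Constructed sample: SHOW GRANTS output for a hypothetical application account.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, FILE ON *.* TO 'regapp'@'localhost'",
    "GRANT ALL PRIVILEGES ON `events`.* TO 'regapp'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<grantee>.+?)(?:\s+WITH\s+.*)?$",
    re.IGNORECASE,
)

# FILE is a global privilege; ALL [PRIVILEGES] ON *.* includes it.
FILE_BEARING = {"FILE", "ALL", "ALL PRIVILEGES"}


def file_access_findings(grants, secure_file_priv):
    """Return findings about server-side file access for one account.

    grants: lines of SHOW GRANTS output.
    secure_file_priv: None for NULL (file import/export disabled), "" for
    unrestricted, or the directory that file operations are limited to.
    """
    findings = []
    for line in grants:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("scope") == "*.*" and privs & FILE_BEARING:
            findings.append(
                f"{m.group('grantee')} holds FILE: LOAD_FILE() and "
                "SELECT ... INTO OUTFILE are available to this account"
            )
    if secure_file_priv == "":
        findings.append(
            "secure_file_priv is empty: file functions are not limited "
            "to a single directory"
        )
    return findings


if __name__ == "__main__":
    for finding in file_access_findings(SAMPLE_GRANTS, ""):
        print("FINDING:", finding)
```

An account that only serves a registration form normally needs no global privileges at all, so any finding here is a candidate for `REVOKE FILE ON *.*` and a restricted `secure_file_priv`.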

He was able to hack into the front-end Web application and then discovered that server administrators had their passwords stored in clear text, according to the post.

Security experts at Praetorian Security Group who analyzed Unu’s hack say the most alarming part of the hack is a screenshot that appears to show people who registered for an event, along with their passport numbers, birth dates, and credit card types. “Unu acknowledges that he simply is not showing the credit card numbers, expiration dates, and CW/CID codes but they are also in the table,” they blogged.

Daniel Kennedy, a partner with Praetorian, says the site had been defaced before by someone else. “So Intel or the supporting vendor has to take a long look at who besides Unu could have been in that database,” Kennedy says.

“Intel realistically has to notify everyone who could be affected … this is passport and credit card data,” he says.

