Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 28th, 2011 Database Compromised Through SQL Injection, Localized Website Versions Also Affected

Hackers have compromised the database of, as well as the French, German, Italian, Japenese and other localized versions of the website, ironically by exploiting an SQL injection vulnerability.

A hacker took credit for the compromise by reporting it on the popular Full Disclosure mailing list. The report included information about the vulnerable parameter, a list of tables from several databases and a list of database users with hashed passwords.

Soon afterwards, another hacker published a more complete report on his blog claiming that it was he and a friend who discovered the vulnerability a few months ago and that it wasn’t supposed to be made public. As proof for his claim he links to a previously private thread on Team Insecurity Romania’s (ISR) forum where the vulnerability has been discussed since January 3, 2011. The disclosure also includes more information like cracked passwords for some database and blog accounts, including that of Robin Schumacher, MySQL’s director of product management.

Mr. Schumacher’s blog password is made up of only four digits, which is why cracking it from the hash was trivial. The password of Kaj Arnö, the former vice president of the MySQL Community in the Database Group at Sun Microsystems, was also disclosed.

The incident proves just how common these vulnerabilities are. If the creators of MySQL, the most widely used database engine in the world, can’t secure their own website against SQL injection attacks, what reasonable expectation of security can one have from websites that aren’t run by experts?

It’s worth pointing out that SQL injection is a very dangerous attack vector. Unlike cross-site scripting, which can be used to inject rogue code into pages, SQLi vulnerabilities can also be exploited to extract sensitive data like private customer information from databases.

Credit: News

Share this item with others:

More on CyberInsecure:
  • New Lateral SQL Injection Method To Hack Oracle Database
  • WordPress Multiple SQL Injection Vulnerabilities
  • SQL Injection Flaw Exposes 32 Million Accounts Passwords
  • The Image Group Website Hacked Through SQL-Injection, Credit Cards Data Stolen
  • Symantec Online Store Hacked, Passwords And Serial Numbers Potentially Exposed

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Database Compromised Through SQL Injection, Localized Website Versions Also Affected

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word