CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 17th, 2008

Oklahoma Department Of Corrections Website Exposed Sex Offenders Data

A critical flaw in the Oklahoma Department of Corrections website allowed anyone (until recently) to extract sensitive information from the underlying database at will. The site's SQL queries performed no input validation, and the database they ran against covered every offender who had been sentenced to probation or incarceration within the Oklahoma Correction system, not just those convicted of sexual or violent offenses. The flaw also allowed the retrieval of Department of Corrections employee records and medical activity.

While the ability to do this to any database of personal information maintained by a government body is a problem, the fact that this one was the state's Sexual and Violent Offender Registry makes it more likely that there are individuals and groups with a motivation to obtain or hide records in the database, and not necessarily a socially beneficial motivation.

When notified of the flaw, the Department of Corrections modified the site so as to close the hole as reported; at least that is what initially appeared to be the case. It was soon discovered that the only change had been to perform a case-sensitive lookup of some table data, which left the hole wide open. It wasn't until it was shown that employee data could be returned that the hole appeared to be closed off for good.

The developers made several critical errors in building the site. They allowed a database with sensitive content to be accessible from the Internet. They also allowed queries from the website to access any of the information in that database and did not perform any filtering of the anonymous GET requests, which allowed anyone to execute SQL statements and have the results returned. Furthermore, the SQL queries required to extract information were placed inside GET requests from the browser.
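The two mistakes the article describes, pasting a request parameter straight into the SQL text and then "fixing" it with a case-sensitive comparison, are easy to reproduce and just as easy to test for. The following is an added example, not code from the original article or from the Department of Corrections site; it uses an in-memory SQLite database with constructed table names and rows, and a single constructed probe string of the kind a tester would send to confirm whether a fix actually works. The hardened lookup uses a parameterised query, which is the change the site needed.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the registry database in the article."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE offenders (name TEXT, county TEXT, offense TEXT)")
    cur.execute("CREATE TABLE employees (name TEXT, badge TEXT)")
    # Only one row is a registrable offense; the others are probation records
    # that a public registry lookup should never return.
    cur.executemany("INSERT INTO offenders VALUES (?, ?, ?)", [
        ("A. Example", "Tulsa", "registered"),
        ("B. Example", "Oklahoma", "probation"),
        ("C. Example", "Tulsa", "probation"),
    ])
    cur.executemany("INSERT INTO employees VALUES (?, ?)", [("D. Staff", "1001")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, county):
    """The pattern the article describes: the GET parameter is concatenated into the SQL."""
    sql = ("SELECT name, offense FROM offenders "
           f"WHERE county = '{county}' AND offense = 'registered'")
    return conn.execute(sql).fetchall()


def lookup_case_sensitive(conn, county):
    """The first 'fix' the article mentions: a case-sensitive comparison.

    The parameter still lands in the query text unchanged, so the comparison
    mode is irrelevant to whether the caller can rewrite the query.
    """
    sql = ("SELECT name, offense FROM offenders "
           f"WHERE county = '{county}' COLLATE BINARY AND offense = 'registered'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, county):
    """Parameterised query: the value travels separately from the SQL text.

    Whatever the caller sends can only match (or fail to match) the county
    column; it can never change the WHERE clause or reach other tables.
    """
    sql = ("SELECT name, offense FROM offenders "
           "WHERE county = ? AND offense = 'registered'")
    return conn.execute(sql, (county,)).fetchall()


# A constructed probe that closes the quoted literal and comments out the rest
# of the WHERE clause. A fix is only a fix if this returns nothing extra.
PROBE = "x' OR '1'='1' --"


def check_fix(lookup):
    """Return (rows for a normal county, rows for the probe) for a given lookup."""
    conn = build_db()
    return lookup(conn, "Tulsa"), lookup(conn, PROBE)


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_case_sensitive, lookup_hardened):
        normal, probed = check_fix(fn)
        print(f"{fn.__name__}: normal={len(normal)} rows, probe={len(probed)} rows")
```

Run as a script, the vulnerable and case-sensitive lookups both return every row in the offenders table for the probe (probation records included, matching the over-exposure the article describes), while the parameterised lookup returns none. The same pattern applies to any other parameter the page takes from the query string: the check is whether the value can alter the statement, not how it is compared.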
