Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 26th, 2009

Symantec Online Store Hacked, Passwords And Serial Numbers Potentially Exposed

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

According to the hacker an insecure parameter of a script from the website allows for a blind SQL injection attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQL injection attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

The content of the website is written in Japanese and it serves a product called Norton PC Doctor. Accessing most of the website’s sections requires authentication, and in order to exploit the blind SQL vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2000 as database back-end.

From the screen shots released by the hacker there are many potentially interesting databases, but the one he chose to look at is called “symantecstore.” One of the tables in this database is named “PaymentInformationInfo” and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

For demonstration purposes, the hacker extracted 6 of these entries at random, revealing customer names and login credentials with the passwords stored in plain text; a major security oversight. The hacker also notes that passwords for the accounts in a different table called TB_EMPLOYEE are also stored in a similar insecure way. There are 122,152 entries in the SerialNumber column.

Symantec has confirmed the existence of a vulnerabiliy in the

“A SQL injection vulnerability has been identified at The Web site facilitates customer support for users of Symantec’s Norton-branded products in Japan and South Korea only. This incident does not affect Symantec customers anywhere else in the world.

“This incident impacts customer support in Japan and South Korea but does not affect the safety and usage of Symantec’s Norton-branded consumer products. Symantec is currently in the process of updating the Web site with appropriate security measures and will bring it back online as soon as possible. Symantec is still investigating the incident has no further details to share at this time.”

Credit: Softpedia News

Share this item with others:

More on CyberInsecure:
  • Gamers Accounts Hacked In Sony Playstation Store
  • Online Music Service Breached By Hackers
  • Customers Credit Cards Possible Theft In Compromised Altman Weil Online Store
  • PlentyOfFish Resets User Passwords After Registration Details Theft
  • Users Login Credentials Potentially Exposed In Science Journal Breach

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Symantec Online Store Hacked, Passwords And Serial Numbers Potentially Exposed

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.