Back in February of this year, the Romanian hacker Unu found a SQL injection vulnerability in a Kaspersky tech support portal server based in the U.S. That vulnerability, when exploited, allowed full access to all the database tables, exposing things such as usernames and activation codes.
Well, Unu strikes again, and this time Symantec is the unlucky recipient of his attentions; certainly at first glance it looks worse than the Kaspersky breach. In a new posting on Unu’s blog he details a blind SQL injection-based attack against a Symantec server; the server appears to be responsible for tech support through ‘Norton PC Expert from PC-Doctor Co Ltd’ in Japan.
According to Unu, by exploiting the vulnerability he is able to access a lot of very sensitive information including personal details and product keys (from the Symantec store database table). More worryingly, the screenshots appear to indicate that the attacker is able to browse the entire contents of the server hard drives at will.
Unu also notes that both user and employee passwords are available in clear text which, if true, represents a serious oversight: passwords should always be stored encrypted or with a salted hash. It should be noted, though, that there is no evidence of this particular data other than Unu’s own typed report; no screenshots of this data have been posted.
Commentators have not always agreed on the accuracy of Unu’s claims, as in the recent claimed compromise of the Barack Obama Donations site. As ever, Unu insists that his activities are only done to warn and raise awareness, without saving or otherwise stealing any proprietary information.
‘If you remember, in February, Kaspersky faced with a sql injection. Then they had the courage to admit vulnerability, why have my admiration. There was fair play, they quickly secured vulnerable parameter, and even if at first they were very angry at me, finally understood that I did not extract, I saved nothing, I have not abused in any way by the data found. My goal was, what is still, to warn. To call attention. That being said, expect the curious reaction from Symantec.’
I have made sure Symantec UK and Japan are aware of this information and I am sure they are investigating as I type, but it’s never a bad idea to restate a few best practices for securing web applications:
- Keep them patched
- Never store sensitive data in clear text
- Get them regularly vulnerability scanned from the inside as well as the outside
- Use strong authentication (2 factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies alone can lead to session hijacking.
- Bounds checking of input data helps to avoid buffer overflows and SQL injection-type attacks.
- Provide access to information on a Need to Know basis and always provide it with Least Privilege.
- Don’t provide detailed error information to browsers; you don’t expect your customers to debug your application, so don’t give up that error message.
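Two of the practices above (never storing passwords in the clear, and handling input so that it cannot become part of a SQL statement) are easy to show side by side. The following is an added example written for this article, not code from Unu, Symantec or PC-Doctor, and it assumes nothing about their servers: it builds a constructed in-memory SQLite table of users with salted PBKDF2 password hashes, contrasts a lookup that concatenates user input into SQL with one that binds it as a parameter, and wraps the login path so that a database error is logged server-side rather than echoed to the browser. The user names, passwords and product keys in it are invented.

```python
import hashlib
import hmac
import logging
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data for this example only; not from the incident.
SAMPLE_USERS = [
    ("alice", "correct horse", "EXAMPLE-KEY-0001"),
    ("bob", "battery staple", "EXAMPLE-KEY-0002"),
]
PBKDF2_ITERATIONS = 200_000  # tune upward as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): PBKDF2-HMAC-SHA256 over the password with a random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_db() -> sqlite3.Connection:
    """Create the constructed users table; only salt + hash are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, product_key TEXT)"
    )
    for name, password, key in SAMPLE_USERS:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, digest, key))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The weak pattern: the input is spliced into the SQL text and is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The hardened pattern: the input is bound as a parameter and can only ever match a value."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Authenticate via the parameterised query; the caller only ever sees a generic message."""
    try:
        row = conn.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None or not verify_password(password, row[0], row[1]):
            return "login failed"
        return "login ok"
    except sqlite3.Error:
        # Keep the detail for the server log; never return the database error to the browser.
        logging.exception("database error during login")
        return "login failed"


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # the classic textbook input that turns the WHERE clause into a tautology
    print("concatenated SQL returns:", lookup_vulnerable(db, crafted))  # every user
    print("parameterised SQL returns:", lookup_safe(db, crafted))       # no user
    print(login(db, "alice", "correct horse"), "/", login(db, "alice", "wrong"))
```

Reading a dump of the `users` table gives an attacker salts and PBKDF2 digests rather than passwords, which is the difference the fourth paragraph above is pointing at; and because `lookup_safe` and `login` bind the user name as data, the same input that makes the concatenated query match every row matches nothing in the parameterised one.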