nsane.forums, Posted November 23, 2009

SQL injection attack exposes customer data on Symantec web server

The Romanian hacker who successfully broke into a web site owned by security vendor Kaspersky Lab has struck again, this time exposing shortcomings in a Symantec web server.

The hacker, known only as Unu, said in a blog post today that he was able to access a server belonging to the security giant using a blind SQL injection attack. Once in, he accessed sensitive information including customer address data and catalogue keys on the Symantec Store database.

The hacker also expressed outrage that user passwords were displayed in plain text and had not been encrypted.

"A secured bad parameter allows full access to Symantec servers, allows access to many sensitive data stored on this server," wrote Unu. "So, it seems quite strange how a company like Symantec, which sells software and security solutions, the famous Norton for example, wants to protect ourselves. Instead, it is not able to protect its own database."

Symantec has confirmed the vulnerability at pcd.symantec.com, a Norton support web site for customers in Japan and South Korea only.

"This incident impacts customer support in Japan and South Korea but does not affect the safety and usage of Symantec's Norton-branded consumer products," the firm said in a statement. "Symantec is currently in the process of updating the web site with appropriate security measures, and will bring it back online as soon as possible. Symantec is still investigating the incident, and has no further details to share at this time."

LoKz, Posted November 24, 2009

:frusty: lol

LeetPirate, Posted November 25, 2009

OWNAGE! It's always funny when you hear about 1 guy taking down an entire corporation, especially when their main purpose is Internet security. Imagine how ashamed they (Symantec) must feel right now. AHAHHAHAHAHA :lol:

manpe, Posted November 25, 2009

Next target - ESET please

DKT27 (Administrator), Posted November 25, 2009

It's funny indeed. :hehe: He used a blind SQL injection attack. :think:

Shadow_Intel, Posted November 25, 2009

This is amazing stuff, funny however this hacker has talent.

RadioActive, Posted November 25, 2009

> using a blind SQL injection attack.

SQL Injection? seriously? that's just lame! I'd understand if a small website got hacked that way but server belonging to such a large corporation, that's just pathetic.

> The hacker also expressed outrage that user passwords were displayed in plain text and had not been encrypted.

Damn straight! unencrypted values in the database is a disaster waiting to happen, any developer worth a damn would know that! bleh

Note for developers: SQL Injection is a very dangerous attack, perhaps because it's very simple, even I could do it but it's also easy to protect your data from it, the answer is simple: "parametrized stored procedures" :smartass:

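
Added example, not part of any post in this thread and not code from Symantec or the article: a sketch of the two defences the post above points at, bound parameters and non-plaintext password storage, using Python's sqlite3. SQLite has no stored procedures, so bound query parameters stand in for them here; the table, column names, account, work factor and probe string are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def make_db():
    """Constructed sample data: one customer in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password("correct horse")
    db.execute("INSERT INTO customers VALUES (?, ?, ?)", ("alice@example.test", salt, digest))
    return db

def exists_concat(db, email):
    """'Before': input is pasted into the SQL text, so it can alter the query."""
    sql = "SELECT 1 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchone() is not None

def exists_bound(db, email):
    """'After': input is bound as a parameter and is only ever compared as data."""
    sql = "SELECT 1 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchone() is not None

def verify_password(db, email, password):
    """Recompute the salted hash and compare in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM customers WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])

if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"  # constructed input carrying an always-true condition
    print("concatenated query says row exists:", exists_concat(db, probe))
    print("bound-parameter query says row exists:", exists_bound(db, probe))
    print("login with right password:", verify_password(db, "alice@example.test", "correct horse"))
```

The concatenated lookup answers "yes" for an address that is not in the table, which is the kind of true/false signal a blind injection depends on; the bound version treats the same input as an ordinary string and finds nothing.
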
Bizarre™, Posted November 25, 2009

Now we know why Marik is not around :lmao:

shajt, Posted November 25, 2009

ROFL :lol:

Toshiro, Posted November 25, 2009

> Now we know why Marik is not around :lmao:

:lmao:

i-con, Posted November 26, 2009

Lol. What a paradox.