Sunday, November 29, 2009

Symantec Online Store Hacked

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the website, allows for a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

Please read here for more details:

1 comment:

Tokwear said...

Oh yeah... finally huhuhu