10 February 2009 | 5,323 views

Kaspersky Lab Alleged Customer Database Hack From SQL Injection Flaw


The latest big news is that on February 6th the Kaspersky Customer Records database was hacked through a simple SQL injection flaw on the website. The hacker claimed it was possible to expose all customer data including users, activation codes, lists of bugs, admins, shop and so on. The anonymous hacker hasn’t actually posted any of the data, but has listed the database tables exposed here.

Kaspersky later stated that no data was actually exposed. Apparently there was a flaw to do with data validation, and perhaps only the database table names were exposed, not the data within.

So far, though, it’s all speculation. Unless the hacker releases the actual data and Kaspersky confirms it, there’s no way we can know what has actually transpired.

Anti-virus vendor Kaspersky Lab denies any data was stolen during a SQL injection attack launched Feb. 6. Well-known database security expert David Litchfield of NGSSoftware is doing a third-party review for Kaspersky.

Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend.

According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it.

The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.

Kaspersky has already commissioned a third-party audit from a well-known database security specialist, David Litchfield, the principal consultant with NGS Software.

I wonder if Mr. Litchfield will publish his findings publicly or if they will be vetted through Kaspersky first. I’d imagine the latter – which again means we might never know the true extent of the vulnerability.

According to the company, the problem was due to the site not properly validating user input. Roel Schouwenberg, senior anti-virus researcher at Kaspersky, confirmed that the names of the tables are accurate. However, having the names of the tables does not mean the hacker actually accessed them, he noted.

Schouwenberg added that no credit card data was stored on the server targeted by the hacker, though there were product activation codes and 2,500 e-mail addresses for people who signed up for a product trial.

“This shouldn’t have happened,” Schouwenberg said, adding he was worried about the impact the hack would have on Kaspersky’s reputation.

The vulnerable code the hacker took advantage of to launch the attack was developed externally and did not go through Kaspersky’s normal code review process, Schouwenberg said.

It shouldn’t have happened? What insight these people have!

They are blaming the vulnerability on code developed externally, and from the story it seems the exposure is limited to data to do with some kind of software trial. It’s not the full customer records database.

Still, I think we need to wait a little longer to get a clearer picture of what is going on. Either way, it looks like this might be an interesting story for us to follow.

Source: eWeek




3 Responses to “Kaspersky Lab Alleged Customer Database Hack From SQL Injection Flaw”

  1. d3ck4 10 February 2009 at 3:55 pm

    LOL

  2. Morgan Storey 10 February 2009 at 11:14 pm

    They were owned, they should admit it and move on, the hacker posted table listing of their databases I heard. Of course admitting another ownage after their prior defacements etc doesn’t bode well for a security organisation.
    I can sympathise though. They are a security company based out of Russia, they may as well just paint a big target on their back, and hand out guns.

  3. MrCracker 12 February 2009 at 2:41 pm

    Ha. It would have been more ironic if they were hacked via a virus.