Kaspersky Lab Alleged Customer Database Hack From SQL Injection Flaw


The latest big news is that on February 6th the Kaspersky Customer Records database was hacked through a simple SQL injection flaw on the website. The hacker claimed it was possible to expose all customer data including users, activation codes, lists of bugs, admins, shot and so on. The anonymous hacker hasn’t actually posted any of the data, but has listed the database tables exposed here.

Later Kaspersky has stated that no data was actually exposed, apparently there was a flaw to do with data validation and perhaps only the database table names were exposed – not the data within.

So far though it’s all speculation unless the hacker releases the actual data and Kaspersky comfirms it there’s no way we can know what has actually transpired.

Anti-virus vendor Kaspersky Lab denies any data was stolen during a SQL injection attack launched Feb. 6. Well-known database security expert David Litchfield of NGSSoftware is doing a third-party review for Kaspersky.

Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend.

According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it.

The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.

Kaspersky has already commissioned a 3rd party audit from well-known specialist in Database Security, David Litchfield the principal consultant with NGS Software.

I wonder if Mr. Litchfield will publish his findings publicly or they will be vetted through Kaspersky first, I’d imagine the latter – which again means we might never know the true extent of the vulnerability.

According to the company, the problem was due to the site not properly validating user input. Roel Schouwenberg, senior anti-virus researcher at Kaspersky, confirmed that the names of the tables are accurate. However, having the names of the tables does not mean the hacker actually accessed them, he noted.

Schouwenberg added that no credit card data was stored on the server targeted by the hacker, though there were product activation codes and 2,500 e-mail addresses for people who signed up for a product trial.

“This shouldn’t have happened,” Schouwenberg said, adding he was worried about the impact the hack would have on Kaspersky’s reputation.

The vulnerable code the hacker took advantage of to launch the attack was developed externally and did not go through Kaspersky’s normal code review process, Schouwenberg said.

It shouldn’t have happened? What insight these people have!

They are blaming the vulnerability on code developed externally, and it seems that from the story it’s limited data to do with some kind of software trial. It’s not the full customer records database.

Still I think we need to wait a little longer to get a clearer picture of what is going on, either way it looks like this might be an interesting story for us to follow.

Source: eWeek

Posted in: Database Hacking, Exploits/Vulnerabilities, Hacking News, Legal Issues, Web Hacking

, ,


Latest Posts:


tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.
Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.


3 Responses to Kaspersky Lab Alleged Customer Database Hack From SQL Injection Flaw

  1. d3ck4 February 10, 2009 at 3:55 pm #

    LOL

  2. Morgan Storey February 10, 2009 at 11:14 pm #

    They were owned, they should admit it and move on, the hacker posted table listing of their databases I heard. Of course admitting another ownage after their prior defacements etc doesn’t bode well for a security organisation.
    I can sympathise though. They are a security company based out of Russia, they may as well just paint a big target on their back, and hand out guns.

  3. MrCracker February 12, 2009 at 2:41 pm #

    Ha. It would have been more ironic is they were hacked via a virus.