Unu from HackersBlog has posted details today on an SQL Injection (SQLi) attack aimed at the U.S. portal for security heavyweight Kaspersky. The attack yielded all sorts of information and allowed full access to the database on the backend of the site.
Kaspersky's USA portal suffers SQLi attack.
“Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.” Unu wrote.
In the images below you can see the proof offered on HackersBlog. The information accessed is extensive, as the table list shows. Among other things, the tables completely visible when accessed included codes, users, admin_users, retail_users, as well as fields related to versioning information and product information.
The problem is that if someone malicious gained access to this information, the avenues for exploitation would be wide. Consider that not only home users have Kaspersky installed, but businesses as well. The likely target would be business users. There is also a section of the database containing information on bug-tracking issues, likely exposed because the SQLi began in the support area of Kaspersky’s site.
The plus side to this, if you want to see one, is that the staff over at HackersBlog have not posted sensitive information. They could have dumped the entire database, removed it, or taken another malicious route. Instead, they came forward, posted information and proof, and simply left it at that.
“Yes, that SQL Injection in usa.kaspersky.com is very real,” wrote 2fingers on the HackersBlog in response to coverage by The Register. “Still, Kaspersky team doesn’t need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data; we just point our fingers to big websites with security problems. We hope to see that vulnerability patched very soon (if it isn’t already patched).”
By way of response, Kaspersky offered up an official statement saying: “On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site.”
The Tech Herald e-mailed the company with a request for additional comments, and if it offers them we will post an update to this story.
Below are the images from the initial post on HackersBlog.
Username and password for mysql.user
Database schema for Kaspersky's portal
User table header information
Version number, database name, and username for the Kaspersky portal