The Tech Herald

First Kaspersky - Now BitDefender suffers SQL Injection attack (Update)

by Steve Ragan - Feb 10 2009, 23:34

Update:

Vitor Souza, global communications manager at BitDefender, e-mailed The Tech Herald with new information from BitDefender's side of things:

"The vulnerability was found by BitDefender's blog monitoring activities. We immediately notified our partner and the site was shut down very shortly after... we corrected the vulnerability and the site reopened at 6pm WET (GMT) time, February 9th. Our current review indicates that no customer data was stolen... it appears that the attack was not intended to steal information, but simply to show vulnerability.

"All BitDefender-owned sites execute routine protection processes to ensure that these severely limit vulnerability to these types of attacks. While we can't control how our partners manage their sites, we do work with them to foster best practices in protection.

"As a result of this attack, BitDefender worked with our partners, reevaluated their Web defense strategies and where necessary took corrective action to avoid this type of attack, ensuring they have the support and resources necessary for adequate web defense.

"It is important to highlight that BitDefender does not store customer credit card information on any of our sites, to protect customer privacy and ensure that this type of information is not accessible to attack."

For the second time in as many days, the crew over at HackersBlog has exposed another SQL Injection (SQLi) vulnerability. Like the SQLi exposure on Kaspersky’s U.S. portal, this new target is also a known security vendor, Romania-based BitDefender.

The site, bitdefender.pt, is actually a reseller for BitDefender products located in Portugal (Uptrend Software). However, while not the main asset of BitDefender itself, the Web site sells only BitDefender products, and there is no way to tell at a glance that there is any distinction between the reseller and the main company.

It is worth noting that while the HackersBlog report is bad news for BitDefender, the reseller is at fault for lax database security. While BitDefender should monitor resellers for brand control, it cannot monitor them for security compliance. There are some comments on the HackersBlog story that say perhaps it should, but that level of monitoring sometimes requires processes and controls no vendor has.

Security-wise, third-party Web site or not, this public shaming will cause BitDefender some problems with customer trust. Even Kaspersky has said it expects a serious amount of public fallout after its own database security was cracked.

"It seems Kaspersky aren’t the only ones who need to secure their database. BitDefender has the same problems," wrote Unu of HackersBlog.

Below are images from the screen grabs after the SQLi took place (notice the AOL usage; how 1990s of them).

[Image: Version, user, and name of the BitDefender database]

[Image: Admin user, pass, session id, last login]

[Image: Sales table information]

[Image: Newsletter data dump - thousands of emails were reported]