Was BitDefender exploited for a second time?
by Steve Ragan - Feb 17 2009, 19:59

The same group that targeted a reseller of BitDefender earlier this month, pointing out SQL Injection (SQLi) vulnerabilities on the reseller's site, has now claimed that BitDefender itself is vulnerable, and has posted related information to the HackersBlog site.
HackersBlog, which has previously targeted the likes of BitDefender, Kaspersky, and F-Secure, has once again singled out BitDefender for having a supposed SQL Injection vulnerability on its main Web site. The problem is that, unlike the previous SQLi disclosure by the group, this time BitDefender isn’t too pleased.
“...they have a vulnerable parameter. And this time it’s not on one of their partner websites but on their own website,” Unu wrote on HackersBlog this Tuesday. “This parameter gives access to the DB. I will not publish too much now as I am waiting for the problem to be solved. The parameter is in their news section and it has a strange behavior if you test it with the all too common by now, SQL Injection.”
Another issue Unu raised was that there is a considerable lack of contact information on the BitDefender site.
However, when the Tech Herald called and spoke to Vitor Souza, Global Communications Manager for BitDefender, he was less than impressed with the discovery posted by HackersBlog.
“Let me first start it off by saying that it was not a vulnerability as the “hacker” described. So [absolutely] no SQL injection as noted,” Souza said in an e-mail recapping an initial phone conversation.
“It was an unchecked parameter on the website that displayed data in a wrong way. It was a “strange behavior” (like they said), they tried to exploit, but without any luck,” he added. “This strange behavior was fixed Sunday. They didn’t manage to exploit or disclose anything.”
Calling the entire article from HackersBlog and Softpedia very tendentious, Souza pointed out in his e-mail that, “there’s no News Section Involved. It’s the Search Module, the server’s data like Apache, PHP versions are available for all websites, but they presented like a big discovery. For example, www.mcafee.com is using Microsoft Server, IIS 5.0, and ASP.Net.”
Souza also disputed HackersBlog's claim that it had e-mailed the site's webmaster account, pointing out that the only e-mails the company located were addressed to the sales address on Saturday, the 14th of February.
This is a different response from the company, which no doubt feels singled out by the HackersBlog crew. When the partner site was exploited earlier this month, BitDefender said: “During investigation, it appears that the attack was not intended to steal information, but simply to show vulnerability.”
However, this time it disputes there was any sort of vulnerability to begin with.
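The dispute above turns on a distinction worth making concrete: an unchecked parameter can produce odd output without being injectable, and an error on a lone quote character is a hint of SQL injection rather than proof of it. What settles the question is whether the input can change the query the database executes. The following is an added example, not code from BitDefender, HackersBlog or the Tech Herald; it uses Python's sqlite3 and a constructed three-row `news` table to stand in for the PHP search module Souza mentions, and runs the same three probes against a handler that concatenates the parameter into the SQL text and one that binds it as a value.

```python
import sqlite3

# Constructed sample data standing in for a site's news table; not BitDefender's schema.
SAMPLE_ROWS = [
    ("Product update 1.0", "public"),
    ("Partner notice", "public"),
    ("Internal draft", "private"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unchecked(conn, q):
    """The 'unchecked parameter' pattern: the user's input is spliced into the SQL
    text, so it can alter the query itself, not just the value being matched."""
    sql = f"SELECT title FROM news WHERE visibility = 'public' AND title LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, q):
    """Hardened form: the SQL text is fixed and the input is bound as a value,
    so it can only ever be compared against the title column."""
    sql = "SELECT title FROM news WHERE visibility = 'public' AND title LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (q,))]


def probe(search, conn):
    """Send three probes to a search handler and report what each one shows.

    quote:        does a lone quote break the query? This is the 'strange behavior'
                  a tester notices first; an error is a hint, not proof, of SQLi.
    wildcard:     does '%' change the result set? True for BOTH handlers, because
                  '%' is a LIKE wildcard: odd output, but not injection.
    private_leak: does a classic payload return rows the query is meant to
                  exclude? Only an injectable parameter can do this.
    """
    outcome = {}
    try:
        search(conn, "'")
        outcome["quote"] = "no error"
    except sqlite3.Error:
        outcome["quote"] = "error"

    baseline = len(search(conn, "zzz-nomatch"))
    outcome["wildcard"] = len(search(conn, "%")) > baseline

    try:
        leaked = search(conn, "' OR 1=1 --")
    except sqlite3.Error:
        leaked = []
    outcome["private_leak"] = "Internal draft" in leaked
    return outcome


def compare():
    """Run the same probes against both handlers on a fresh database."""
    conn = make_db()
    return {
        "unchecked": probe(search_unchecked, conn),
        "parameterized": probe(search_parameterized, conn),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows the wildcard probe changing the output of both handlers, which is the kind of "displays data in a wrong way" behavior that is a bug but not an injection; only the concatenating handler errors on the quote and, more importantly, returns the private row to the `' OR 1=1 --` payload. A tester who stops at the error has shown strange behavior; a tester who gets the excluded row has shown the parameter gives access to the database.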
In an interview with the Tech Herald, Unu of HackersBlog explained: “I am not a thief. I'm just a guy who likes to do security testing, penetration. It’s like any other hobby.”
“I do not break, I do not delete, I do not change, and I NEVER save anything. In the data that I can access in this way, I just show that it is possible, that the site is vulnerable,” he insisted.
Unu is, you could argue, something of a White Hat: one who exposes security flaws to help get them fixed and to warn end users about a problem. However, the companies Unu has targeted no doubt want to label him a Grey Hat, one who can go either way when it comes to ethical or malicious hacking.
Yet, to judge Unu for his efforts would be misguided. There is little known publicly about him or the HackersBlog crew, only what is found in select circles and online. The group's work speaks for itself.
At the time of writing, the issue on BitDefender’s Web site had been resolved. Unu, however, is still hard at work. This time the targets are news sites. The first on his list, as posted today (02-17-09), is the International Herald Tribune (iht.nytimes.com): another site, another SQL Injection.