http://www.theregister.co.uk/2009/09/01/uk_parliament_hacked/

By Dan Goodin in San Francisco
The Register
1st September 2009

A vulnerability in the website of the UK Parliament appears to be exposing confidential information, including unencrypted login credentials, a Romanian hacker wrote on his blog.

The SQL injection vulnerability is on this page, the hacker, who goes by the moniker Unu, told The Register. By tacking database commands onto the end of the web address, it's possible to trick the site's backend server into coughing up data that was never intended to be published.

Based on a screen shot below, which was included on Unu's post, it appears Parliament's website has been coerced into divulging log-in credentials for at least eight accounts.

The disclosure is troubling for several reasons. First, there's the SQL injection hole itself. In the past, we've compared such attacks to Jedi mind tricks, in which weak-willed websites are turned against themselves with the web equivalent of a wave of a hand and a discreetly made suggestion.

There's also the likelihood that the passwords, because they're being displayed in readable form, are being stored without the use of encryption. Keeping passwords in the clear is a big no-no in the world of security.

[...]

________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org

Received on Wed Sep 02 2009 - 01:44:38 PDT
This archive was generated by hypermail 2.2.0 : Wed Sep 02 2009 - 01:52:10 PDT