[ISN] Symantec Japan website bamboozled by hacker

From: InfoSec News <alerts_at_private>
Date: Tue, 24 Nov 2009 09:03:29 -0600 (CST)
http://www.theregister.co.uk/2009/11/23/symantec_website_security_snafu/

By John Leyden
The Register
23rd November 2009

A Symantec-run website was vulnerable to Blind SQL Injection problems 
that reportedly expose a wealth of potentially sensitive information.

Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to 
steal a glimpse at the database behind Symantec's Japanese website. A 
peek at the Symantec store revealed by the hack appears to show 
clear-text passwords associated with customer records. Product keys held 
on a Symantec server in Japan were also exposed by the hack.

Unu has previously exposed similar problems involving the websites of 
the UK's parliament and Kaspersky, among many others. The grey-hat 
hacker has published screenshots to back up his latest claims which, if 
verified, run deeper than shortcomings on the websites of Kaspersky, 
F-Secure and other security firms previously reported by Unu.

Symantec said it was investigating the reported breach, which Unu claims 
gave him full disk and database access. The security giant said the 
vulnerability only affected a website used by consumer customers in the 
Far East. Symantec admitted there was a problem without commenting on 
how serious the snafu might be, pending the result of an investigation. 
The offending site - pcd.symantec.com - has been taken offline pending 
the addition of extra security defences.

[...]


Received on Tue Nov 24 2009 - 07:03:29 PST
