Symantec Online Store Hacked

By Shayla
in Back Page News

 Share

Recommended Posts

Grand Master

Shayla

Posted
Posted
A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the pcd.symantec.com website, allows for a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. Accessing most of the website's sections requires authentication, and in order to exploit the blind SQLi vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2002 as database back-end.

From the screen shots released by Unu there are many potentially interesting databases, but the one he chose to look at is called "symantecstore." One of the tables in this database is named "PaymentInformationInfo" and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

Unu claims that his interest is only to point out security issues and not misuse any data. Therefore, according to him, he did not attempt to extract any information from this table. Instead, he focused on another one called TB_MEMBER, which contains 70,356 records.

For demonstration purposes, he extracted 6 of these entries at random, revealing customer names and login credentials with the passwords stored in plain text; a major security oversight. The hacker also notes that passwords for the accounts in a different table called TB_EMPLOYEE are also stored in a similar insecure way.

More information on Softpedia

Link to comment
https://www.neowin.net/forum/topic/848672-symantec-online-store-hacked/
Share on other sites
Community Regular

Adrian0E

Posted
Posted (edited)

Romanian? Nice...

Windows 2000 & SQL 2002? You've got to be kidding me... :blink:

L.E.: Unu hacked allready 'Bitdefender', 'kaspersky', and 'Linden Lab's second life' websites back in february...

It seems that a lot of websites have SQL injection vulnerabilities.

But it's sad that a security company get to be hacked... Security is gone, now it's just company! :p

Edited by MafiotuL
Grand Master

Malisk

Posted
Posted

Symantec also offer high quality security-oriented solutions for the business user and personal user alike! :woot:

LOL @ using products with not even critical patch support from Microsoft on production servers. There's a fine line between being economic and stupid. Symantec crossed that line.

Mentor

Mr. Black

Posted
Posted

It does seem odd for a big company like Symantec that they are using Windows 2000 and SQL Server 2002...that is kinda old software, but it doesn't surprise me, I still see alot of companies using Windows 2000 server. The minimum I would use is 2003 these days (2008 for new installs w/o compatibility issues), but meh...their decision for whatever (or no) reason. :)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Anthropic pulls Fable 5 and Mythos 5 after US export control order

      By JayZJay · Posted

      I totally disagree. Very little good comes out of governments all around the world manipulating everything they can and usually the people are not the benefactors. What you say about being restricted and expensive sounds almost like the arguments against firearms and why banning them will protect people as if making something illegal somehow will prevent the criminals from having and using them. AI being far less mainstream could simply mean the average person will not benefit, but "big brother" and the corporations will benefit, which is almost for sure NOT a good thing.
    • Microsoft making much needed change to Windows 11, 10 Patch Tuesday security updates

      By lonegull · Posted

      I do apologize to the author Mr. Sen for my rude comment, questioning his knowledge of the subject. It is I whom lacked knowledge of the subject. Sorry!
    • USB Port Optimization for best locations for devices

      By bikeman25 · Posted

      Hello All Have a MSI Pro B650 VC Wifi Rev 1.0 motherboard Ryzen 7 7700X Radeon 7800XT OC 16GB 32GB Teamgroup DDR 5 5600mhz Samsung 990 Pro 1TB Boot NVMe Samsung 990 Pro 2TB Game NVMe Lian Li Lancool Black ARGB 216 Case Seasonic Focus GX 750 Watt Power supply   Wondering today what is best spot to plug in the following items on system for performance and not bottle neck anything if i can help it Creative Pebble Pro USB C or A Speakers, ((Powered by External USB C to C PD Adapter)  Logitech G513 USB Gaming Keyboard Logitech G502X Wired Gaming Mouse Cyberpower UPS USB Cable for UPS Power Management/System shutdown External drives connected occasionally are as follows---WD My Book 8TB (primary backup drive)   Seagate 8TB in External USB 3.0 Enclosure,  Seagate Portable 1TB USB 3.0 drive,   WD My Passport (Blue) 2TB, and WD My Passport (Red) 2TB,    WD Elements 500GB USB 2.0 External (Oldest one, Christmas 2003)       **Do have a 7 Port Powered  USB Hub as well, but when i use that--that leaves only the USB Flash spot for something to directly connect to system if needed.    Rear USB C 2x2 unused right now as moved the Creative speakers off it to USB A port next to it, with a USB C to A Cable, as figured speakers didn't near audio from USB C port and tie up the high speed port**   Front Ports trying to limit use of, so i don't have Front I/O port go bad again, already had it replaced once by Lian Li support all the way from Taiwan over night ((Do get extra nervous at times on things,  so i might just be extra nervous for nothing lol))
    • EA launches in-game advertising platform for brands to "connect with audiences"

      By RejZoR · Posted

      "connect with audiences" is the most obvious corporate speak you can think of. I only bought Need for Speed from EA because it was the only racing game with cops in existence and I dig that. Now that they killed off NFS franchise, I have nothing to spend money on. EA is officially dead for me, just like Ubisoft which I've been boycotting for some 20 years now...
    • Politically funny images of the World

      By +primortal · Posted

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      496
    2. 2
      +Edouard
      203
    3. 3
      PsYcHoKiLLa
      127
    4. 4
      Steven P.
      83
    5. 5
      ATLien_0
      80
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!