Symantec Online Store Hacked

By Shayla
in Back Page News

 Share

Recommended Posts

Grand Master

Shayla

Posted
Posted
A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the pcd.symantec.com website, allows for a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. Accessing most of the website's sections requires authentication, and in order to exploit the blind SQLi vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2002 as database back-end.

From the screen shots released by Unu there are many potentially interesting databases, but the one he chose to look at is called "symantecstore." One of the tables in this database is named "PaymentInformationInfo" and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

Unu claims that his interest is only to point out security issues and not misuse any data. Therefore, according to him, he did not attempt to extract any information from this table. Instead, he focused on another one called TB_MEMBER, which contains 70,356 records.

For demonstration purposes, he extracted 6 of these entries at random, revealing customer names and login credentials with the passwords stored in plain text; a major security oversight. The hacker also notes that passwords for the accounts in a different table called TB_EMPLOYEE are also stored in a similar insecure way.

More information on Softpedia

Link to comment
https://www.neowin.net/forum/topic/848672-symantec-online-store-hacked/
Share on other sites
Community Regular

Adrian0E

Posted
Posted (edited)

Romanian? Nice...

Windows 2000 & SQL 2002? You've got to be kidding me... :blink:

L.E.: Unu hacked allready 'Bitdefender', 'kaspersky', and 'Linden Lab's second life' websites back in february...

It seems that a lot of websites have SQL injection vulnerabilities.

But it's sad that a security company get to be hacked... Security is gone, now it's just company! :p

Edited by MafiotuL
Grand Master

Malisk

Posted
Posted

Symantec also offer high quality security-oriented solutions for the business user and personal user alike! :woot:

LOL @ using products with not even critical patch support from Microsoft on production servers. There's a fine line between being economic and stupid. Symantec crossed that line.

Mentor

Mr. Black

Posted
Posted

It does seem odd for a big company like Symantec that they are using Windows 2000 and SQL Server 2002...that is kinda old software, but it doesn't surprise me, I still see alot of companies using Windows 2000 server. The minimum I would use is 2003 these days (2008 for new installs w/o compatibility issues), but meh...their decision for whatever (or no) reason. :)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.