Symantec Online Store Hacked

By Shayla
in Back Page News

 Share

Recommended Posts

Grand Master

Shayla

Posted
Posted
A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the pcd.symantec.com website, allows for a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. Accessing most of the website's sections requires authentication, and in order to exploit the blind SQLi vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2002 as database back-end.

From the screen shots released by Unu there are many potentially interesting databases, but the one he chose to look at is called "symantecstore." One of the tables in this database is named "PaymentInformationInfo" and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

Unu claims that his interest is only to point out security issues and not misuse any data. Therefore, according to him, he did not attempt to extract any information from this table. Instead, he focused on another one called TB_MEMBER, which contains 70,356 records.

For demonstration purposes, he extracted 6 of these entries at random, revealing customer names and login credentials with the passwords stored in plain text; a major security oversight. The hacker also notes that passwords for the accounts in a different table called TB_EMPLOYEE are also stored in a similar insecure way.

More information on Softpedia

Link to comment
https://www.neowin.net/forum/topic/848672-symantec-online-store-hacked/
Share on other sites
Community Regular

Adrian0E

Posted
Posted (edited)

Romanian? Nice...

Windows 2000 & SQL 2002? You've got to be kidding me... :blink:

L.E.: Unu hacked allready 'Bitdefender', 'kaspersky', and 'Linden Lab's second life' websites back in february...

It seems that a lot of websites have SQL injection vulnerabilities.

But it's sad that a security company get to be hacked... Security is gone, now it's just company! :p

Edited by MafiotuL
Grand Master

Malisk

Posted
Posted

Symantec also offer high quality security-oriented solutions for the business user and personal user alike! :woot:

LOL @ using products with not even critical patch support from Microsoft on production servers. There's a fine line between being economic and stupid. Symantec crossed that line.

Mentor

Mr. Black

Posted
Posted

It does seem odd for a big company like Symantec that they are using Windows 2000 and SQL Server 2002...that is kinda old software, but it doesn't surprise me, I still see alot of companies using Windows 2000 server. The minimum I would use is 2003 these days (2008 for new installs w/o compatibility issues), but meh...their decision for whatever (or no) reason. :)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • AMD 9070XT

      By cooky560 · Posted

      Well I've done a grand total of nothing, and it now clocks between 2010mhz and 1995mhz (stock is 1710mhz) and hovers around 80c, warmer than it used to, but tolerable clocks seem to have returned. Thanks for all the advice on this thread. Will review the evidence and make a choice.
    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By ExPat · Posted

      Looking forward to the test results.
    • Audacious 4.6.1

      By Copernic · Posted

      Audacious 4.6.1 by Razvan Serea Audacious is a lightweight, open-source audio player that emphasizes simplicity, performance, and sound quality. Designed for Linux, Windows, and macOS, it supports a wide range of audio formats, internet radio streaming, and playlist management. Users can customize the interface with Winamp-style skins or modern themes, making it flexible for different preferences. Audacious also includes an equalizer, advanced audio effects, and a plugin system for extending functionality. Its low resource usage makes it especially suitable for older computers or users who value efficiency without sacrificing playback quality. Audacious key features: High audio quality – delivers clean, gapless playback with minimal distortion. Wide format support – plays MP3, FLAC, Ogg Vorbis, AAC, WAV, WMA, and more. Internet radio streaming – supports Shoutcast, Icecast, and other online streams. Winamp skin support – classic, nostalgic look for users who prefer the old-school style. Modern GTK-based interface – clean, simple UI with a more modern feel. Customizable themes – change appearance through skins and themes. Advanced playlist management – organize, save, and edit playlists with ease. Equalizer – fine-tune audio output with a built-in graphical equalizer. Audio effects – built-in DSP options like crossfade, replay gain, and more. Plugin system – extend functionality with additional components. File metadata support – displays and organizes music based on tags. Drag-and-drop support – quickly add songs or playlists. Global hotkey support – control playback without switching windows. Bit-perfect output modes – bypass system mixers for pure audio output. ReplayGain support – normalizes track loudness automatically. Cue sheet support – play entire albums from a single audio file with .cue. MPRIS2 integration – integrates with Linux desktop environments for media controls. Advanced resampling options – adjust playback quality with different resampler settings. Gapless playback – seamless transition between tracks encoded properly. Crossfade plugin – blend one song into the next smoothly. Last.fm scrobbling plugin – track listening history online. Remote control support – control Audacious via command-line or scripts. Lyrics plugin – display song lyrics if available. Alarm / timer plugin – start or stop playback at set times. SOX resampler plugin – high-quality resampling for audiophiles. Spectrum analyzer / visualization plugins – visual feedback while playing music. Headphone crossfeed effect – simulates speaker listening for headphones. Customizable buffer size – tweak latency and playback smoothness. Audacious 4.6.1 changelog: Use XDG cache dir to store temporary files (#1817) Accept embedded lyrics in more cases (#1818) Bump .so and plugin ABI versions retrospectively (#1819) Include Georgian translation (#1820) Fix build on systems using musl instead of glibc (#1823) Download: Audacious 4.6.1 | 48.2 MB (Open Source) Download: Portable Audacious 4.6.1 | 69.8 MB View: Audacious Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Politically funny images of the World

      By +DoctorD · Posted

    • Can't access the forum on mobile

      By Steven P. · Posted

      I really wonder if this has to do with the built in VPN or "private DNS" of browsers that trip up legal requirements like cookie consent and Cloudflare (to avoid all the botnet attacks we get). And BTW some botnets still manage to get past Cloudflare, we are constantly having to tweak it to block malicious traffic that ultimately cause a DDoS.

  • Recent Achievements

    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later
    • One Month Later
      agatameier earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      505
    2. 2
      +Edouard
      197
    3. 3
      PsYcHoKiLLa
      142
    4. 4
      ATLien_0
      89
    5. 5
      Steven P.
      80
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!