Hacker says that an SQL injection vulnerability exposes sensitive information

Mar 10, 2009 08:35 GMT  ·  By

Evidence of an SQLi flaw allegedly affecting the website of BT, one of the largest communications providers in the world, has been published by a self-confessed white-hat hacker. He claims that successful exploitation of the vulnerability exposes the login credentials and e-mail addresses of registered users.

BT, also known as British Telecom, is the official communication services partner for the London 2012 Olympics. According to its own description, "BT is one of the world's leading providers of communications solutions and services operating in 170 countries." The company offers a wide range of services including broadband Internet, landline and mobile telephony, TV and even IT security.

The SQL injection issue has been disclosed by a Romanian hacker calling himself "unu" and, according to the screenshots he has provided, it is located in a section of the bt.com website. However, it is not clear which section or page is affected, because the beginning of the URL has been blotted out to prevent ill-intentioned replication of the attack.

"A faulty parameter, improperly sanitized opens the vault to the pretious [sic.] databases," the hacker explains. The published evidence includes the listing of the database tables, as well as the login information for the administrative accounts. Fortunately, the passwords are hashed and not in plain text form.

In addition, the personal information of some registered users, such as e-mail address, first name, surname, address, town and postcode, is also exposed, along with technical data like user level, random key, last login and status (active/inactive). The hacker tags his post as "episode 1," and specifies at the end that this is "To be continued,… but we need first to see reported vulns patched."
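The flaw described above is the classic pattern of a request parameter being pasted straight into a query. The following is an added illustration written for this article, not code from BT or from the hacker's post: it runs a constructed in-memory SQLite table of users through a vulnerable lookup and a parameterized one, so the difference in what each returns for a crafted input is visible. The table layout, column names and sample rows are all assumptions chosen to mirror the kinds of fields the report says were exposed (e-mail, user level, hashed password), and the hashes are placeholder strings.

```python
import sqlite3

# Constructed sample rows (not BT's schema or data). The password column holds
# placeholder strings standing in for password hashes, as the article notes the
# leaked passwords were hashed rather than plain text.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "hash-placeholder-1", 1),
    ("bob", "bob@example.invalid", "hash-placeholder-2", 1),
    ("admin", "admin@example.invalid", "hash-placeholder-3", 9),
]


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username TEXT, email TEXT, password_hash TEXT, user_level INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """The faulty pattern: the parameter is interpolated into the SQL text.

    Anything the caller puts in `username` becomes part of the statement, so
    quoting characters change the query's structure instead of being data.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: a bound parameter. The database receives the statement and the
    value separately, so the value can never alter the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def exposure_for(conn, username):
    """Return (rows from the vulnerable path, rows from the safe path) so the
    two behaviours can be compared side by side for the same input."""
    return find_user_vulnerable(conn, username), find_user_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    # Ordinary input: both paths return the one matching row.
    print(exposure_for(db, "alice"))
    # Input carrying a quote: the vulnerable path's WHERE clause is rewritten
    # and every row comes back, while the parameterized path matches nothing.
    print(exposure_for(db, "x' OR '1'='1"))
```

The only change between the two lookups is where the value travels: in the text of the statement or in the bound parameter list. Parameterizing every query that touches request input is the fix for this whole class of bug; stored hashing of passwords, as in the reported case, limits the damage of a dump but does not prevent it.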

"Unu" is a member of a self-proclaimed ethical hacking outfit called HackersBlog. He has recently disclosed vulnerabilities in multiple high-profile websites belonging to the likes of Kaspersky Labs, Bitdefender Antivirus, Symantec, UK's National Lottery, The International Herald and The Daily Telegraph. "We don’t want to put BT clients in danger by providing sensitive informations [sic.] and hints to a potential attacker," "unu" writes.

Note: We have contacted BT regarding this security breach and we will return with more information as it becomes available.

Update: British Telecom (BT) responds and claims that no customer data has been affected. Meanwhile, the hacker publishes more evidence.

Photo Gallery (4 images): The website of British Telecom vulnerable to SQL injection; Database listing sample; Login credentials listing sample.