The government website's administrators rushed to address the issues reported by Gambit

May 30, 2012 15:01 GMT

Although he has previously stated that he doesn’t help governments address the issues that affect their public-facing websites, the hacker known as Gambit has changed his mind and reported an SQL Injection vulnerability to the Oak Ridge National Laboratory (ORNL.gov).

“I know I said I don't report to governmental sites. But I figured since I'll be going into the field soon as a pentester for hire I might as well add a few .govs to my resume as well,” he explained.

He says a scene from The Big Bang Theory is what drew his attention to the ORNL site.

“It’s a funny story on how I came across this, I was watching The Big Bang Theory, it was the episode where Sheldon hacks into ORNL to use their super computer to try and figure out the Jew’s (can’t remember his name) card trick,” he said.

That inspired him to take a look at the laboratory's website and, after some digging around, he found an SQL Injection hole in the Risk Assessment Information System section of the site.

According to Gambit, the facility's webmaster never replied to his emails, but the vulnerability was fixed soon after he sent the notification. Since the flaw can no longer be abused, he has published a screenshot demonstrating it, along with the email he sent to the administrator.

We will take this opportunity to remind security enthusiasts that responsible disclosure is the best way to go. Many companies refuse to credit white hat hackers who find security holes in their websites, but plenty of others genuinely appreciate the help.