SQL-injection vulnerability exposes commuters' personal data

Sep 11, 2009 07:26 GMT

RideMatch.info, a website used by several California-based companies and transportation boards to match commuters travelling similar routes, has been found by a security researcher to be vulnerable to SQL injection, which allows the disclosure of users' personal data, CyberInsecure reports. Among the organizations using the service are some US military bases, whose personnel could have had their commuting details exposed on the web.

With the US military actively engaged in several conflicts around the globe, an abundance of accurate and detailed information about service members' home addresses, pick-up times, pick-up locations, working hours, work addresses, financial details, employee IDs and more finding its way onto the web would put it in a sensitive position.

It is not known whether the affected bases changed any of their routines because of the possible leak, but the safety of their personnel over the coming days is surely a concern at headquarters.

The website is currently operated under the supervision of five Southern California transportation boards (Los Angeles, San Bernardino, Riverside County, Orange County and Ventura County), which use it as a "match-making" service to maximize vehicle occupancy in daily commutes.

The person who found the flaw is Kristian Hermansen, a security researcher who works in the area and needed the service to find a suitable commute to work. He was uneasy about the large amount of personal data the website required users to enter, and decided to test it for SQL injection, the technique named in the recent indictment over the theft of some 130 million credit and debit card numbers from payment processors and retailers.
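The article does not say which form on RideMatch.info was injectable or what payload was used, so the following is an added illustration, not the site's code and not the researcher's test: a commute-matching lookup built by pasting user input into the SQL text, beside the same lookup written with a bound parameter. The table layout, column names, sample rows and payloads are all constructed for this example; the point is that a feature meant to return only names and work ZIP codes can be made to return every column the site stores, which is exactly the kind of disclosure described above.

```python
"""Added illustration (not RideMatch's code): a commute-matching lookup
written with string concatenation, beside the parameterised version.
Table layout, column names, sample rows and payloads are all constructed."""
import sqlite3

# Constructed sample data with the kinds of fields the article says the site collected.
SAMPLE_ROWS = [
    ("Alice Example", "1 Hypothetical Way, Riverside", "92501", "EMP-0001"),
    ("Bob Example", "2 Hypothetical Ct, Ontario", "91764", "EMP-0002"),
    ("Carol Example", "3 Hypothetical St, Irvine", "92618", "EMP-0003"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed commuter records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE commuters (name TEXT, home_address TEXT, work_zip TEXT, employee_id TEXT)"
    )
    conn.executemany("INSERT INTO commuters VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def match_vulnerable(conn: sqlite3.Connection, work_zip: str) -> list:
    """The intended feature: list commuters who work in the given ZIP code.
    The input is spliced into the SQL text, so the quote boundary and the
    rest of the statement are under the caller's control."""
    sql = f"SELECT name, work_zip FROM commuters WHERE work_zip = '{work_zip}'"
    return conn.execute(sql).fetchall()


def match_safe(conn: sqlite3.Connection, work_zip: str) -> list:
    """Same feature with a bound parameter: the value travels separately from
    the statement, so no input can change the query's shape."""
    return conn.execute(
        "SELECT name, work_zip FROM commuters WHERE work_zip = ?", (work_zip,)
    ).fetchall()


# Two constructed payloads typed into the ZIP field instead of a ZIP code.
# Closes the string literal and makes the WHERE clause always true: dumps every row.
DUMP_ALL = "' OR '1'='1"
# Appends a UNION that pulls columns the form never displays; '--' comments out
# the trailing quote the template adds after the input.
UNION_PII = "x' UNION SELECT home_address || ' / ' || employee_id, 'pii' FROM commuters--"


def demo() -> dict:
    """Run both lookups against a legitimate ZIP and both payloads."""
    conn = make_db()
    return {
        "legit_vulnerable": match_vulnerable(conn, "92501"),
        "legit_safe": match_safe(conn, "92501"),
        "dump_all_vulnerable": match_vulnerable(conn, DUMP_ALL),
        "dump_all_safe": match_safe(conn, DUMP_ALL),
        "union_vulnerable": match_vulnerable(conn, UNION_PII),
        "union_safe": match_safe(conn, UNION_PII),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the parameterised query both payloads simply match no ZIP code and return nothing; with the concatenated query the first returns every commuter and the second returns home addresses and employee IDs through a form that was only supposed to show names. Binding parameters is the fix; escaping or filtering input is not a substitute.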

After finding the flaw he informed the website's administrators, but two weeks later the problem was still not fixed. Faced with their indifference, he issued this statement: "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID and login ID, may have been compromised," as quoted by CyberInsecure.

As the story broke in the media, a spokesperson for the Riverside County Transportation Board released a statement saying that the company in charge of administering the website and its commute match-making software is working on the problem and will have a patch in the coming days.