Nov 6, 2010 10:26 GMT

A hacker claims to have gained full access to the website of the British Royal Navy and the underlying database through an SQL injection attack.

The public disclosure was made by a Romanian self-confessed security enthusiast who uses the online handle of "TinKode."

The grey hat hacker specializes in finding Web vulnerabilities like SQL injection and cross-site scripting.

Back in July he disclosed a high-risk weakness in YouTube, which was subsequently misused to poison video comments.

In a new post on his blog, TinKode claims that the compromise of www.royalnavy.mod.uk happened on November 5 at 22:55. The time zone is not specified, but Romania is on UTC+02:00 at that time of year.

The hacker states that the attack vector was SQL injection but, fortunately, does not publicly disclose the vulnerable URL.

He does, however, link to a file hosted on pastebin.com, which contains sensitive information gathered from the Royal Navy Web server and database.

This includes a copy of the /etc/passwd file, a listing of the MySQL databases, and the tables of some of them. Pulling an operating-system file such as /etc/passwd through an injection normally requires the web application's MySQL account to hold the FILE privilege (used by LOAD_FILE()), which would mean the database user was far more privileged than a public website needs.

For the "globalops" database, which we assume corresponds to the "Global Operations" section of the website, TinKode lists the contents of the "admin_users" table. This includes the administrative accounts and their corresponding password hashes.

The hacker even cracked the hashed password of the user called "admin" and posted it in plain text. Suffice it to say that it is ridiculously simple and in no way appropriate for a military website. Password hashes are not decrypted; they are recovered by hashing candidate passwords and comparing the results, so a short, common password offers no protection no matter how it is stored.
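The following is an added example, not code from the article or from the person it describes, showing why the "admin" password could be recovered. It runs a dictionary attack against a constructed hash; the article does not say which hash function the site used, so the unsalted MD5 case, the PBKDF2 comparison, the sample password and the wordlist are all assumptions made for the demonstration.

```python
"""
Added example (not from the article): hashes are recovered by guessing,
not decrypted, and a weak password falls regardless of the hash scheme.
The password, wordlist and hash parameters below are constructed.
"""
import hashlib
from typing import Callable, Optional

# Constructed stand-in for a real cracking dictionary (rockyou.txt etc.).
WORDLIST = ["123456", "letmein", "navy", "password", "royalnavy", "qwerty"]


def crack(stored: str, hasher: Callable[[str], str]) -> Optional[str]:
    """Guess-and-compare: hash every candidate and look for a match."""
    for guess in WORDLIST:
        if hasher(guess) == stored:
            return guess
    return None


def md5_hash(pw: str) -> str:
    """Unsalted, fast hash: one cheap call per guess, and the same table of
    precomputed hashes works against every user on every site."""
    return hashlib.md5(pw.encode()).hexdigest()


def make_pbkdf2_hasher(salt: bytes, rounds: int = 100_000) -> Callable[[str], str]:
    """Salted, deliberately slow hash. The per-user salt defeats precomputed
    tables and each guess costs `rounds` iterations, which slows an attacker
    down but cannot save a password that is in the dictionary anyway."""
    def hasher(pw: str) -> str:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()
    return hasher


def demo():
    """Returns (md5 result, pbkdf2 result, pbkdf2 result for a strong password)."""
    weak = "password"            # constructed weak password
    strong = "cX7#pUq!4mLz9Bv@"  # constructed password absent from the wordlist
    salt = b"\x01" * 16          # fixed for reproducibility; use os.urandom(16) in real storage
    pbkdf2 = make_pbkdf2_hasher(salt)

    weak_md5 = crack(md5_hash(weak), md5_hash)
    weak_pbkdf2 = crack(pbkdf2(weak), pbkdf2)
    strong_pbkdf2 = crack(pbkdf2(strong), pbkdf2)
    return weak_md5, weak_pbkdf2, strong_pbkdf2


if __name__ == "__main__":
    print(demo())
```

The weak password is found under both schemes; only the strong one survives the wordlist. The practical lesson for a site like this is that a slow, salted hash and a real password policy are both needed, and that administrative accounts are the first place a cracker will look.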

He also posted usernames and hashed passwords for the site's "Jack Speak" blogs section, which appears to run WordPress. We have alerted the Royal Navy Web team but have yet to receive a reply. Meanwhile, the website remains online.

SQL injection is a class of vulnerability that arises when an application builds a database query by concatenating untrusted input, such as a URL parameter, into the query text instead of passing it as a bound parameter. An attacker who controls that input can change the structure of the query and run statements of their own, for example reading tables the page was never meant to expose or, where the database account allows it, files on the server.
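As an added illustration that is not part of the article, the script below reproduces the injection class described above on an in-memory SQLite database. The "admin_users" table name follows the article; its columns, the "news" table, the data, the URL parameter and the vulnerable query are all assumptions made for the demonstration, not details of the Royal Navy site.

```python
"""
Added example (not from the article): a page that looks up a news item by
the id in its URL, written once with string concatenation and once with a
bound parameter, fed the same UNION payload. All data is constructed.
"""
import hashlib
import sqlite3

# Constructed weak admin password, stored as unsalted MD5 (an assumption).
ADMIN_HASH = hashlib.md5(b"password").hexdigest()

# A UNION-based payload of the kind used to dump other tables: it matches
# the column count of the original SELECT (2) and appends rows from
# admin_users to the result set.
PAYLOAD = "0 UNION SELECT username, password_hash FROM admin_users"


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a public 'news' table the page is meant to
    read, and an 'admin_users' table it should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO news VALUES (1, 'Fleet exercise', 'Ships sail.');
        INSERT INTO news VALUES (2, 'New frigate', 'Commissioned today.');
    """)
    conn.execute("INSERT INTO admin_users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def get_news_vulnerable(conn: sqlite3.Connection, news_id: str):
    """Query text built by concatenating the raw URL parameter (think
    /news.php?id=2). Whatever the client sends becomes part of the SQL."""
    sql = "SELECT title, body FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def get_news_safe(conn: sqlite3.Connection, news_id: str):
    """Same lookup with a bound parameter: the value is sent separately from
    the query text, so it is only ever compared with id, never parsed as SQL."""
    return conn.execute("SELECT title, body FROM news WHERE id = ?", (news_id,)).fetchall()


def demo():
    """Returns (rows leaked by the vulnerable page, rows from the safe page)."""
    conn = build_db()
    leaked = get_news_vulnerable(conn, PAYLOAD)
    safe = get_news_safe(conn, PAYLOAD)
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("parameterized:", safe)
```

With the concatenated query the admin username and hash come back as if they were a news item; with the bound parameter the same payload simply matches no row. The same pattern applies to MySQL-backed PHP sites of the kind the article describes: use prepared statements rather than input filtering, and have the web application connect with a database account that has no FILE privilege and no access to tables it does not need.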

TinKode previously disclosed similar vulnerabilities on NASA and U.S. Army websites. At the end of October he announced compromises on websites belonging to the U.S. Army 470th MI Brigade, the U.S. Army Civil Affairs & Psychological Operations Command and the National Weather Service.