Hacker Gains Access to 7 ESA Databases by Leveraging Blind SQL Injection Flaw

D35m0nd142 says he has informed the Space Agency, but he has received no response

The hacker known as D35m0nd142 has identified a Blind SQL Injection vulnerability on a domain owned by the European Space Agency (ESA).

The hacker has managed to gain access to the information stored in 7 databases. To demonstrate his findings, he has published database and table names, as well as the contents of one table containing user IDs, email addresses and passwords.

However, all the sensitive information has been redacted.

“It was a very simple hack because this database isn't least protected. I've published some tables and the content of a user table from one single DB, but as you can see, I could take any record of the database. I've already warned administrators but until now they haven't responded to me,” the hacker told me.

This isn’t the first time D35m0nd142 has shown that ESA's systems are vulnerable to cyberattacks. He says he has identified similar security holes on at least three other occasions.