The “Holy Lulz Crusade of Canada” is an operation initiated by the hackers of the Team Dig7tal collective, but it’s uncertain if this is a form of protest against the Canadian government or simply a way of showing that websites are highly insecure.
The list of targeted sites is considerably long and if in some cases they simply unveiled the presence of cross-site scripting (XSS) and SQL Injection vulnerabilities, in other situations they’ve leaked the information found in the databases.
One of the most important websites is the National Defence and Canadian Forces (corces.gc.ca). They not only demonstrated that the main domain contains a number of XSS security holes, but they also showed how some of the subdomains could be breached by leveraging SQL Injections. The subdomains include navy.forces.gc.ca
From the systems of the Health Council of Canada they leaked database information, usernames along with their associated passwords in clear text, and the website’s administrator’s credentials.
A number of university websites have also been probed
by the hackers, including The University of British Columbia, University of Toronto, University of Ontario Institute of Technology, and McGill University. From each of the educational institutions the hackers have leaked user data.
Government-owned websites such as the Industry of Canada (ic.gc.ca), Natural Resources of Canada (nrcan.gc.ca), and the Science and Technology for Canadians (science.gc.ca) are all on the list of victims.
Team Dig7tal showed that sites managed by law enforcement organizations such as the Montreal Police Department (spvm.gc.ca) and Toronto Police Department are also easily penetrable.
Finally, the list of targets ends with Telefilm Canada (telefilm.ca) and the site of the Legislative Assembly of Prince Edward Island.
“Don't worry though, The Holy Lulz Crusade is not going away! We are charging against the UK next,” the hackers wrote.
We will not provide a link to the data dump at this time since it is full of unaddressed vulnerabilities and clear text passwords, but hopefully, the administrators of the aforementioned sites will act on fixing the security holes before someone decides to misuse the information made public by the hackers.