SQL injection is the common attack vector

Sep 5, 2009 10:05 GMT  ·  By
Websites belonging to several European banks are vulnerable to SQL injection

Websites belonging to several large European banks, such as ING, Dexia and HSBC, have been hacked through SQL injection. These proof-of-concept attacks reveal poor security practices on behalf of institutions that people entrust with their life savings.

The security issues have been discovered by Romanian self-confessed grey hat hacker "Unu," who has received a fair amount of media attention this year due to the high-profile nature of his targets. Some of his recent discoveries include SQL injection vulnerabilities in websites belonging to the UK Parliament, Yahoo!, The Telegraph or Orange France.

The first reported vulnerability was discovered on the ING Belgium Giftshop website. A PHP script accepts unsanitized parameters, allowing unauthorized SQL queries to be executed against the database simply by manipulating the URL. The absolute path of the website's root directory is E:\ING\GOTO18\ROOT\HTML\giftshop\, suggesting the host computer is running a version of Microsoft Windows.

According to the hacker, the passwords for all accounts on the website, including the administrative ones, are stored in plain text. Meanwhile, the personal information of registered users, such as full name and e-mail address, can be accessed. Unu also notes that it might be possible to upload a PHP shell to the server.

Another bank located in Belgium apparently running an insecure website is Dexia. A similar failure to properly sanitize parameters passed to a PHP script opens up access to a vast number of databases. From the screen shots published by the hacker, the server in this case is running Ubuntu (a Linux flavor).

The vulnerability can be exploited to extract personal information about registered users, including their passwords in plain text. Additionally, the server allows load_file, which can be used to execute unauthorized code uploaded to a writable directory. The hacker explains that a malicious attacker could use this in order to obtain command line access and take complete control of the server.
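The ING and Dexia findings above share one root cause: a PHP script that splices a URL parameter into its SQL text. As an added illustration (not code from the article or from any of the sites it names; the table and column names are assumed), here is that pattern next to the prepared-statement version, with hashed password storage and a least-privilege connection, the two controls that would have contained the plain-text password and load_file findings:

```php
<?php
// Added example (not from the article). Table and column names are assumed.

// VULNERABLE: the URL parameter is concatenated straight into the SQL text,
// so a crafted ?id= value becomes part of the query rather than a value.
function findProductVulnerable(PDO $db, string $id): ?array
{
    $sql = "SELECT name, price FROM products WHERE id = " . $id;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: validate the type first, then send the query text and the value
// separately through a prepared statement, so the value can never become SQL.
function findProductSafe(PDO $db, string $id): ?array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Password storage: the sites in the article kept passwords in plain text, so
// a single injected query exposed every account. Store only a salted hash.
function storePassword(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u');
    $stmt->execute([':h' => $hash, ':u' => $user]);
}

function checkPassword(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Connection: a dedicated database account holding only SELECT/INSERT/UPDATE on
// the application tables and no FILE privilege, so that even a successful
// injection cannot call load_file() or write to the server's file system.
$pdo = new PDO('mysql:host=localhost;dbname=giftshop', 'giftshop_app', getenv('DB_PASS'), [
    PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);
$product = findProductSafe($pdo, $_GET['id'] ?? '');
```

With emulated prepares disabled, MySQL receives the statement and the bound parameter in separate protocol messages, which is what makes the hardened lookup immune to the URL manipulation the article describes.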

The latest and probably the most dangerous hack, however, is that of a website belonging to HSBC France, part of HSBC Holdings, one of the largest banking groups in the world. In this case, a simple SQL injection vulnerability led to a full server compromise. The hacker not only succeeded in obtaining access to all of the databases, but also to the entire file system.

The machine is running Windows Server with MSSQL as the database backend for the website. Unu has published a snapshot of the root folders on all partitions and points out that the E:\Backup\ directory contains .bak files for all the databases.

Passwords for the administrative accounts are again stored in readable form. "That's a massive no no! They should know better. This would get Web application developers fired in many organizations," said Gunter Ollmann, former chief security strategist at IBM Internet Security Systems and currently vice-president of research at Damballa.

We've actually been holding back this article for a while now, mainly because reporting about vulnerabilities in computer systems belonging to banks is a sensitive matter. First of all, banks and other financial institutions are considered high-risk targets and are constantly being attacked by cyber-criminal gangs.

When a data breach at a financial institution occurs, the repercussions can be massive. Recent examples of such incidents at Heartland or WorldPay have resulted in millions of dollars being lost to fraud. Secondly, SQL injection is one of the preferred attack techniques for hacking into sensitive systems. Attackers use it to compromise an Internet-facing server, then exploit other vulnerabilities to jump from computer to computer on the internal network.

Infamous Israeli hacker Ehud Tenenbaum, aka "The Analyzer," has recently pleaded guilty after being arrested for hacking into the networks of several US and Canadian banks using SQL injection. His actions were linked to a larger international credit card fraud operation.

Banks are notorious for keeping details about data breaches secret, and while this is somewhat understandable from a security perspective, people have a right to know that these breaches are often the result of basic programming errors, such as the ones reported in this article.

In the past, Unu declared himself an adherent of responsible disclosure practices and said that he was going public about these vulnerabilities in order to raise awareness and force companies to invest more resources into securing their systems. We can only hope that these financial organizations address their problems and enforce better security guidelines in the future.