NEWS CATEGORIES:

NEWS ARCHIVE >>
SOFTPEDIA REVIEWS >>
MEET THE EDITORS >>

Find us on Google+

Home > News > Security > Incidents

December 22nd, 2009, 20:01 GMT · By Lucian Constantin

Intel Website Compromised through SQL Injection

Adjust text size:

A hacker has discovered an SQL injection flaw in a website owned by Intel. According to the attacker, the vulnerability can be exploited to access sensitive information, including credit card details, stored in the underlying database.

The proof of concept attack was demoed by a prominent self-confessed white hat hacker going by the online handle of Unu. The Romanian security enthusiast specializes in finding SQL injection vulnerabilities in high profile websites. His latest public disclosures involved websites owned by Kaspersky, Symantec or the Wall Street Journal.

According to Unu, the flaw is located in the Intel Channel Webinars website, which is part of the company's Channel Partner Program. The database server is MySQL and the hacker notes that one of the MySQL users has % in its host field. This means that if the password is decrypted, which is fairly easy to do, an attacker can use it to access the server from any IP address.

Further inspection of the database reveals that passwords for the website's administrative accounts are stored in plain text, which is a major security oversight. Additionally, the load_file MySQL function is allowed. Under certain conditions, this function can be abused to upload a PHP shell and completely compromise the server.

However, the most worrying find seems to be a table that stores credit card information, probably for the paying website subscribers. The hacker says that he did not touch any information in the credit_card_number, card_expire_date and card_cvv fields, as his intention is to only disclose vulnerabilities and not exploit them.

But for demonstrative purposes, Unu did extract samples of personal data about the subscribers, such as addresses, phone numbers, nationality, as well as other information about their accounts. These were partially blotted in the screenshots he published in order to avoid abuse.

Ironically, this is not the first time when Unu targeted Intel in his research. Back in February, he disclosed a similar vulnerability on the Intel Security Center website.

Note: We have contacted Intel about Unu's report and they are currently investigating the incident. We will return with more information when/if it becomes available.

FILED UNDER:

Intel Channel Webinars

TELL US WHAT YOU THINK:

4,500 hits · 2 comments · Link to this article · Print article · Send to friend · Subscribe to news

MUST-READ RELATED ARTICLES:

Two Official Kaspersky Websites Hacked

Wall Street Journal Website Hacked

Symantec Online Store Hacked

Hacked: ING Belgium, Dexia and HSBC France Websites

Intel Security Center Lacks Security

READER COMMENTS:

Comment #1 by: Space Rogue on 06 Jan 2010, 21:21 UTC	reply to this comment
Geez, you rip off all of his info and don't even bother to provide a link to his blog? http://unu123456.baywords.com/ Not very neighborly. - SR

Comment #1.1 by: Lucian Constantin on 07 Jan 2010, 10:38 GMT

Hello Space Rogue,

A link back to Unu's blog and original article has been available since this article was published on 22 December 2009. The link is on the word "demoed" and is underlined and colored in light blue.

In the vast majority of cases we post links back to our sources, unless the story is sent to us exclusively via e-mail, which wasn't the case here.

If you've been mislead by the dark colored links, which point to content on our own website, I'm sorry, but a link to Unu's blog was always available.

SUBMIT PROGRAM \| ADVERTISE \| GET HELP \| SEND US FEEDBACK \| RSS FEEDS \| UPDATE YOUR SOFTWARE \| ROMANIAN FORUM
© 2001 - 2012 Softpedia. All rights reserved. Softpedia® and the Softpedia® logo are registered trademarks of SoftNews NET SRL.	Copyright Information \| Privacy Policy \| Terms of Use