Credit card data possibly at risk

Dec 22, 2009 20:01 GMT  ·  By

A hacker has discovered an SQL injection flaw in a website owned by Intel. According to the attacker, the vulnerability can be exploited to access sensitive information, including credit card details, stored in the underlying database.

The proof of concept attack was demoed by a prominent self-confessed white hat hacker going by the online handle of Unu. The Romanian security enthusiast specializes in finding SQL injection vulnerabilities in high profile websites. His latest public disclosures involved websites owned by Kaspersky, Symantec or the Wall Street Journal.

According to Unu, the flaw is located in the Intel Channel Webinars website, which is part of the company's Channel Partner Program. The database server is MySQL and the hacker notes that one of the MySQL users has % in its host field. This means that if the password is decrypted, which is fairly easy to do, an attacker can use it to access the server from any IP address.

Further inspection of the database reveals that passwords for the website's administrative accounts are stored in plain text, which is a major security oversight. Additionally, the load_file MySQL function is allowed. Under certain conditions, this function can be abused to upload a PHP shell and completely compromise the server.

However, the most worrying find seems to be a table that stores credit card information, probably for the paying website subscribers. The hacker says that he did not touch any information in the credit_card_number, card_expire_date and card_cvv fields, as his intention is to only disclose vulnerabilities and not exploit them.

But for demonstrative purposes, Unu did extract samples of personal data about the subscribers, such as addresses, phone numbers, nationality, as well as other information about their accounts. These were partially blotted in the screenshots he published in order to avoid abuse.

Ironically, this is not the first time when Unu targeted Intel in his research. Back in February, he disclosed a similar vulnerability on the Intel Security Center website.

Note: We have contacted Intel about Unu's report and they are currently investigating the incident. We will return with more information when/if it becomes available.