Hacker walks freely through the database

Dec 8, 2009 14:01 GMT  ·  By

Kaspersky Lab's online presence in Portugal has been targeted by a Romanian hacker, who used SQL injection to obtain unrestricted access to the database. According to the attacker, the website contained, at the very least, product licensing information.

The self-described grey hat hacker goes by the moniker "TinKode" and was inspired to perform this unauthorized research on the kaspersky.com.pt website by the actions of his fellow countryman "Unu." The latter is a security enthusiast who grabbed international headlines after demonstrating serious security vulnerabilities on the websites of several anti-virus vendors, including Kaspersky.

"Kaspersky, from what I know has been hacked by 'unu' with MySQLi. So I said to try to see if I could find a vulnerability!" writes TinKode, referring to the February incident, which involved Kaspersky's USA support site. According to him, it took only five minutes to locate an insecure parameter on kaspersky.com.pt.

This allowed him to mount an SQL injection attack against the underlying PostgreSQL database server. This type of vulnerability lets an attacker append his own SQL to a query the application builds from unsanitized input, so the database executes it with the application's privileges and returns data the attacker was never authorized to read.

However, unlike Unu, who grabbed pieces of sensitive data for demonstrative purposes, TinKode claims that he did not extract any content from the database. "I wasn’t concerned about the content, I only 'got' the names of databases, tables and columns," he explains. Examples of databases present on the server include estkaspersky, license, acessosclientes (client access) and licencefmota.
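The mechanics behind the two preceding paragraphs, as an added example that is not code from the article, from TinKode or from the kaspersky.com.pt site: an application splices a request parameter straight into its SQL, so a UNION payload can pull table and column names out of the database catalog without reading any row contents, exactly the kind of enumeration TinKode describes. The same query with the parameter bound as a value is shown beside it. An in-memory SQLite database stands in for the PostgreSQL server (on PostgreSQL the catalog sources would be pg_catalog.pg_database, information_schema.tables and information_schema.columns rather than sqlite_master and pragma_table_info); the tables, rows, the parameter name `id` and the payloads are all constructed for illustration.

```python
"""SQL injection: vulnerable string concatenation beside the parameterized
fix. Added example; not code from the article, from TinKode or from the
kaspersky.com.pt site. An in-memory SQLite database stands in for the
PostgreSQL server the article describes; every table, row, parameter
name and payload below is constructed for illustration."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a product catalogue the page is meant to
    show, plus a licence table it was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE license (id INTEGER, license_key TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Anti-Virus"), (2, "Internet Security")])
    conn.executemany("INSERT INTO license VALUES (?, ?)",
                     [(1, "KEY-0001"), (2, "KEY-0002")])
    conn.commit()
    return conn


def product_name_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Insecure pattern: the request parameter is spliced into the SQL text,
    so whatever the client sends is parsed as part of the query."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def product_name_fixed(conn: sqlite3.Connection, product_id: str) -> list:
    """Fix: the value is bound as a parameter and can never alter the
    query's structure. A UNION payload is merely compared against id and
    matches nothing."""
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


# Constructed payloads. On PostgreSQL the catalog sources would be
# pg_catalog.pg_database, information_schema.tables and
# information_schema.columns; SQLite exposes the same facts through
# sqlite_master and the pragma_table_info() table-valued function.
LIST_TABLES = "1 UNION SELECT name FROM sqlite_master WHERE type='table'"
LIST_COLUMNS = "1 UNION SELECT name FROM pragma_table_info('license')"


def enumerate_schema_via_injection(conn: sqlite3.Connection) -> dict:
    """What the article describes: read table and column names without
    touching row contents. Returns only the names the injected UNION
    appended to the legitimate result for id=1."""
    legit = set(product_name_vulnerable(conn, "1"))
    tables = set(product_name_vulnerable(conn, LIST_TABLES)) - legit
    columns = set(product_name_vulnerable(conn, LIST_COLUMNS)) - legit
    return {"tables": sorted(tables), "license_columns": sorted(columns)}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal request:", product_name_vulnerable(db, "1"))
    print("vulnerable, injected      :", enumerate_schema_via_injection(db))
    print("fixed, same payload       :", product_name_fixed(db, LIST_TABLES))
```

Running the block shows the vulnerable endpoint handing back the `license` table and its column names for a request that should only ever return one product name, while the parameterized version returns an empty result for the identical payload. Binding parameters is the fix; escaping or blacklisting keywords such as UNION is not, because the query text would still be assembled from attacker input.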

Even though their actions are not authorized by the companies they target, grey hat hackers such as Unu or TinKode do follow an ethical code of their own making. They sometimes obfuscate potentially sensitive information in their screenshots, or notify the affected companies before going public.

It is worth noting that kaspersky.com.pt appears to be maintained by a local business partner called iPortalMais. While this might theoretically absolve the Russian security vendor of some responsibility, it’s unlikely that users will see past Kaspersky's name, logo and even website template being used.

Incidents such as this should serve as a reminder to companies that entrust other parties with their branding elements to make sure their reputation is upheld accordingly. On a side note, in this case TinKode did not contact Kaspersky, but we did, and we will update this article as soon as we receive a response.

Update: The antivirus vendor has confirmed the attack and, as expected, pointed out that the website in question is maintained by one of its business partners. "The site you've mentioned belongs to our partner in Portugal, and we neither created it nor control it. The hacker did NOT contact us before publishing this, which speaks for itself," a Kaspersky Lab representative wrote in an e-mail to Softpedia.

Regarding the nature of the exposed data, the spokesperson stressed that "no important information was compromised, the hacker could only access public information that is already available on the website."

Photo Gallery (2 Images)

Kaspersky website in Portugal hacked through SQL injection
Kaspersky.com.pt PostgreSQL server information