Mar 28, 2011 06:56 GMT  ·  By

Hackers have compromised the database of MySQL.com, as well as the French, German, Italian, Japanese and other localized versions of the website, ironically by exploiting an SQL injection vulnerability.

A hacker calling himself Jackh4xo took credit for the compromise by reporting it on the popular Full Disclosure mailing list.

The report included information about the vulnerable parameter, a list of tables from several databases and a list of database users with hashed passwords.

Soon afterwards, Romanian hacker TinKode published a more complete report on his blog claiming that it was he and a friend who discovered the vulnerability a few months ago and that it wasn't supposed to be made public.

"In this morning our friend Jackh4x0r decided to make public a vulnerability in MySQL.com. It’s about an parameter vulnerable to SQL Injection, what we (TinKode & Ne0h) had found with few months ago [sic.]," the hacker writes.

As proof for his claim he links to a previously private thread on Team Insecurity Romania's (ISR) forum where the vulnerability has been discussed since January 3, 2011.

TinKode's disclosure also includes more information like cracked passwords for some database and blog accounts, including that of Robin Schumacher, MySQL's director of product management.

Mr. Schumacher's blog password is made up of only four digits, which is why cracking it from the hash was trivial. The password of Kaj Arnö, the former vice president of the MySQL Community in the Database Group at Sun Microsystems, was also disclosed.

TinKode previously exposed similar vulnerabilities in sites belonging to the UK Royal Navy, NASA and the U.S. Army. He was also responsible for disclosing the XSS vulnerability in YouTube comments that was exploited by 4chan members to target Justin Bieber fans a year ago.

The incident proves just how common these vulnerabilities are. If the creators of MySQL, the most widely used database engine in the world, can't secure their own website against SQL injection attacks, what reasonable expectation of security can one have from websites that aren't run by experts?

It's worth pointing out that SQL injection is a very dangerous attack vector. Unlike cross-site scripting, which can be used to inject rogue code into pages, SQLi vulnerabilities can also be exploited to extract sensitive data like private customer information from databases.