Softpedia
 


August 11th, 2008, 15:25 GMT · By Denisa Ilascu

SQL Injection Attack on News Websites

News websites can spread malware
To keep up with the Beijing Olympic Games, even if only from in front of a screen, millions of people are searching the Internet for the latest news on the competition. This thirst for breaking news makes hijackers' job easier than ever, as shown by SophosLabs experts, who discovered an SQL injection attack on several news websites reporting on the Olympics.

Such attacks exploit a security vulnerability that arises when user input is not properly filtered for escape characters embedded in SQL statements, or when it is not strongly typed and, lacking that restriction, is unexpectedly executed.
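The two failure modes described above (unescaped string input and input that is not strongly typed), shown next to their fix, as an added example that is not from the original article. It uses Python with an in-memory SQLite database rather than the ASP/SQL stack the article mentions; the table, function names and inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample inputs, as a visitor might submit them in a URL or form.
TITLE_INPUT = "x' OR '1'='1"   # quote ends the string literal early
ID_INPUT = "1 OR 1=1"          # not a number, yet needs no quote at all

def make_db():
    """In-memory article table with constructed rows; row 3 is unpublished."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Opening ceremony", 1), (2, "Medal table", 1), (3, "Draft", 0)])
    return db

def run(db, sql, params=()):
    return sorted(row[0] for row in db.execute(sql, params))

def by_title_unsafe(db, title):
    # Flaw 1: quotes in `title` are not escaped, so the input can close the
    # string literal and the remainder is parsed as SQL.
    return run(db, "SELECT id FROM articles WHERE published = 1 AND title = '%s'" % title)

def by_id_unsafe(db, article_id):
    # Flaw 2: the value is meant to be an integer but is never typed.
    return run(db, "SELECT id FROM articles WHERE published = 1 AND id = %s" % article_id)

def by_title_safe(db, title):
    # Bound parameter: the value travels as data and is never parsed as SQL.
    return run(db, "SELECT id FROM articles WHERE published = 1 AND title = ?", (title,))

def by_id_safe(db, article_id):
    # Enforce the expected type first, then bind the converted value.
    text = str(article_id)
    if not (text.isascii() and text.isdigit()):
        raise ValueError("article id must be a non-negative integer")
    return run(db, "SELECT id FROM articles WHERE published = 1 AND id = ?", (int(text),))

if __name__ == "__main__":
    db = make_db()
    print("unsafe title:", by_title_unsafe(db, TITLE_INPUT))
    print("unsafe id:   ", by_id_unsafe(db, ID_INPUT))
    print("safe title:  ", by_title_safe(db, TITLE_INPUT))
    try:
        by_id_safe(db, ID_INPUT)
    except ValueError as exc:
        print("safe id:      rejected,", exc)
```

In both unsafe functions the `published = 1` restriction is bypassed and the unpublished row is returned; the bound-parameter versions return nothing for the same input or reject it outright.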

The security breach usually emerges on websites that work with syndicated content from other sources. In the case of the Beijing Olympics, Agence France-Presse seems to be the provider of some content that was used in the attack on Indian news website NDTV. Because AFP offers a micro-website with Flash animations and interesting background information on the Olympics, a large number of clients see that content as a means to attract visitors and bring them back to their sites more than once.

The actual information and rich media files don't contain anything that is intrinsically harmful. However, the fact that they are displayed under the AFP brand makes people less wary than usual. If the website that hosts the syndicated content doesn't secure its backend ASP/SQL infrastructure, it is extremely vulnerable to attacks.

"It's important to realize that AFP is not to blame - but if you are syndicating content around the web you might be wise to inform your customers and users of the importance of properly hardening their infrastructure to avoid bringing your company's name into disrepute," said Graham Cluley, senior technology consultant at Sophos, in a blog post. He also warned users to be careful and keep their antivirus running when they visit websites that advertise Olympic-related content.

