Blind SQL injection vulnerability disclosed

Feb 19, 2009 08:41 GMT

The Romanian ethical hacking outfit HackersBlog shames yet another antivirus vendor – Symantec. A SQL injection vulnerability in a section of the Symantec website allows unauthorized access to the database.

Symantec is one of the biggest IT security companies in the world, developing a wide range of products for both home and enterprise consumers. It is a veteran on the antivirus market, its flagship product being Norton Antivirus.

According to “unu,” a Romanian hacker associated with HackersBlog, the Document Download Centre section of the Symantec website contains a poorly sanitized parameter, which facilitates SQL injection attacks. Successful exploitation gives an attacker access to the database.

“The irony of the situation is that it’s done on https, on a login page, a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY,” the hacker, who doesn't specify what sensitive information, if any, is stored in that particular database, notes.

The documented attack is actually a “blind” SQL injection. As opposed to regular SQL injections, such attacks are harder to carry out, because the website does not return useful error information that would give the hacker an idea of how to proceed.

According to the few items of information “unu” has provided, the website runs on an Apache Web server with PHP 5.2.6 and a MySQL 5.0.22 backend. The published screenshots demonstrate how executing SQL commands through URL manipulation alters the content of the page.
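The behaviour described in the screenshots (the page stays intact for AND 1=1 and loses its text for AND 1=2) is what a parameter concatenated into a query produces. The following added example, which is not code from the Symantec site or from HackersBlog, reproduces it on a constructed in-memory SQLite table standing in for the MySQL backend, next to a validated, parameterized version; the table, column and function names are hypothetical.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; the schema is an assumption for illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?)",
                   [(1, "Product datasheet"), (2, "Install guide")])
    return db


def render_vulnerable(db, doc_id):
    # Flaw: the request parameter becomes part of the SQL text, so anything
    # after the number is parsed as an extra condition on the WHERE clause.
    sql = "SELECT title FROM documents WHERE id = " + doc_id
    row = db.execute(sql).fetchone()
    return row[0] if row else ""


def render_parameterized(db, doc_id):
    # Fix: accept only a plain decimal id, then bind it as data.
    if not re.fullmatch(r"[0-9]{1,10}", doc_id):
        return ""
    row = db.execute("SELECT title FROM documents WHERE id = ?",
                     (int(doc_id),)).fetchone()
    return row[0] if row else ""


def compare(db, render):
    """Page body for the normal request and the two boolean variants."""
    return [render(db, p) for p in ("1", "1 AND 1=1", "1 AND 1=2")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", compare(db, render_vulnerable))
    print("parameterized:", compare(db, render_parameterized))
```

With the concatenated query the page differs between the two boolean variants even though no error is shown; with validation and binding both variants are rejected identically, so the page no longer reflects the truth of an injected condition.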

“Unu” claims to have contacted Symantec regarding the problem, or at least attempted to. “[...] On the website there is no contact email address for cases such as this, I’ve sent an email to [email protected] and [email protected]. The email didn’t bounce, so someone must have received it. No answer as of yet,” he writes, while pointing out that more detailed info could be revealed after the company fixes the issue.

During the past two weeks, hackers from the HackersBlog crew have been disclosing various SQL injection vulnerabilities on websites belonging to no fewer than four antivirus vendors: Kaspersky, F-Secure, Bitdefender, and now Symantec. The site operated by the Bitdefender business partner in Portugal has also been compromised by the same group through SQL injection.

Antivirus vendors are not the only targets of the Romanian group of hackers. Yahoo! has also been the subject of attacks from them more than once, while “unu” has just recently disclosed a similar vulnerability on the website of the International Herald Tribune, the global edition of the New York Times.

Note: Read about Symantec's official response on the matter.

Photo captions:

Symantec website compromised through SQL injection
TRUE condition AND 1=1 - Page loads normally
FALSE condition AND 1=2 - Text disappears