Telegraph.co.uk Website Hacked

SQL injection vulnerability compromises subscriber passwords and e-mails

By Lucian Constantin, Web News Editor

7th of March 2009, 12:44 GMT


The Daily Telegraph's website leaks hundreds of thousands of subscriber e-mails
HackersBlog, the Romanian whitehat hacking outfit, has disclosed an SQL injection vulnerability in a section of the telegraph.co.uk website. According to the group, the flaw gives attackers access to over 700,000 e-mail addresses and user passwords.

The Daily Telegraph, also referred to as The Telegraph, is one of the biggest daily newspapers in the UK. It was founded in 1855 and currently has a daily circulation of almost 850,000. The telegraph.co.uk website is home to the online version of The Daily Telegraph and its sister paper, The Sunday Telegraph, and is one of the most popular consumer websites in Britain.

The SQL injection flaw affecting one of the website's sections was discovered by a Romanian self-confessed ethical hacker going by the online handle of "unu" (someone). "Unu" is a member of HackersBlog and has recently disclosed similar vulnerabilities in popular websites belonging to The International Herald, UK's National Lottery, Kaspersky Labs, Bitdefender Antivirus, and Symantec.

According to the evidence published by the hacker, a page of the Telegraph's website that does not properly sanitize its input allows SQL queries to be executed through URL manipulation. These queries can be used to reveal all the databases and information about them.

Telegraph.co.uk database information sample
Telegraph.co.uk subscribers' username and password sample
Telegraph.co.uk newsletter e-mail extraction sample


Information such as the usernames and passwords of the site's members can also be extracted by exploiting the same vulnerability. Even more serious is the fact that the passwords are stored in plain text form instead of being hashed.
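The two weaknesses described above, query text built from a URL parameter and passwords stored in plain text, shown beside their fixes. This is an added example, not code from the Telegraph site or from HackersBlog; the `listings` and `members` tables, the function names and the sample input are hypothetical, and SQLite with PBKDF2 stands in for whatever stack the affected page used.

```python
import hashlib
import hmac
import os
import sqlite3

CRAFTED = "x' OR '1'='1"  # constructed sample of a manipulated URL parameter

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, town TEXT)")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.executemany("INSERT INTO listings (town) VALUES (?)", [("Leeds",), ("York",)])
    return db

def search_vulnerable(db, town):
    # Weak: the parameter is pasted into the SQL text, so a quote in it rewrites the query.
    return db.execute("SELECT id, town FROM listings WHERE town = '" + town + "'").fetchall()

def search_parameterized(db, town):
    # Fixed: the driver binds the value; it is compared as data and never parsed as SQL.
    return db.execute("SELECT id, town FROM listings WHERE town = ?", (town,)).fetchall()

def hash_password(password, salt):
    # Salted, deliberately slow hash: a dumped table no longer hands over usable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(db, username, password):
    salt = os.urandom(16)  # per-user random salt
    db.execute("INSERT INTO members VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))

def verify(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM members WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", search_vulnerable(db, CRAFTED))
    print("parameterized:", search_parameterized(db, CRAFTED))
    register(db, "alice", "correct horse")
    print("login ok:     ", verify(db, "alice", "correct horse"))
```

With the constructed input, the concatenated query returns every row while the parameterized one returns none, and the `members` table holds only a salt and a hash.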

The severity of the security breach doesn't stop here. According to "unu," in one database table he discovered the e-mail addresses of the people subscribed to the website's newsletter. This is "A real treasure for spammers," the hacker claims, because "there [are] quite a bunch of them." One of the published screenshots shows how "unu" successfully extracted the 700,000th e-mail address.

Rik Ferguson, solution architect at antivirus vendor Trend Micro, advises that "if you are a Telegraph subscriber and are concerned about the safety of any other online accounts you may have I would encourage you to change your passwords on those other accounts, and of course on the Telegraph web site."

The date displayed by the affected web page, according to the screenshots, is February 17, 2009, but there is as yet no indication whether the issue has been addressed. According to some accounts, the vulnerable section, which has intentionally been blotted out in the images, has been taken offline. One of the HackersBlog admins would only say that "we will do a full disclosure if the vulnerability isn't patched in useful time or if it's been patched after the admin is contacted."

Note:
We will return with more information as/if it becomes available.

Update: Telegraph.co.uk's Communities Editor, Shane Richmond, announced on his blog that "The main part[s] of our website are not affected, nor are the accounts of My Telegraph users or Telegraph blog commenters."

Mr. Richmond cites Paul Cheesbrough, chief information officer at Telegraph Media Group, who confirms that a partner site, more specifically search.property.telegraph.co.uk, has been affected. The CIO notes that the vulnerable code is two years old and that it's being rewritten. Furthermore, he thanks HackersBlog on behalf of the company for bringing the issue to its attention.


© Copyright 2001-2009 Softpedia
User opinions:


Comment #1 by: Henry on 09 Mar 2009, 09:25 GMT

As far as I know, bitdefender wasn't really affected by these hackers.


Comment #2 by: Lucian Constantin on 09 Mar 2009, 10:44 GMT

Hello Henry,

Thank you for taking the time to comment on this article.

There have been two incidents disclosed by HackersBlog that involved Bitdefender.

The first one regarded a serious SQL injection vulnerability on bitdefender.pt, a website operated by a Bitdefender partner in Portugal. At the time, the website displayed all the branding elements of Bitdefender (name, logo, page layout and products). This attack is described here: http://news.softpedia.com/news/Kaspersky-and-Bitdefender-Websites-Hacked-104038.shtml

The second incident was a less critical SQL injection affecting the news.bitdefender.com website. This site is owned and operated by Bitdefender itself. The attack is described here: http://news.softpedia.com/news/Bitdefender-Hit-Again-By-Romanian-Hackers-104600.shtml

Bitdefender later released the results of its investigation, which are available here: http://news.softpedia.com/news/Bitdefender-Concludes-Investigation-into-Security-Incident-105195.shtml

Please note that even though the company claimed that nothing was exploited, this actually refers to the fact that no sensitive information has been misused and it does not necessarily mean that it couldn't have been.

According to this group's own account - which is available here: http://news.softpedia.com/news/Hackers-of-Kaspersky-Bitdefender-F-Secure-and-Symantec-Speak-Up-105173.shtml - their only intention is to disclose vulnerabilities and successful attacks and not to misuse or publish the sensitive information they might obtain as a result.


Comment #3 by: Kate Day on 09 Mar 2009, 12:41 GMT

This did not affect the main Telegraph site or Telegraph Blogs and My Telegraph accounts. For the full story please see here http://blogs.telegraph.co.uk/shane_richmond/blog/2009/03/09/hackersblog_and_telegraphcouk Thanks.


Comment #4 by: Lucian Constantin on 09 Mar 2009, 14:26 GMT

Hello Kate,

Thank you for bringing this to our attention. We have updated our article to include part of the information that Mr. Shane Richmond made available.
