The Romanian self-proclaimed ethical hacking outfit HackersBlog has disclosed an SQL injection vulnerability in the website of Tiscali UK. The flaw allows for unauthorized access to the database containing the personal and login information of the registered users.
Tiscali is a European Internet service provider headquartered in Italy that also operates in the United Kingdom, Germany and the Czech Republic. In addition to broadband Internet access, the company offers telephone and television services and runs large web portals in each of the mentioned countries.
Tiscali.co.uk is the website operated by the UK branch of Tiscali and offers a wide range of features such as webmail, news, dating, chat, radio, online TV and others. According to the Romanian hacker going by the online handle of "unu," a poorly-sanitized parameter in one of the site's pages allows an attacker to execute SQL queries by manipulating the URL.
"Unu" explains that he has been able to gain access to "login data as well as personal data of the users (username, firstname, surname, company, telephone, regdate, lastlogin, email, password)." In addition, a partial listing of the databases is also disclosed and includes names such as FreeGifts, TiscaliToolkit, blogs and cms_modules. According to the available screenshots, the database engine is MySQL 5.0.22.
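The flaw described above is the classic pattern of a URL parameter being pasted into SQL text. The following is an added example, not code from Tiscali or from HackersBlog: it builds a throwaway SQLite table whose columns mirror those named in the disclosure (with constructed sample rows), implements a lookup the unsafe way beside the parameterised way, and shows that an input which closes the string literal changes the result set of the first but not the second. Table name, sample users and the `demo()` helper are assumptions for illustration.

```python
import sqlite3

# Constructed sample data; column names follow the fields named in the disclosure.
SAMPLE_USERS = [
    ("alice", "Alice", "Example", "alice@example.test"),
    ("bob", "Bob", "Example", "bob@example.test"),
]


def make_db():
    """Create an in-memory database with a small users table (test fixture only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, firstname TEXT, surname TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Interpolates the request parameter into the SQL text (the pattern behind the flaw).

    Because the value becomes part of the statement, a quote character in the input
    changes the query's structure instead of merely its data.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Binds the parameter; the driver passes it as data, never as SQL syntax."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups with a normal value and with a constructed probe value."""
    conn = make_db()
    # Constructed input: closes the string literal and appends a tautology.
    probe = "nobody' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        # With string interpolation the WHERE clause becomes always-true: every row leaks.
        "probe_vulnerable": lookup_vulnerable(conn, probe),
        # With a bound parameter the probe is compared literally against the column: no match.
        "probe_safe": lookup_safe(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The fix is mechanical: every value that originates in the request goes through a bound parameter (or an equivalent prepared statement in the MySQL driver the site would use), and the application's database account is restricted so that even a successful injection cannot enumerate other databases the way the screenshots show.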
This disclosure comes after "unu" recently documented a vulnerability in the website of telecommunications giant British Telecom (BT). The company later maintained that the compromised information was test data located on a server that was not operational. However, Rik Ferguson, solutions architect at antivirus vendor Trend Micro, commented that his personal research revealed that "The information made visible through the compromise is real, valid and belongs to individuals not directly employed by British Telecom."
"Dont [sic.] rush to conclusions and start pointing figers [sic.] before you see the next articles where we will show similar issues with other large telecommunication providers. As we said earlier, we don't take sides, but rather want to show that the above mentioned vulns cand [sic.] be found almost everywhere," "unu" wrote after the BT disclosure. This idea is also reinforced by the group in a short interview given to Mr. Rik Ferguson, in which they state that "Usually, when we find a vuln in a website, we try to show that their competitors can face the same problems."
Note: We have contacted Tiscali regarding this security breach and we will return with more information as it becomes available.