Customer info and product keys exposed

Dec 10, 2009 15:06 GMT  ·  By
Kaspersky's Malaysia and Singapore website hacked through SQL injection

A grey hat hacker has found a critical SQL injection weakness on the official Kaspersky Lab websites in Malaysia and Singapore. Exploiting the vulnerability leads to full compromise of the underlying database, which contains customer information, product keys and other sensitive data.

The attack has been documented by a Romanian hacker calling himself "Unu" ("one" or "someone" in Romanian). The self-confessed security enthusiast specializes in finding SQL injection vulnerabilities on high-profile websites belonging to well-known IT companies, antivirus vendors, banks, media outlets or public institutions.

Unu's rise to fame on the Internet ironically began in February 2009, when he hacked Kaspersky Lab's U.S. support site and gained access to the customer database. Following that highly publicized incident, Kaspersky hired world-renowned database security expert David Litchfield to perform an audit on all websites run by the company.

That investigation must have missed something, because the grey hat just performed a nearly identical hack on Kaspersky's Malaysia and Singapore websites. "Although they are two different domains, databases are identical, being on the same MySQL server," Unu explains on his blog, concluding that this is inappropriate for a company of this size.

The sensitive data contained in this database include personal customer information such as name, username, e-mail, home address, postcode, city, state, country and encrypted password. Almost 13,000 product keys for Kaspersky Antivirus and Kaspersky Internet Security are also available.

However, this attack also reveals serious security oversights that reflect very badly on a company which specializes in security. For one, many MySQL users have % specified in their host field, which means that they can connect to the server from any IP on the Internet. Their encrypted passwords, which can be extracted through this vulnerability, can be easily decrypted, as Unu demonstrates.

The passwords of website administrative accounts are encrypted inside the database, which Unu notes is way better than Symantec's approach, which was caught storing similar passwords in plain text. Unfortunately, these passwords can also be decrypted and one of them is "abc123" (yes, seriously). This password is actually used on four separate admin accounts.
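The two oversights described above (MySQL accounts whose host field is `%`, and trivially weak or shared passwords) are the kind of thing a database owner can audit before an outsider does. The following is an added example written for this article, not code from Unu's blog or from Kaspersky: it audits rows shaped like `SELECT User, Host, Password FROM mysql.user` (the column is `authentication_string` in MySQL 5.7+), flags wildcard hosts, compares each stored hash against a small hypothetical denylist using the MySQL 4.1+ `PASSWORD()` construction, and reports hashes shared between accounts. The sample rows are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def mysql_native_hash(password: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(pw)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Hypothetical denylist for the demonstration; a real audit would use a full wordlist.
WEAK_PASSWORDS = ("abc123", "password", "123456", "admin")

def audit_accounts(rows, weak_passwords=WEAK_PASSWORDS):
    """rows: iterable of (user, host, password_hash) tuples.
    Returns a list of (user, host, finding) tuples; no tuple means no finding."""
    weak_hashes = {mysql_native_hash(p): p for p in weak_passwords}
    by_hash = defaultdict(list)
    findings = []
    for user, host, pw_hash in rows:
        # A bare '%' host accepts connections from any address; '%' inside a
        # pattern (e.g. '10.0.0.%') still accepts a whole range.
        if host == "%":
            findings.append((user, host, "host wildcard: reachable from any address"))
        elif "%" in host:
            findings.append((user, host, f"partial host wildcard: {host}"))
        if pw_hash == "":
            findings.append((user, host, "empty password"))
        elif pw_hash in weak_hashes:
            findings.append((user, host, f"weak password matches denylist entry '{weak_hashes[pw_hash]}'"))
        if pw_hash:
            by_hash[pw_hash].append(f"{user}@{host}")
    # The same hash on several accounts means the same password is reused.
    for pw_hash, accounts in by_hash.items():
        if len(accounts) > 1:
            findings.append(("*", "*", "password shared by " + ", ".join(accounts)))
    return findings

# Constructed sample rows (not data from the incident), hashed with the function above.
SAMPLE_ROWS = [
    ("root", "localhost", mysql_native_hash("L0ng-and-unique-passphrase!")),
    ("webapp", "%", mysql_native_hash("abc123")),
    ("admin_my", "%", mysql_native_hash("abc123")),
    ("admin_sg", "10.0.0.%", mysql_native_hash("abc123")),
    ("backup", "localhost", ""),
]

if __name__ == "__main__":
    for user, host, finding in audit_accounts(SAMPLE_ROWS):
        print(f"{user}@{host}: {finding}")
```

Accounts flagged for a wildcard host are the ones to re-create with a specific host (`RENAME USER 'u'@'%' TO 'u'@'10.0.0.5'`), and a denylist hit means the password should be rotated on every account that shares it.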

Kaspersky's website in Portugal was recently compromised in a similar manner by a different hacker. However, that website was created and maintained by a local business partner, absolving the antivirus vendor of some responsibility for the incident.

Note: We have contacted Kaspersky Lab about this security breach and we will update our article with more information as/if it becomes available. Update: Kaspersky has confirmed this incident. “Yes, the vulnerability did exist, and the hacker contacted us prior to publishing his findings and reported about the vulnerability he had found. The vulnerability was fixed before he made it public,” a spokesperson for the company told us in an e-mail.
