UK's National Lottery Website Vulnerable to SQL Injection

A hacker claims to have gained access to the user database table

By Lucian Constantin, Web News Editor

24th of February 2009, 11:24 GMT

Image caption: The website of the UK National Lottery puts players' privacy at risk
A white-hat hacker claims that the website of UK's National Lottery is open to SQL injection attacks that could endanger the privacy of the registered players. By exploiting an insecure parameter on a page, unauthorized access to the site's database can be obtained.

The http://www.national-lottery.co.uk website is operated by the Camelot Group, which is licensed by the UK Government's National Lottery Commission. The website allows players to register, buy tickets and play the lottery games online.

Upon registering an account on the website, users have to provide their real name, e-mail address, date of birth and home address. Other information, such as a telephone number, can also be supplied, even though it is not mandatory. In the hands of cyber crooks, such details can be more than enough to facilitate identity theft.

"We keep your ticket details safe and secure in your National Lottery Account, so you can view them online whenever you like," reads a note in the site's FAQ section. We can only hope that this account is not the one stored in the database user table, to which the ethical hacker has obtained access.

"Unu" has published two screenshots as evidence of the attack. Even though the details that would allow someone else to exploit the vulnerability are blurred out, the screenshots clearly list the tables of the database as well as the login credentials for the admin account, parts of which have also been intentionally hidden.

Image caption: SQL injection screenshot - database tables
Image caption: SQL injection screenshot - admin account


The website operators note that "We take your security seriously and have invested in what is an industry-wide practice to enable you to operate online with a higher level of trust. This effort, known as 'Extended Validation (EV) SSL' certificates, helps you by providing a visual indication in the Address Bar of supported browsers that an EV SSL certificate is present."

Obviously, this is a welcome security measure, which helps against man-in-the-middle and phishing attacks. However, if someone gains direct access to the database, as in this case, the protection SSL offers on the wire becomes rather meaningless: it secures the connection between the player's browser and the site, not the queries the site itself sends to its database.
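To make the "insecure parameter" point concrete, here is an added example (not code from the article, from HackersBlog or from the lottery site): a request parameter interpolated straight into a SQL statement, beside the parameterised form that the fix consists of, run against a constructed in-memory SQLite table of registration-style records.

```python
# Added example, not code from the article or the site it describes: the
# "insecure parameter" pattern beside its parameterised fix, using sqlite3.
import sqlite3

# Constructed sample rows standing in for the kind of registration data the
# article lists (name, e-mail, home address).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "1 Example Street"),
    ("bob", "bob@example.invalid", "2 Example Street"),
    ("o'brien", "obrien@example.invalid", "3 Example Street"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, address TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    # The parameter becomes part of the SQL text, so a quote character in it
    # changes the statement's structure instead of being compared as data.
    sql = "SELECT username, email, address FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    # The driver sends the value separately from the statement; whatever it
    # contains is only ever compared against the username column.
    sql = "SELECT username, email, address FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    """Run both lookups on a fresh database and return (vulnerable, safe).
    A vulnerable result of None means the interpolated statement failed to
    parse, the database error that application logs show for such input."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vulnerable = None
    return vulnerable, lookup_parameterised(conn, username)

if __name__ == "__main__":
    # A legitimate name with an apostrophe breaks the interpolated query but
    # is handled by the parameterised one; the textbook tautology makes the
    # interpolated query return every row and the parameterised query none.
    for probe in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(probe), compare(probe))
```

The apostrophe case is the one defenders should watch for: a parse error on ordinary input is the same symptom that shows the parameter is being spliced into the query text.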

"Unu" is a member of the Romanian self-proclaimed ethical hacking group known as HackersBlog. The group has recently disclosed SQL injection vulnerabilities in the websites of several antivirus vendors as well as the International Herald Tribune.

To shed light on what impact this vulnerability had on the privacy of the online lottery players, we have contacted the website's administration, at a listed e-mail address, as well as the National Lottery Commission. Keep an eye on this page for an update with their answer.

Update: The National Lottery operator, Camelot Group plc, denies any SQL injection attack against its main website and claims that the privacy of the players has not been compromised.
