A white-hat hacker claims that the website of the UK's National Lottery is open to SQL injection attacks that could endanger the privacy of registered players. By exploiting an insecure parameter on one page, unauthorized access to the site's database can be obtained.
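The article does not say which parameter is affected or what the site's code looks like, so the following is an added illustration of the general flaw it describes, not code from the article, from Camelot or from the lottery site. It assumes a hypothetical `players` table and constructed sample rows; the vulnerable lookup builds SQL by string concatenation, so a crafted value in the query parameter changes the query, while the parameterized version treats the same value as plain data and returns nothing.

```python
import sqlite3

# Constructed sample data standing in for a registration table;
# the real schema of the lottery site is not known.
SAMPLE_PLAYERS = [
    ("alice@example.invalid", "Alice Example", "AB1 2CD"),
    ("bob@example.invalid", "Bob Example", "EF3 4GH"),
    ("carol@example.invalid", "Carol Example", "IJ5 6KL"),
]


def make_db():
    """Create an in-memory database with the constructed players table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (id INTEGER PRIMARY KEY, email TEXT, name TEXT, postcode TEXT)"
    )
    conn.executemany(
        "INSERT INTO players (email, name, postcode) VALUES (?, ?, ?)", SAMPLE_PLAYERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """Insecure pattern: the request parameter is pasted into the SQL text.
    Whatever the client sends becomes part of the statement, so the WHERE
    clause can be rewritten by the caller."""
    query = "SELECT email, name FROM players WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: a bound parameter. The driver sends the value
    separately from the statement, so it can never alter the query shape."""
    return conn.execute(
        "SELECT email, name FROM players WHERE email = ?", (email,)
    ).fetchall()


def compare(conn, value):
    """Return how many rows each lookup yields for the same input value,
    which makes the difference between the two patterns visible."""
    return len(lookup_vulnerable(conn, value)), len(lookup_safe(conn, value))


if __name__ == "__main__":
    db = make_db()
    # A legitimate address: both lookups agree.
    print("legitimate:", compare(db, "alice@example.invalid"))
    # The textbook tautology input: the concatenated query matches every
    # row, the parameterized one matches none because no email equals
    # that literal string.
    print("tautology :", compare(db, "' OR '1'='1"))
```

The screenshots described in the article (table listings and an admin credential) are the typical consequence of the first pattern: once the query shape is attacker-controlled, the same hole that leaks one row can be used to enumerate the schema. Binding parameters, as in `lookup_safe`, removes that class of bug regardless of what the input contains; input filtering alone does not.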
The http://www.national-lottery.co.uk website is operated by the Camelot Group, which is licensed by the UK Government's National Lottery Commission. The website allows players to register, buy tickets and play the lottery games online.
When registering an account on the website, users must provide their real name, e-mail address, date of birth and home address. Other details, such as a telephone number, can also be supplied, although they are not mandatory. In the hands of cyber crooks, such a combination of details can be more than enough to facilitate identity theft.
"We keep your ticket details safe and secure in your National Lottery Account, so you can view them online whenever you like," notes the site's FAQ section. We can only hope that this account is not the one stored in the database user table to which the ethical hacker has obtained access.
"Unu" has published two screenshots as evidence of the attack. Even though the details that would allow someone else to exploit the vulnerability are blurred out, the screenshots clearly list the tables of the database as well as the login credentials for the admin account, parts of which have also been intentionally hidden.