The hacker also explained the dangers hiding behind SQL injection flaws

Feb 29, 2012 14:48 GMT  ·  By

The grey hat known as D35m0nd142 managed to gain unauthorized access to the sites of the United Nations (un.org), Skype (skype.com) and Oracle (oracle.com).

On the official Skype site, the hacker found Blind SQL injection vulnerabilities that allowed him to access their webserver.

“In Skype I've found a lot of Blind SQL Injections. I've written 8 [in the Pastebin document], but probably there are more vulnerabilities,” the hacker told us.

“I've written to the admins because there are a lot of users and a vulnerability like SQL Injection is very very dangerous.”

A similar vulnerability was discovered on Oracle’s community site, theoretically allowing malicious hackers to cause serious damage.

By leveraging an MSSQL injection flaw, he managed to bypass the security protocols implemented by the United Nations site’s administrators.

This is not the first time un.org has been breached; a couple of days ago Team R00tw0rm also claimed to have hacked it. Now, D35m0nd142 has provided a screenshot and leaked information from their servers, publishing some of it on Pastebin.

In each scenario, the hacker says he left the data he accessed unharmed and contacted those responsible for the sites to notify them of the issues.

We’ve asked the grey hat to explain the risks posed by the presence of SQL injection vulnerabilities which, along with cross-site scripting (XSS) flaws, are the most common ones found in commercial websites.

“The SQL Injection in my opinion is the greatest danger online. From a little bug an attacker can steal thousands or millions of usernames, passwords, credit cards,” he said.

“It's incredible. We always talk about this technique, but almost all sites have this vulnerability.”
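The flaw the hacker describes comes down to user input being pasted into the text of a SQL statement. The following is an added illustration, written for this article and not taken from the hacker's Pastebin document or from any of the sites named above: it uses a constructed in-memory SQLite table with made-up users, shows how a concatenated query lets a crafted value change what the statement does, and shows that the same value is harmless when bound as a parameter. The `exists_vulnerable` function models the "blind" case the hacker mentions, where the page reveals only a yes/no answer rather than query results but is still built from the same unsafe query.

```python
import sqlite3

# Constructed sample database for the demonstration; not data from any real site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The value is spliced into the SQL text, so quote characters in it
    # become part of the statement's grammar rather than data.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    # The driver binds the value separately from the statement; the
    # structure of the query is fixed before the input is ever seen.
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def exists_vulnerable(conn, username):
    # "Blind" variant: the caller only learns whether a row matched.
    # The answer still depends on the tampered statement, which is enough
    # to leak information one bit at a time.
    return len(lookup_vulnerable(conn, username)) > 0


def exists_parameterized(conn, username):
    return len(lookup_parameterized(conn, username)) > 0


# Constructed demonstration input: a single quote closes the string
# literal, and the rest is interpreted as SQL in the vulnerable version.
CRAFTED = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_crafted": lookup_vulnerable(conn, CRAFTED),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_crafted": lookup_parameterized(conn, CRAFTED),
        "blind_vulnerable_crafted": exists_vulnerable(conn, CRAFTED),
        "blind_parameterized_crafted": exists_parameterized(conn, CRAFTED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is the same for every database engine: never build statement text from untrusted input; use the driver's placeholder binding (or an ORM that does so) and, as a second layer, run the web application's database account with the least privilege it needs so a flaw that does slip through cannot read every table.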

Last week D35m0nd142 hacked sites belonging to the US Army, the Royal Navy, the US Federal Reserve, MIT, and, for the second time, MySQL.com.

Photo Gallery (3 Images): Vulnerability found on Skype.com; Vulnerability found on Oracle.com; Vulnerability found on UN.org