The company claims that no sensitive information has been accessed

Feb 23, 2009 15:29 GMT  ·  By
Bitdefender claims none of its data has been compromised through SQL injection

Following the disclosure of an alleged SQL injection vulnerability affecting the news.bitdefender.com website, the antivirus vendor has released the results of its internal investigation. The most important thing, according to the company, is that no sensitive data has been compromised.

A white-hat hacker calling himself “unu,” member of the HackersBlog crew, announced the vulnerability in a blog post on February 15. At the time, “unu” claimed that he would refrain from disclosing more information until the company had a chance to fix the problem. The AV vendor confirms that it was notified of the issue on February 14, but says that the problem was addressed by the following day.

In an e-mail to Softpedia, a company spokeswoman points out that, even though the hackers' assessment of "strange behavior" was correct, there was no successful exploitation. In addition, she mentions that the notification, which "unu" claims to have sent by filling in a webmaster contact form on the website, was not received at a webmaster@ e-mail address, but at a commercial support one.

The company maintains that the problem was located in a search module on its website and did not affect the News section itself. The little information that was disclosed, such as the web server and database engine versions, poses no significant security risk, and much of it is publicly available anyway, the Bitdefender representative explains. Version strings are nonetheless the kind of detail an attacker collects while fingerprinting a target, which is why automated SQL injection tools typically pull them first.

Another interesting aspect, according to the investigators, is that while in the Kaspersky attack the hackers used a free vulnerability scanning tool from Acunetix, a different automated tool, sqlmap, was used to detect the flaw in Bitdefender's website. The attackers also route their traffic through Tor when carrying out the attacks, in order to avoid being traced.
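The two paragraphs above describe a search module that leaked the web server and database engine versions to an automated injection tool. The following added example, which is not Bitdefender's code and makes no claim about how its search module was written, shows the pattern such tools look for: a search query built by string concatenation, the UNION payload that turns it into a version probe, and the parameterized form that makes the same payload harmless. The table, article titles and the use of SQLite (with `sqlite_version()` standing in for MySQL's `version()`) are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a news site's search index
# (illustrative only, not Bitdefender's data or schema).
SAMPLE_ARTICLES = [
    ("Bitdefender releases new antivirus build", "Product news"),
    ("Kaspersky support site hit by SQL injection", "Security"),
    ("sqlmap automates SQL injection detection", "Tools"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, section TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (title, section) VALUES (?, ?)", SAMPLE_ARTICLES
    )
    return conn


def search_vulnerable(conn, term):
    """Deliberately vulnerable: the user-supplied term is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Hardened: the term is passed as a bound parameter. Whatever it contains,
    it can only ever be compared as data and cannot change the query's structure."""
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# A UNION-based probe of the kind an injection scanner sends once it has found
# injectable input. 'zzz' ensures the original LIKE matches nothing, so the only
# row that comes back is the one appended by the UNION: the engine's version string.
# The trailing "-- " comments out the closing "%'" of the original query.
# sqlite_version() is the SQLite analogue of MySQL's version() / @@version.
VERSION_PAYLOAD = "zzz' UNION SELECT sqlite_version() -- "


def leaked_version(conn):
    """Run the probe through the vulnerable search and return the leaked version,
    or None if the search did not hand back anything."""
    rows = search_vulnerable(conn, VERSION_PAYLOAD)
    return rows[0] if rows else None


def real_engine_version():
    """The version string the library reports directly, for comparison with the leak."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    db = make_db()
    print("normal search:       ", search_vulnerable(db, "Kaspersky"))
    print("leaked via injection:", leaked_version(db))
    print("same payload, bound: ", search_parameterized(db, VERSION_PAYLOAD))
```

The vulnerable function returns the database version for the injected term while the parameterized one simply finds no article whose title contains the payload text; that difference in behaviour is exactly what an automated scanner uses to confirm an injection point.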

SQL injection vulnerabilities affecting the websites of several antivirus vendors have been disclosed by HackersBlog members during the past few weeks. The most serious one allowed for unauthorized access to a database storing 2,500 customer e-mail addresses and names as well as 25,000 software activation codes for Kaspersky Antivirus. The vulnerability was found in the US Support website of Kaspersky Labs. A similar one was detected on the bitdefender.pt website, which was operated by a partner of the security vendor.