March 27, 2007
Republican presidential front-runner Rudy Giuliani's campaign hurriedly
fixed its official website late Monday to remove a dangerous design flaw
that could have allowed hackers to expose personal information submitted
The vulnerability affecting Giuliani's site,
http://www.JoinRudy2008.com, could have exposed confidential information
stored in the campaign's databases. The website failed to block commands
that can instruct it to improperly display sensitive information, a
popular hacking technique known as "structured query language injection," or SQL injection.
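The flaw the article describes, shown as an added example (not the campaign's code, and not from AP or the researchers quoted): the vulnerable pattern pastes a visitor-supplied value straight into the SQL text, so a quote character lets the visitor end the string literal and append commands of their own; the fixed version binds the value as a query parameter. The tables, names and e-mail addresses are constructed for the demo, and the two payloads are standard textbook ones rather than anything taken from the site.

```python
import sqlite3

# Constructed sample data standing in for the campaign databases the article
# mentions; every table, row, name and e-mail address here is invented.
SUPPORTERS = [
    ("Ann Example", "ann@example.com", "10001"),
    ("Bob Sample", "bob@example.com", "02134"),
    ("Cy Test", "cy@example.com", "90210"),
]
DONATIONS = [
    ("ann@example.com", "4242"),
    ("bob@example.com", "1111"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE supporters (id INTEGER PRIMARY KEY, name TEXT, email TEXT, zip TEXT)"
    )
    conn.execute(
        "CREATE TABLE donations (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO supporters (name, email, zip) VALUES (?, ?, ?)", SUPPORTERS)
    conn.executemany("INSERT INTO donations (email, card_last4) VALUES (?, ?)", DONATIONS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, zip_code):
    """Vulnerable: the user-supplied value is pasted into the SQL text, so a
    quote character lets the caller end the literal and append commands."""
    sql = f"SELECT name, email FROM supporters WHERE zip = '{zip_code}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, zip_code):
    """Fixed: the value is bound as a parameter and is only ever compared
    as data, whatever characters it contains."""
    sql = "SELECT name, email FROM supporters WHERE zip = ?"
    return conn.execute(sql, (zip_code,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and
# dumps the whole table; the second appends a UNION that reads from a table the
# query was never meant to touch. The trailing "--" starts an SQL comment that
# swallows the closing quote the application adds after the value.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT email, card_last4 FROM donations --"


def run_demo():
    """Run both payloads against both query styles and return the rows seen."""
    conn = build_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": sorted(lookup_vulnerable(conn, UNION_DUMP)),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION_DUMP),
        "safe_normal": lookup_safe(conn, "10001"),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {rows}")
```

Against the vulnerable lookup the tautology payload returns every supporter and the UNION payload returns card digits from a table the page never queries; the parameterized lookup returns nothing for either payload and still finds the real ZIP code. Parameter binding is the fix; a "multiple levels of security to detect intrusions" claim like the one quoted below does not substitute for it, because the injected request is a single ordinary-looking HTTP query.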
The campaign fixed the website hours after The Associated Press notified
it about the problem. No personal information was compromised,
spokeswoman Maria Comella said.
"The site has multiple levels of security to detect intrusions and
ensure no user's identity was put at risk," Comella said.
The campaign launched its new site last week. Giuliani described it in
e-mails as "the place where any American can go to learn about my record
and join our campaign" and urged supporters to tell their friends about
campaign "considers your privacy paramount, and we are dedicated to
protecting your privacy on the Internet."
SQL injection vulnerabilities have been implicated in large-scale Web
break-ins. The technique is among the most critical Internet security
vulnerabilities compiled by the SANS Institute, a cybersecurity research
organization, and is the subject of warnings by the U.S. Computer
Emergency Readiness Team, part of the Homeland Security Department.
"Anybody who knows anything about security could have found these
problems in two seconds," said Marc Maiffret of eEye Digital Security
Inc., a researcher who examined Giuliani's website at AP's request.
The Federal Trade Commission sued Guess? Inc. in July 2003 over
allegations it failed to protect consumers' personal and credit
information because the fashion company's website was vulnerable to the
same design flaw. The FTC's rules do not apply to presidential
candidates, only companies, so there was no such legal exposure for the
Giuliani's business firm, Giuliani Partners, offered cybersecurity
consulting services under a partnership with Ernst & Young until about
Copyright 2006 AP DIGITAL