By Dan Goodin in San Francisco
8th February 2009

A security lapse at Kaspersky has exposed a wealth of proprietary
information about the anti-virus provider's products and customers,
according to a blogger, who posted screen shots and other details that
appeared to substantiate the claims.

In a posting made Saturday, the hacker claimed a simple SQL injection
gave access to a database containing "users, activation codes, lists of
bugs, admins, shop, etc." Kaspersky has declined to comment, but two
security experts who reviewed the evidence said the claims appeared

"This looks very real to me," Thomas Ptacek, a researcher at security
provider Matasano, said via instant message a few hours after the post
went live. He pointed to the address bar of one screenshot that showed
usa.kaspersky.com along with the text "concat_ws(0x3a,ver" to the right
of that. "It's a URL that is being used to alter the database request
that's used to generate the page," he added. "One of them can be tricked
into pulling arbitrary data from the database. Game over."

Roger Thompson, chief research officer at competing anti-virus provider
AVG, concurred. "/me feels sorry for Kaspersky," he wrote to El Reg.
"Can't tell for certain, but it looks legit."