By Dan Goodin in San Francisco
1st September 2009
A vulnerability in the website of the UK Parliament appears to be
exposing confidential information, including unencrypted login
credentials, a Romanian hacker wrote on his blog.
The SQL injection vulnerability is on this page, the hacker, who goes by
the moniker Unu, told The Register. By tacking database commands onto
the end of the web address, an attacker gets the site's backend to pass
them to its database as part of a query, tricking the server into
coughing up data that was never intended to be published.
Based on a screen shot included in Unu's post, it appears Parliament's
website has been coerced into divulging log-in credentials for at least
eight accounts. The disclosure is troubling for
First, there's the SQL injection hole itself. In the past, we've
compared such attacks to Jedi mind tricks, in which weak-willed websites
are turned against themselves with the web equivalent of a wave of a
hand and a discreetly made suggestion. There's also the likelihood that
the passwords, because they're being displayed in readable form, are
being stored in the clear rather than as salted hashes. Keeping passwords
in the clear is a big no-no in the world of security: anyone who can read
the table, whether through an injection hole or a stolen backup, walks
away with working credentials. Note that the remedy is a salted, slow
hash such as bcrypt or PBKDF2, not reversible encryption, since a key
kept on the same server is little protection once that server is
compromised.
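The two problems described above, the injectable query and the plaintext password column, are illustrated in the following added example. It is not code from the article, from Unu, or from the Parliament site; the users table, the account names, the passwords and the injection payload are all constructed for the demonstration. An in-memory SQLite database stands in for the site's backend, a numeric id parameter is spliced straight into the query text (the vulnerable path) or bound as a parameter (the safe path), and the passwords are stored either in the clear or as salted PBKDF2 hashes so you can see what an injection dump yields in each case.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000

# Constructed sample accounts: invented for this example, not from the article.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Constructed payload: a value an attacker could append to the id parameter in
# the URL. No quoting is needed because the id is used as a bare number.
INJECTION = "1 UNION SELECT username, password FROM users"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex:digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db(store_hashed):
    """Build the constructed users table, in the clear or hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    for name, pw in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users (username, password) VALUES (?, ?)",
            (name, hash_password(pw) if store_hashed else pw),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The flaw the article describes: the URL value becomes part of the SQL text,
    so a crafted value rewrites the query instead of just supplying a number."""
    sql = "SELECT id, username FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised form: the value is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def dump_via_injection(conn):
    """What the attacker sees when the payload goes through the vulnerable path."""
    return set(lookup_vulnerable(conn, INJECTION))


if __name__ == "__main__":
    print("plaintext store, injected:", dump_via_injection(make_db(False)))
    print("hashed store, injected:   ", dump_via_injection(make_db(True)))
    print("parameterised, injected:  ", lookup_safe(make_db(False), INJECTION))
    print("parameterised, id=1:      ", lookup_safe(make_db(False), "1"))
```

Against the plaintext store the injected query returns every username alongside its readable password, which is the situation the screen shot suggests. Against the hashed store the same injection still works, but what leaks is salt and digest material that has to be brute-forced per account. The parameterised query returns nothing for the payload and the expected row for a legitimate id, because SQLite treats the bound value as a comparison operand rather than as query text.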