By Brenno de Winter
May 18, 2010
(Google Translation from Dutch)
An ordering site for personal OV-chip cards has been shown to leak.
Hackers have long-term access to information of 168,000 passengers. The
SP wants the minister to account for it.
A website meant to entice travelers to buy a personalized smart card
appears to be open. Attackers have obtained the personal data of over
168,000 passengers.
It is a promotional website with which the provinces of Gelderland,
Flevoland and Overijssel want to get people into public transport. On
Experience the OV, people can sign up for coupons, a personalized smart
card or a special trip product for their OV-chip card.
Because of an error in the website, too much information is returned
when incorrect input is given. This makes it possible to communicate
directly with the database. So not only can the information be searched,
but it is also possible to delete, add or change data. This so-called
SQL injection attack is relatively easy to exploit and stems from what
is actually a basic mistake in building a site.
The database holds, in different places, personal information about
individuals who have, for example, requested a personalized smart card.
In total this concerns over 168,000 people, for whom at least the name,
address, birth date, email address and telephone number can be
retrieved. There are also database fields to store numbers and
identification documents, and some tables indicate an agreement for
payment.