Thursday, December 10, 2009
Unu hits Kaspersky a second time with SQL Injection disclosure
In February, Unu went public on HackersBlog and disclosed the SQL Injection flaws he had discovered on Kaspersky’s USA portal. The flaws, which led to complete access to users, activation codes, lists of bugs, admins, shopping, etc., were quickly patched, and Kaspersky was quick to point out that, “despite their attempts, the hackers were unable to gain access to restricted information stored on the website. Claims by the hackers responsible for the attack that they had managed to gain access to user data are untrue.”
In response to those claims, we interviewed Unu shortly after Kaspersky issued them.
“First of all, it starts from a negative premise. It was not about any kind of attack. [This was not] my intention. I am not a thief. I'm just a guy who likes to do security testing, penetration. It’s like any other hobby,” Unu wrote in the e-mail.
“I do not break, I do not delete, I do not change, and I NEVER save anything. In the data that I can access in this way, I just show that it is possible, that the site is vulnerable. That is all. The same thing happened [in the] Kaspersky case. It was about a banal parameter that was not good or not [sanitized enough].”
Now, Unu has disclosed SQL Injection problems in two other Kaspersky portals, which were being hosted by channel partners in Malaysia and in Singapore. According to what was discovered, Unu commented that the vulnerability affected all databases in Southeast Asia. However, Unu told The Tech Herald that the flaws have been patched.
Yet, while the vulnerabilities were fixed, the point is the same. The SQL Injection only worked because user input was not checked. In detailing what he discovered on the two Kaspersky portals, Unu noted that several of the administrator passwords, while encrypted, were weak, and in several cases identical. (In one example he listed an administrator with a password of abc123.) the tech herald