Both Kaspersky and Bitdefender antivirus vendors have been left with red faces by a Romanian hacker who obtained access to the SQL databases of two of their websites. The data stored in the databases includes customer information, e-mails, support tickets, and even activation codes.
A hacker going by the nickname of "unu," meaning "one" in Romanian, has reported on Saturday that he compromised the security of the Kaspersky website in USA. In a posting made on HackersBlog, unu published screenshots as well as a list of the tables found in the site's SQL database.
The hacker explained that he obtained full access to the database through SQL injection. SQL injection is a form of URL manipulation that allows passing SQL commands through a URL. It is usually used by hackers to insert rogue data into the database for various purposes. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," the Romanian writes.
However, unu's intensions were not malicious. According to The Register, he only decided to go public after he sent messages to several Kaspersky official e-mails and got no response. This is also reflected by the evidence he presented, like the malformed URLs being blurred in the screenshots.
Also, he did not publish any customer information, although he claims to have had complete access to it. "This time I will not (for reasons that need no explanation) publish any screenshot with containing personal details or activation code," unu explains.
Kaspersky has partially confirmed the security breach. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," the company claims in a statement.
Tocsixu, one of the admins of HackersBlog, has told The Register that unu hacked the website days before going public, which seems to come into conflict with Kaspersky's account. According to him, the reason why no data has been compromised is only due to the good will of the hacker. "Indeed, no data was compromised from the site because that is not Unu's (our) intention. No sensitive information from the site was stored, legit Kaspersky users can rest assured," he states.
However, after being done with Kaspersky, the hacker turned his attention to another big player on the antivirus market, Bitdefender. In a new post published today, the hacker documents a similar successful SQL injection attack against the website of Bitdefender Portugal. "It seems Kaspersky aren’t the only ones who need to secure their database. Bitdefender has the same problems," unu adds.
He goes on to describe the attack that provided him with access to the database containing administrators' usernames and passwords, the personal details of thousands of customers and sales data. In addition, one table in the database contains a large number of e-mail addresses belonging to people who subscribed to the company's newsletter. "And last a part of the data from the table inscricoes(Newsletter)… thousands of email addresses, candy for possible spammers," the attacker points out.
Like in the case of the Kaspersky incident, unu did not publish any sensitive information and also blacked out the compromising details of the attack in the provided screenshots. Bitdefender has still to confirm and comment on this attack. Stay tuned, we will return with updates if it does.