Australia Zoo, home of the croc hunter otherwise known as Steve Irwin is one of Queensland’s leading tourist attractions. It also attracted the attention of a pentester who has provided CyberWarNews with evidence that the main website for the zoo has been compromised.
The pentester, a Pakistani penetration tester named Touseef Gul, has previously made headlines for bypassing Sucuri. He was also called a vigilante cybersecurity expert after reporting a bug on the Irish website citypost.ie which resulted in the website being offline for many days while they checked the security of the system.
With respect to the Australia Zoo, the bug discovered is a SQL injection via POST. Touseef was able to provide CyberWarNews with a list of the tables and columns from the database. From the data provided to this site, it appears that all staff, users, campaigns, bookings, events and a huge amount of internal information would be accessible via SQL injection.
Touseef has claimed that he contacted the zoo on July 19, 2018 but got no response and saw no evidence that the vulnerability was being addressed. That is when Touseef contacted CyberWarNews, who also reached out to the Zoo’s IT department. As of the time of publication, this site had received no response from the zoo and there is no evidence that they have secured the site.
Touseef also shared various other findings, including a similar one that impacts a Sydney restaurant, and one that impacts a Nigerian university. CyberWarNews is not naming those entities at this time, even though Touseef provided proof, because this site has not yet attempted to notify them so that they can secure their data.