Two Official Kaspersky Websites Hacked

Lucian Constantin reports:

A grey hat hacker has found a critical SQL injection weakness on the official Kaspersky Lab websites in Malaysia and Singapore. Exploiting the vulnerability leads to full compromise of the underlying database, which contains customer information, product keys and other sensitive data.

The attack has been documented by a Romanian hacker calling himself “Unu” (“one” or “someone” in Romanian). The self-confessed security enthusiast specializes in finding SQL injection vulnerabilities on high-profile websites belonging to well known IT companies, antivirus vendors, banks, media outlets or public institutions.

Unu’s rise to fame on the Internet ironically began in February 2009, when he hacked Kaspersky Lab’s U.S. support site and gained access to the customer database. Following that highly publicized incident, Kaspersky hired world-renowned database security expert David Litchfield to perform an audit on all websites run by the company.

That investigation must have missed something, because the grey hat just performed a nearly identical hack on Kaspersky’s Malaysia and Singapore websites. “Although they are two different domains, databases are identical, being on the same MySQL server,” unu explains on his blog, concluding that this is inappropriate for a company of this size.

The sensitive data contained in this database include personal customer information such as name, username, e-mail, home address, postcode, city, state, country and encrypted password. Almost 13,000 product keys for Kaspersky Antivirus and Kaspersky Internet Security are also available.


About the author: Dissent

Comments are closed.