An unidentified hacker announced yesterday that he has managed to gain access to databases used by the usa.kaspersky.com website, giving him access to user accounts, activation codes and possibly personal data about Kaspersky customers.
In a later post, the hacker indicated that no confidential data would be exposed, but he does provide a list of the different tables available in the database as proof of the vulnerability. Judging from the screenshots that were posted, this looks like a simple SQL injection attack, and several people have already noted that this looks credible. As IBM’s security strategist notes:
I hope that Kaspersky administrators fix this vulnerability rather quickly as they no doubt have a large customer base, and it would appear that all those customers are now exposed.
While SQL injections are not uncommon, even for larger websites and even for companies in the security business, this is especially bad news for Kaspersky; almost every single site they operate has been defaced or otherwise fallen victim to attacks over the past few years. Have a look at the entries at zone-h.org if you are interested in specific examples.
According to The Register, Kaspersky has not issued a statement about this yet:
“Given the hour, we are not able available to talk now, but I will work on answers for you to have early tomorrow,” a spokeswoman wrote in an email sent Saturday evening California time, several hours after the post was made.
Update 9-2: Kaspersky has responded:
“On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”
Meanwhile, it looks like Bitdefender is also having its share of SQL injection problems; hackersblog.org has several screenshots showing the results of SQL injection on the Portuguese Bitdefender site.
Update 11-2: Kaspersky has provided more details.