Following the story about the SQL injection vulnerability on Kaspersky’s website, Kaspersky has published a rather detailed account of what happened on their blog. In it, they confirm that there was an issue, and that they don’t think any data was actually exposed through the vulnerability:
After collecting field names the attackers made a few attempts to extract the data from tables. Those queries failed because the attackers specified the wrong database. The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries (UPDATE, INSERT, DELETE…) were logged.
Zero Day has some more details: the vulnerable code is said to have been produced by an external contractor, and somehow was not reviewed before it was put online:
According to Roel Schouwenberg, a senior virus analyst at Kaspersky, the problem occurred in a piece of code written by a subcontractor for the U.S. office that did not go through the standard code review process. The code was in production for approximately 10 days before the attacker discovered the problem, and it was remediated some 5 hours after the detection of the attack. The attackers have claimed that they provided Kaspersky forewarning of the compromise, but it appears the notice came in approximately 1 hour before the attacker went public with the list of the tables on the support database.
To sum it up, the problem was there, but it was detected pretty fast and fixed even faster (some 5 hours after the attack was noticed, according to the account above). It’s good to see that Kaspersky didn’t try to downplay the issue, and that the hackers who found it are also keeping Kaspersky’s competitors alert. It’s also a good reminder never to put code online without review, whether it was produced in-house or by a contractor, especially for these kinds of high-profile targets.
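As an added illustration (not code from the original post, from Kaspersky or from the contractor), the Python/SQLite snippet below reproduces the pattern the quoted account describes: a search form that splices its input into SQL, an injected UNION that reads table and column names out of the catalog, an extraction attempt that fails because it names a database that does not exist, and the parameterised version of the same query that ignores the payload. The schema, the `support` database name and the log excerpt are constructed for the demo; SQLite’s `sqlite_master` stands in for MySQL’s `information_schema`.

```python
import sqlite3

# Constructed sample schema standing in for a support database. It is not
# Kaspersky's schema; every table and column name here is an assumption.
SCHEMA = """
CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, customer_email TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
INSERT INTO tickets VALUES (1, 'Activation problem', 'alice@example.com');
INSERT INTO tickets VALUES (2, 'Update fails', 'bob@example.com');
INSERT INTO users VALUES (1, 'admin', 'not-a-real-hash');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_tickets_vulnerable(conn, term):
    """The bug: the search term is spliced into the SQL text as-is."""
    sql = "SELECT subject FROM tickets WHERE subject LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_tickets_safe(conn, term):
    """The fix: the term travels as a bound parameter, never as SQL."""
    sql = "SELECT subject FROM tickets WHERE subject LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Step 1 of the enumeration: table names from the catalog. The trailing "--"
# comments out the "%'" the application appends after the injected text.
PAYLOAD_TABLES = "' UNION SELECT name FROM sqlite_master WHERE type='table' -- "
# Step 2: the stored CREATE statements, which carry the column names.
PAYLOAD_COLUMNS = "' UNION SELECT sql FROM sqlite_master WHERE type='table' -- "
# Step 3: going for the data, but qualified with a database name that does
# not exist ("support" is an assumed wrong name), as in the failed attempts.
PAYLOAD_WRONG_DB = "' UNION SELECT password_hash FROM support.users -- "


def run_demo():
    """Run all three payloads against both versions and collect the results."""
    conn = build_db()
    out = {}
    out["tables"] = set(search_tickets_vulnerable(conn, PAYLOAD_TABLES))
    out["columns"] = set(search_tickets_vulnerable(conn, PAYLOAD_COLUMNS))
    try:
        search_tickets_vulnerable(conn, PAYLOAD_WRONG_DB)
        out["wrong_db_error"] = None
    except sqlite3.OperationalError as exc:
        out["wrong_db_error"] = str(exc)  # "no such table: support.users"
    # The same payload through the parameterised query matches nothing.
    out["safe"] = search_tickets_safe(conn, PAYLOAD_TABLES)
    return out


# Constructed query-log excerpt, the kind of record the quoted account reasons
# from when it says no data-modifying statements were logged.
SAMPLE_LOG = [
    "SELECT name FROM sqlite_master WHERE type='table'",
    "SELECT sql FROM sqlite_master WHERE type='table'",
    "SELECT password_hash FROM support.users",
    "SELECT subject FROM tickets WHERE subject LIKE '%update%'",
]


def data_modifying_statements(log_lines):
    """Return logged statements whose leading keyword is a write."""
    writes = ("UPDATE", "INSERT", "DELETE", "REPLACE")
    found = []
    for line in log_lines:
        words = line.split()
        if words and words[0].upper() in writes:
            found.append(line)
    return found


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
    print("writes logged:", data_modifying_statements(SAMPLE_LOG))
```

The leading-keyword check in `data_modifying_statements` is only a first pass: it would miss a write hidden behind stacked statements or a stored procedure, so a real review of the logs still has to read the full statement text.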