Kaspersky database exposed
An unidentified hacker announced yesterday that he has managed to gain access to databases used by the usa.kaspersky.com website, allowing him to gain access to user accounts, activation codes and possibly personal data about Kaspersky customers.
In a later post, the hacker indicated that no confidential data would be exposed, but he does provide a list of the different tables available in the database as proof of the vulnerability. Judging from the screenshots that were posted, this looks like a simple SQL injection attack, and several people have already noted that this looks credible. As IBM’s security strategist notes:
I hope that Kaspersky administrators fix this vulnerability rather quickly as they no doubt have a large customer base, and it would appear that all those customers are now exposed.
While SQL injections are not uncommon, even for larger websites and even for companies in the security business, this is especially bad news for Kaspersky; almost every single site they operate has been defaced or otherwise fallen victim to attacks over the past few years. Have a look at the entries at zone-h.org if you are interested in specific examples.
According to The Register, Kaspersky has not issued a statement about this yet:
“Given the hour, we are not able available to talk now, but I will work on answers for you to have early tomorrow,” a spokeswoman wrote in an email sent Saturday evening California time, several hours after the post was made.
Update 9-2: Kaspersky has responded:
“On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”
Meanwhile, it looks like Bitdefender is also having its share of SQL injection problems; hackersblog.org has several screenshots showing the results of SQL injection on the Portuguese Bitdefender site.
Update 11-2: Kaspersky has provided more details.



February 10th, 2009 at 10:23 pm
“The vulnerability wasn’t critical and no data was compromised from the site.”
Doesn’t that first screenshot show root:localhost and the password hash? Seems pretty serious. Assuming this has been secretly known for a while couldn’t the hash have been broken?
If the guy can list the tables can’t he list a select all on the same tables and thus have all data from the compromised DB?
Whitewash? Or perhaps I misunderstood?
February 12th, 2009 at 2:45 pm
I love the fact that Kaspersky denies that they were compromised, when hackersblog clearly shows otherwise. Honesty is the best policy. Maybe Kaspersky should try it out some time.
February 12th, 2009 at 4:25 pm
@hazed: Kaspersky has done the right thing and has provided a detailed response about what happened, see this page: http://securityandthe.net/2009/02/11/updates-about-kaspersky-sql-injection/
April 2nd, 2009 at 4:51 am
I’m already 8 minutes with a Kaspersky update download @ 99% and it has been growing from 10 Mb. to 22,3 Mb. I’m running a virus scan from my second system on my network drives, because who knows??? Can’t be too paranoid.
Half an hour ago Kaspersky shut down spam checking and ran a Windows app “repairing” Kaspersky, rolling back on a number of files. After restart an alert popped up warning about my AV DB being out of date, hence the download.
Now it’s nagging about a restart.
I’m not going to do this until my Avast AV has finished. If I’m still alive tomorrow, I’ll let you know…