WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data exposed (Updated)


Update (Feb 22nd 2009) - We were probably not the only ones unsatisfied with Kaspersky's official press release on the subject. An interesting report on the Kaspersky viruslist blog, written by a member of the investigating team, provides the answers: the data was not secured well, and the hacker was not incapable. The hacker made a mistake in his attack vector and decided not to pursue it further. The data was available to any hacker who was really after it.

I must take my hat off to Kaspersky for this frank analysis, which is very uncommon among companies that have been breached and can really help to highlight the importance of application security.


Update (Feb 13th 2009) - Kaspersky hired David Litchfield, a well known database security expert, to analyze the incident. In their response, Kaspersky point out that no sensitive data was actually compromised in the event. The report states that the hacker, and others following his hints, did try to access sensitive data but did not succeed. The carefully worded report does leave many questions open:


  • Was the data secured well, or were the hackers who tried to access it simply not capable?
  • Was no data exposed at all, or only no "sensitive data", and if the latter, what data was exposed?
  • Did the investigation go back to check that no one had hacked the system prior to the published incident, potentially abusing it while avoiding publication?

A researcher found and exploited a serious SQL injection vulnerability in the US web site of Kaspersky, an anti-virus software vendor, exposing the full customer database. Well, the full database actually, as the exposed list of tables proves. Apparently the vulnerability had existed for some time, and the researcher had informed Kaspersky about it, to no avail, before making it public.


This is another example of how damaging SQL injection is. SQL injection is considered one of the better understood attack vectors: easy to find during a security review and therefore easy to get rid of. However, one of its variants, blind SQL injection, can appear anywhere in the application, not just in the key pages that manage sensitive information, and can still expose the entire database, which makes reviewing the application and fixing it much harder.
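To make the point about blind SQL injection concrete, here is an added example (not code from the Kaspersky site or from this post) showing the defect class beside its fix. The `products` table, the yes/no lookup and the probe inputs are all constructed for illustration; the vulnerable lookup leaks a single bit per request, which is exactly the oracle a blind injection needs, while the fixed one validates the input and passes it as a bound parameter.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table; not the real site's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Anti-Virus"), (2, "Internet Security")])
    return conn


def product_exists_vulnerable(conn, product_id):
    # Defect: the request parameter is spliced into the SQL text, so the
    # caller controls the WHERE clause. The page only answers "found / not
    # found", which is all a blind injection needs to infer data bit by bit.
    sql = "SELECT 1 FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchone() is not None


def product_exists_fixed(conn, product_id):
    # Fix 1: validate the shape of the input before it goes anywhere near SQL.
    try:
        pid = int(product_id)
    except ValueError:
        return False
    # Fix 2: bind the value as a parameter; the driver sends it separately from
    # the query text, so it can never change the statement's structure.
    sql = "SELECT 1 FROM products WHERE id = ?"
    return conn.execute(sql, (pid,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: a non-existent id with a tautology appended.
    probe = "999 OR 1=1"
    print("vulnerable:", product_exists_vulnerable(db, probe))  # True: oracle leaks
    print("fixed:     ", product_exists_fixed(db, probe))       # False: input rejected
```

Note that the vulnerable version answers "yes" for an id that does not exist, which is the tell-tale sign a reviewer can test for on any page that takes an identifier, not only on pages that display sensitive records.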

Attack Method: 
Incident Outcome: