Hacker claims SQL bug on Symantec site

Symantec is the latest company to fall prey to a Romanian hacker who has been finding SQL injection bugs in security sites.

A Romanian hacker who has spent the past few weeks exposing a common, but dangerous, Web programming error on security vendors' Web sites says he's found a SQL injection flaw on Symantec's Web site. But Symantec says it's not a security issue.

Still, Symantec was forced to pull down a section of the company's Web site Thursday after the hacker, going by the name Unu, claimed that he'd found the bug in Symantec's Document Download Center, a password-protected part of the company's site where channel partners can download sales materials for the company's products.

The site hosts marketing materials and Symantec said that no company or customer information was exposed.

"Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability," the company said in a statement Thursday. "It appears that the individual who reported it based the report on an error message."

Symantec representatives were unable to comment in detail on the matter, but at worst, the issue is an embarrassment for Symantec, the world's best-known computer security vendor. "The irony of the situation is that it's done on ... a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY," Unu wrote in his note describing the problem. "What can I say: nice advertising."

In a SQL injection attack, the hacker takes advantage of bugs in Web programs that query SQL databases. The point is to find a way to run commands within the databases and access information that would normally be protected.

These flaws have been used in widespread Web attacks that have allowed criminals to place malicious code on thousands of Web sites over the past year.
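The following is an added example, not part of the original article and not code from any vendor named in it. It uses a hypothetical document lookup over an in-memory SQLite table (table, function names and data are all constructed) to show why a database error triggered by a stray quote means user input is reaching the SQL parser, and how binding the value as a parameter closes that path.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny stand-in for a document catalogue.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER, title TEXT, partner_only INTEGER)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                   [(1, "Public datasheet", 0), (2, "Partner price list", 1)])
    return db

def lookup_vulnerable(db, title):
    # Weak: the input is pasted into the SQL text, so the database parses it as SQL.
    sql = ("SELECT title FROM documents WHERE partner_only = 0 "
           "AND title = '%s' ORDER BY id" % title)
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # Returning the raw error to the client is the "error message" symptom.
        return "DB error: %s" % exc

def lookup_safe(db, title):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    sql = ("SELECT title FROM documents WHERE partner_only = 0 "
           "AND title = ? ORDER BY id")
    return [row[0] for row in db.execute(sql, (title,))]

if __name__ == "__main__":
    db = make_db()
    for value in ("Public datasheet", "O'Brien", "x' OR '1'='1"):
        print(repr(value))
        print("  concatenated:", lookup_vulnerable(db, value))
        print("  parameterized:", lookup_safe(db, value))
```

In the concatenated version a single quote in the input breaks the statement and surfaces a database error, and a crafted value changes the WHERE clause so the restricted row is returned; the parameterized version treats both inputs as plain titles and returns nothing.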

Based on Unu's description of the matter, it's unclear whether he found a legitimate SQL injection flaw, said Robert Hansen, CEO of SecTheory, a Web security consultancy. "He could be absolutely right. This could be SQL injection, but so what," he said. "Maybe [sales materials are] really valuable to an attacker, but I doubt it."

Just over a week ago, Unu found a similar problem in Kaspersky Lab's site, as well as in a partner site for security vendor BitDefender, and in the F-Secure Web site.

The attacks have exposed data that the vendors had wanted to protect, such as customer e-mail addresses, product activation codes and research data, but not financial information.

"While the attack is something we must learn from and points at things we need to improve, it's not the end of the world," wrote F-Secure in a blog posting, commenting on the matter. In the F-Secure attack, the hacker was able to get access to statistics the company keeps on malicious software.


Robert McMillan

IDG News Service