Hacker claims SQL bug on Symantec site

Symantec is the latest company to fall prey to a Romanian hacker who has been finding SQL injection bugs in security sites.

A Romanian hacker who has spent the past few weeks exposing a common, but dangerous, Web programming error on security vendors' Web sites says he's found a SQL injection flaw on Symantec's Web site. But Symantec says it's not a security issue.

Still, Symantec was forced to pull down a section of the company's Web site Thursday after the hacker, going by the name Unu, claimed that he'd found the bug in Symantec's Document Download Center, a password-protected part of the company's site where channel partners can download sales materials for the company's products.

The site hosts marketing materials and Symantec said that no company or customer information was exposed.

"Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability," the company said in a statement Thursday. "It appears that the individual who reported it based the report on an error message."

Symantec representatives were unable to comment in detail on the matter, but at worst, the issue is an embarrassment for Symantec, the world's best-known computer security vendor. "The irony of the situation is that it's done on ... a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY," Unu wrote in his note describing the problem. "What can I say: nice advertising."

In a SQL injection attack, the hacker takes advantage of bugs in Web programs that query SQL databases. The point is to find a way to run commands within the databases and access information that would normally be protected.

These flaws have been used in widespread Web attacks that have allowed criminals to place malicious code on thousands of Web sites over the past year.

Based on Unu's description of the matter, it's unclear whether he found a legitimate SQL injection flaw, said Robert Hansen, CEO of SecTheory, a Web security consultancy. "He could be absolutely right. This could be SQL injection, but so what," he said. "Maybe [sales materials are] really valuable to an attacker, but I doubt it."

Just over a week ago, Unu found a similar problem in Kaspersky Lab's site, as well as in a partner site for security vendor BitDefender, and in the F-Secure Web site.

The attacks have exposed data that the vendors had wanted to protect, such as customer e-mail addresses, product activation codes and research data, but not financial information.

"While the attack is something we must learn from and points at things we need to improve, it's not the end of the world," wrote F-Secure in a blog posting, commenting on the matter. In the F-Secure attack, the hacker was able to get access to statistics the company keeps on malicious software.


Robert McMillan

IDG News Service