
Victims Argue Findings Of Romanian White Hat Hacker Group

Impact of HackersBlog's vulnerability discoveries may be overstated, victims say

The Romanian white hat hackers who have been exposing vulnerabilities in major Websites and databases during the past month aren't always "playing fair" in the penetration testing game, some "victims" say.

The white hat group, which is led by a researcher known only as "unu" and posts its findings on its own HackersBlog.org Website, has exposed SQL injection flaws and other vulnerabilities in several high-profile sites since February, including sites belonging to security vendors Kaspersky, BitDefender, F-Secure, and Symantec, as well as the International Herald Tribune newspaper.

During the past few days, HackersBlog has reported new vulnerabilities in the Websites of U.K. newspaper The Telegraph, as well as on a Website belonging to telecommunications giant BT. In both cases, and as in its previous vulnerability reports, HackersBlog said the group had demonstrated the ability to penetrate back-end databases containing sensitive data.

But two of the most recent "victims" of HackersBlog's attacks said the white hat group is overstating its achievements. In a statement released today, BT said that HackersBlog had succeeded only in penetrating a testing database that contained no live data.

"BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time," the statement said. "When sites are under test, they do not contain live data and are often not included within our secure network until they become operational...Our operational systems have not been affected in any way by this attempt to break through our security."

Symantec also disputed HackersBlog's findings. In a response posted on HackersBlog, the security giant conceded that the page in question was flawed by "inconsistent exception handling," but it rejected unu's assertion that the bug could lead to database access.

"Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective," Symantec said. "The difference in response between valid and injected queries exists because of an inconsistent exception handling routine for language options. We will have the modified page up again soon with better exception handling." In subsequent public statements, Symantec renewed its assertion that no sensitive data had been compromised.
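Symantec's objection is a general one for anyone reporting boolean-based blind SQL injection: a response that changes when you append a quote and a predicate is not, by itself, evidence that the predicate reached the database. Any input validator or exception handler that treats an unusual-looking value differently will produce the same "valid vs. injected" difference. The script below is an added example, not code from the article or from Symantec; it builds two constructed pages over an in-memory SQLite table (a genuinely injectable one, and a parameterised one whose language-option handler errors on anything that is not a two-letter code, which is an assumed model of the behaviour Symantec describes) and shows that a single-comparison check flags both, while a check that requires the response to track the truth value of the predicate flags only the real sink.

```python
"""Telling a real boolean-based blind SQL injection apart from a page that
merely responds differently to malformed input.

Both 'pages' are constructed stand-ins backed by an in-memory SQLite
table (sample data embedded below); they are not any vendor's code.
"""
import sqlite3

CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE strings (lang TEXT, msg TEXT)")
CONN.executemany("INSERT INTO strings VALUES (?, ?)",
                 [("en", "Hello"), ("de", "Hallo"), ("fr", "Bonjour")])


def vulnerable_page(lang: str) -> str:
    """Concatenates the language option into the query: a genuine sink."""
    try:
        row = CONN.execute(
            "SELECT msg FROM strings WHERE lang = '" + lang + "'").fetchone()
    except sqlite3.Error:
        return "ERROR"
    return row[0] if row else "NOT FOUND"


def inconsistent_page(lang: str) -> str:
    """Parameterised query (no injection possible), but any language value
    that is not a two-letter code takes a different exception path.
    This assumed behaviour is what makes a naive 'valid vs injected'
    comparison look like a blind SQLi."""
    if not (len(lang) == 2 and lang.isalpha()):
        return "ERROR"
    row = CONN.execute(
        "SELECT msg FROM strings WHERE lang = ?", (lang,)).fetchone()
    return row[0] if row else "NOT FOUND"


# Two syntactically different true/false predicate pairs; each closes the
# opening quote of the original literal and reuses the page's trailing quote.
PAIRS = [("' AND '1'='1", "' AND '1'='2"),
         ("' AND 'a'<'b", "' AND 'a'>'b")]


def naive_check(page, value: str) -> bool:
    """Flag injection whenever an injected value changes the response.
    This is the comparison that a differing error page can fool."""
    return page(value + PAIRS[0][1]) != page(value)


def confirm_blind_sqli(page, value: str) -> bool:
    """Require the response to track the predicate's truth value: a true
    predicate must leave the page unchanged and a false one must change
    it, for every pair.  An error path that fires on any stray quote
    fails the first condition, so it is not reported as injection."""
    base = page(value)
    for true_tail, false_tail in PAIRS:
        if page(value + true_tail) != base:
            return False
        if page(value + false_tail) == base:
            return False
    return True


if __name__ == "__main__":
    for name, page in (("vulnerable", vulnerable_page),
                       ("inconsistent", inconsistent_page)):
        print(f"{name:12s} naive={naive_check(page, 'de')} "
              f"confirmed={confirm_blind_sqli(page, 'de')}")
```

Running it reports naive=True for both pages but confirmed=True only for the concatenating one. The true-predicate condition is the important half: if a tautology such as `' AND '1'='1` already changes the response, the page is reacting to the characters, not to the SQL, and a data-extraction claim built on that difference will not hold up.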

Other victims of the white hat attacks observed that HackersBlog had not penetrated their primary sites, but had gained access through ancillary sites or third-party connections. The Telegraph, for example, said the hack probed database tables behind one of its partner sites -- search.property.telegraph.co.uk -- and "exposed a weakness in the way that particular site had been coded."

"The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting," said Paul Cheesbrough, CIO of Telegraph Media, in a statement.

None of the victims disputed that HackersBlog had found coding errors in their systems. However, unu's broader claim that such vulnerabilities can readily be found across the Internet's most popular Websites may be overstated, they suggest: in most of the "hacks," the Romanian group actually penetrated ancillary or partner sites, which are typically less well defended than the main site.

Security experts continue to recommend that users potentially affected by the vulnerabilities -- including The Telegraph's 700,000 subscribers -- take the time to change their passwords.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.