The hacker, known only as "unu," posted a blog about an SQL injection vulnerability found on one of Symantec's Websites, the Document Download Center of the Norton Resource Center For Resellers. The flaw "permits access to their databases," unu says, although he did not say which databases or what data is contained in them.
Ironically, the flaw was found on a login page that promotes the Norton line of security products, unu observes.
In a response posted to unu's Website, Symantec concedes that the page is flawed by "inconsistent exception handling," but it rejects unu's assertion that the bug could lead to database access.
"Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective," Symantec says. "The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options. Thanks again for notifying us of the issue. We will have the modified page up again soon with better exception handling."
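Symantec's explanation turns on a point worth making concrete: a page that answers differently to a "true" and a "false" probe is the classic signal of boolean-based blind SQL injection, but the same difference appears when an error path simply echoes or varies with the rejected input. The following Python example is added here to illustrate that distinction; it is not code from Dark Reading, Symantec, or unu, and the table, the `lookup_*` functions and the "echoing error" model of inconsistent exception handling are all constructed assumptions. It places a string-concatenated query beside a parameterized one, adds a control probe that a reviewer would use to separate real injection from noise, and shows that the parameterized version gives identical responses for every probe.

```python
import sqlite3

# Constructed sample data: a small "document download" table standing in for
# the kind of backend the article describes (not Symantec's real schema).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE documents (title TEXT, lang TEXT)")
_conn.executemany("INSERT INTO documents VALUES (?, ?)", [
    ("Reseller Guide", "en"),
    ("Guía del distribuidor", "es"),
])


def lookup_vulnerable(lang):
    """String-concatenated query (the 'before' pattern). Returns the page body."""
    try:
        rows = _conn.execute(
            "SELECT title FROM documents WHERE lang = '" + lang + "'").fetchall()
    except sqlite3.Error:
        return "error"
    return ", ".join(r[0] for r in rows) or "no documents"


def lookup_hardened(lang):
    """Parameterized query: the input can only ever be a literal value."""
    rows = _conn.execute(
        "SELECT title FROM documents WHERE lang = ?", (lang,)).fetchall()
    return ", ".join(r[0] for r in rows) or "no documents"


def lookup_echoing_error(lang):
    """Parameterized, but an inconsistent error path echoes the rejected
    language option back. Hypothetical model of the 'inconsistent exception
    handling' Symantec describes: responses differ without any injection."""
    if lang not in ("en", "es"):
        return "unsupported language option: " + lang
    return lookup_hardened(lang)


# Textbook boolean probes: one true condition and two equally false ones.
TRUE_COND = "en' AND '1'='1"
FALSE_COND = "en' AND '1'='2"
FALSE_COND_2 = "en' AND '1'='3"


def classify(lookup):
    """Differential check a reviewer applies before calling a page injectable.
    Returns 'injectable', 'noise', or 'not injectable'."""
    truthy = lookup(TRUE_COND)
    falsy = lookup(FALSE_COND)
    control = lookup(FALSE_COND_2)
    if truthy == falsy:
        return "not injectable"
    # Two equally false conditions must produce the same page. If they do not,
    # the difference tracks the raw input (an echoing error handler), not the
    # truth value of the query, so the signal is noise.
    if falsy != control:
        return "noise"
    return "injectable"


if __name__ == "__main__":
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("hardened", lookup_hardened),
                     ("echoing error", lookup_echoing_error)]:
        print(f"{name:14s} -> {classify(fn)}")
```

The control probe is the part scanners and casual testers most often skip: without it, `lookup_echoing_error` is indistinguishable from `lookup_vulnerable`, which is exactly the situation the Symantec statement describes. The remediation on both sides is the same regardless of how the test comes out: bind every user-supplied value as a parameter and make the error path return a fixed page that does not vary with the input.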
In a separate blog, unu also claims to have discovered an SQL injection vulnerability in the Website of the International Herald Tribune, the global edition of The New York Times.
"I discovered an unsecured parameter, which allows access to the database," unu says. "Besides the wealth of information in the database, we also found an interesting table containing login details of 161 affiliates, editors, reporters, and other associates of the famed newspaper."
The International Herald Tribune says the vulnerability has been patched, but concedes that some login details were exposed.
Unu says he's targeting other newspapers' Websites for further research.