Impact of HackersBlog's vulnerability discoveries may be overstated, victims say


The Romanian white hat hackers who have been exposing vulnerabilities in major Websites and databases during the past month aren't always "playing fair" in the penetration testing game, some "victims" say.

The white hat group, which is led by a researcher known only as "unu" and posts its findings on its own HackersBlog.org Website, has exposed SQL injection flaws and other vulnerabilities in several high-profile sites since February, including sites belonging to security vendors Kaspersky, BitDefender, F-Secure, and Symantec, as well as the International Herald Tribune newspaper.

During the past few days, HackersBlog has reported new vulnerabilities in the Websites of U.K. newspaper The Telegraph, as well as on a Website belonging to telecommunications giant BT. In both cases, and as in its previous vulnerability reports, HackersBlog said the group had demonstrated the ability to penetrate back-end databases containing sensitive data.

But two of the most recent "victims" of HackersBlog's attacks said the white hat group is overstating its achievements. In a statement released today, BT said that HackersBlog had succeeded only in penetrating a testing database that contained no live data.

"BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time," the statement said. "When sites are under test, they do not contain live data and are often not included within our secure network until they become operational...Our operational systems have not been affected in any way by this attempt to break through our security."

Symantec also protested HackersBlog's findings. In a response posted on HackersBlog, the security giant conceded that the page in question was flawed by "inconsistent exception handling," but it rejected unu's assertion that the bug could lead to database access.

"Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective," Symantec said. "The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options. We will have the modified page up again soon with better exception handling." In subsequent public statements, Symantec renewed its assertion that no sensitive data had been compromised.

Other victims of the white hat attacks observed that HackersBlog had not penetrated their primary sites, but had gained access through ancillary sites or third-party connections. The Telegraph, for example, said the hack probed database tables behind one of its partner sites -- search.property.telegraph.co.uk -- and "exposed a weakness in the way that particular site had been coded."

"The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting," said Paul Cheesbrough, CIO of Telegraph Media, in a statement.

None of the victims disputed the fact that HackersBlog had found coding errors in their systems. However, unu's assertion that vulnerabilities can be broadly found by exploring the Internet's most popular Websites may be overstated, they suggest. In most of the "hacks," the Romanian group actually penetrated ancillary or partner sites, where public defenses are not as strong.

Security experts continue to recommend that users potentially affected by the vulnerabilities -- including The Telegraph's 700,000 subscribers -- take the time to change their passwords.


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
