Looks like Unu has gone and uncovered another major organization vulnerable to SQL Injection - this time it's HSBC Bank in France (previous escapades of Unu include Kaspersky and GameSpot to name but a few).
It's a little hard to verify whether this particular HSBC hack is completely real because there's not enough evidence beyond some screenshots. That said though, Unu has been pretty reliable in the past at identifying SQL Injection vulnerable sites - so it looks probable.
In the case of HSBC France's system being compromised through SQL Injection, it looks like the backend SQL server was vulnerable - which has resulted in full access to the host. For example, Unu's screenshot shows a list of drives and directories on the system.
Even though it appears that extensive access to the database server files is possible, there's something much worse... Unu has presented a screenshot of user credentials along with their login passwords.
It also looks like HSBC France has failed Security-101 best practices and stored passwords in clear text. That's a massive no-no! They should know better. This would get Web application developers fired in many organizations.
Oh, and a cursory inspection of the (poorly) obfuscated screenshot from Unu also indicates that there's no rigor on password selection or enforcement.
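To make the three best-practice points above concrete (parameterized queries so user input cannot alter the SQL, a salted slow hash so no clear-text password is ever stored, and a minimum password policy enforced at registration), here is an added example in Python. It is not code from this post, from Unu, or from HSBC: it uses an in-memory SQLite table constructed for the demonstration, and the policy rules, the PBKDF2 iteration count and the function names are all assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to your hardware and
# latency budget; a higher count slows offline guessing of a leaked hash).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory user store standing in for the real database.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users ("
    " username TEXT PRIMARY KEY,"
    " salt BLOB NOT NULL,"
    " pw_hash BLOB NOT NULL)"
)


def password_meets_policy(password: str) -> bool:
    """Illustrative minimum policy (assumed): length plus three character classes."""
    return (
        len(password) >= 12
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier; the password itself is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register_user(username: str, password: str) -> bool:
    """Enforce the policy, then store only (salt, hash). Returns False on policy failure."""
    if not password_meets_policy(password):
        return False
    salt = os.urandom(SALT_BYTES)
    # The ? placeholders hand values to the driver separately from the SQL text,
    # so quote characters in a username cannot change the statement.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()
    return True


def authenticate(username: str, password: str) -> bool:
    """Parameterized lookup plus constant-time comparison of the derived hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def stored_record(username: str):
    """Return the raw stored row, to show that no clear-text password is in it."""
    return conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    register_user("alice", "Correct-Horse-9")
    print("stored row:", stored_record("alice"))
    print("correct password:", authenticate("alice", "Correct-Horse-9"))
    print("wrong password:", authenticate("alice", "wrong-password"))
```

The point of the `stored_record` helper is the contrast with the screenshot described above: even with read access to the table, what sits in the row is a random salt and a derived hash, not something a login form would accept. A username containing an apostrophe (for example "o'brien") is handled as a plain literal by the placeholder, which is exactly the property string-concatenated queries lack.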
What more could go wrong?
Let's hope that Unu alerted HSBC in advance of his posting and that the SQL Injection vulnerability has been fixed. It'll probably take a little longer to fix the password problems though.
Unu's blog of his most recent HSBC Bank France finding is here.
Sorry to burst your bubble, but if they had MSSQL or Oracle as the backend, it wouldn't have mattered much.
So your statement on MySQL being used on mission critical servers is unrelated.
And he says right on his blog: "The server is mssql and the error does not appear in page, like in mysql"
I've (legally) pentested public-facing banking sites with mysql as a backend before. I'm not surprised this was the type of db server used by hsbc whatsoever.
now RBS WordPay is hacked, full database access...
http://unu1234567.baywords.com/2009/09/10/rbs-wordpay-hacked-full-database-acces/