Security Bytes

May 18 2010   1:42PM GMT

SQL Injection attack used in breach of 168,000 Netherlands travelers



Posted by: Robert Westervelt
Tags:
web application flaws
website vulnerabilities

Attacker gains access to smartcard website revealing customer information.

An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers.

The website offered a coupon for a free trip using the OV smart card system and was set up to promote the new system which is being slowly rolled out throughout the region. According to Webwerld, a tech publication based in the Netherlands, the names, addresses and telephone numbers of individuals who signed up were publicly available as a result of the flaw.

Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the flaw with a SQL injection attack. The hacker told the magazine that he disclosed the flaw publicly because there is no excuse for such simple website mistakes. The website has since been taken offline.

Graham Cluley, a security consultant with UK-based security vendor Sophos, wrote that the hacker apparently had good intentions. It doesn’t appear the data fell into the wrong hands, he said.

In this instance, the hack appears to have been orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some smart part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.

As Cluley points out, secure coding has been a major issue in the last several years. SearchSecurity issued a tip in January on how to prevent and stop SQL injection attacks. The tip is part of our Web Application Security Guide. Websites like the Netherlands smartcard site can start by reducing debugging information, offering fewer details when the Web server experiences an error. That limits what an attacker learns from a failed query, but it does not remove the injection itself; the underlying fix is to keep user input out of the SQL statement by passing it through parameterized queries.
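The two points above, as an added example that is not code from the original post or from the affected site: a coupon-code lookup built by string concatenation beside its parameterized replacement, and an error handler that echoes the database error to the client beside one that returns a generic message. The table, the sample rows and the coupon_code parameter are constructed for this demonstration and are not the real site's schema or data.

```python
import sqlite3

# Constructed sample data standing in for the kind of records the sign-up
# site held (name, address, phone). Not real data.
SAMPLE_TRAVELERS = [
    ("A. de Vries", "Stationsplein 1, Utrecht", "030-0000001", "OV-1001"),
    ("B. Jansen", "Damrak 2, Amsterdam", "020-0000002", "OV-1002"),
    ("C. Bakker", "Coolsingel 3, Rotterdam", "010-0000003", "OV-1003"),
]


def make_db():
    """In-memory SQLite database with a hypothetical travelers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE travelers (name TEXT, address TEXT, phone TEXT, coupon_code TEXT)"
    )
    conn.executemany("INSERT INTO travelers VALUES (?, ?, ?, ?)", SAMPLE_TRAVELERS)
    return conn


def lookup_vulnerable(conn, coupon_code):
    """Query assembled by string concatenation: user input becomes SQL.
    A coupon_code of  ' OR '1'='1  turns the WHERE clause into a tautology
    and returns every row in the table."""
    sql = (
        "SELECT name, address, phone FROM travelers WHERE coupon_code = '"
        + coupon_code
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, coupon_code):
    """Same query with a bound parameter: the input is always a string
    value compared against coupon_code, never parsed as SQL."""
    sql = "SELECT name, address, phone FROM travelers WHERE coupon_code = ?"
    return conn.execute(sql, (coupon_code,)).fetchall()


def handle_request_verbose(conn, coupon_code):
    """Vulnerable lookup plus an error handler that echoes the database
    error text to the client. A single quote breaks the statement, and the
    reply tells the attacker exactly how the query was built."""
    try:
        return {"status": 200, "rows": lookup_vulnerable(conn, coupon_code)}
    except sqlite3.Error as e:
        return {"status": 500, "error": str(e)}  # leaks SQL syntax details


def handle_request_hardened(conn, coupon_code):
    """Parameterized lookup plus a generic client-facing error. Details
    belong in the server log, not in the HTTP response."""
    try:
        return {"status": 200, "rows": lookup_safe(conn, coupon_code)}
    except sqlite3.Error:
        # In a real application: log the exception server-side here.
        return {"status": 500, "error": "internal error"}


def demo():
    """Run both variants against the same injection payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_rows": lookup_vulnerable(conn, tautology),
        "safe_rows": lookup_safe(conn, tautology),
        "verbose_error": handle_request_verbose(conn, "'"),
        "hardened_error": handle_request_hardened(conn, "'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable lookup returning all three constructed rows for the tautology payload while the parameterized lookup returns none, and the verbose handler returning the raw SQLite error for a lone quote while the hardened handler simply finds no match. Note that with bound parameters the quote never reaches the SQL parser, so the hardened path does not even produce an error to suppress.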

In March, a researcher at Core Security Technologies demonstrated a new automated hacking technique that could be used to discover SQL injection flaws. The technique eliminates many of the false positives that slow down bug hunters. The black-box technique was developed by Core researcher Sebastian Cufre.
