Posted by: Robert Westervelt
web application flaws, website vulnerabilities
Attacker gains access to smartcard website revealing customer information.
An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers.
The website offered a coupon for a free trip on the OV smart card system and was set up to promote the new system, which is being rolled out gradually throughout the region. According to Webwereld, a tech publication based in the Netherlands, the names, addresses and telephone numbers of everyone who signed up were publicly accessible as a result of the flaw.
The flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating it with a SQL injection attack. The hacker told the magazine that he went public with the flaw because there is no excuse for simple website mistakes. The website has since been taken offline.
Graham Cluley, a security consultant with UK-based security vendor Sophos, wrote that the hacker apparently had good intentions. It doesn’t appear the data fell into the wrong hands, he said.
In this instance, the hack appears to have been orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some smart part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.
As Cluley points out, secure coding has been a major issue in the last several years. SearchSecurity issued a tip in January on how to prevent and stop SQL injection attacks. The tip is part of our Web Application Security Guide. Websites like the Netherlands smartcard site can start by suppressing debugging output and returning fewer details to the browser when the Web server encounters an error, since a verbose database error message is often what tells an attacker that user input is reaching the query and how the statement is built.
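To make the two points above concrete, here is an added example that is not code from the article, from SearchSecurity's tip, or from the OV site (whose actual stack is not described anywhere on this page). It builds a constructed SQLite table of coupon signups with made-up names, addresses and phone numbers, then looks a coupon up two ways: once with the query text assembled from the user's input, and once with a parameterized query and a fixed error message. The coupon codes, column names and payloads are all assumptions for illustration.

```python
"""
Added example: a coupon lookup written two ways against a constructed
SQLite signup table. The vulnerable version shows how a tautology in the
coupon field returns every signup and how a stray quote produces a raw
database error; the hardened version binds the input as a value and
hides the error text from the client.
"""
import sqlite3

# Constructed sample data; every name, address and number is made up.
SIGNUPS = [
    ("ABC123", "A. de Vries", "Keizersgracht 1, Amsterdam", "020-0000001"),
    ("DEF456", "B. Jansen", "Coolsingel 2, Rotterdam", "010-0000002"),
    ("GHI789", "C. Bakker", "Lange Voorhout 3, Den Haag", "070-0000003"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory signup table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signups "
        "(coupon TEXT PRIMARY KEY, name TEXT, address TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO signups VALUES (?, ?, ?, ?)", SIGNUPS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, coupon: str) -> list:
    """Build the statement by string concatenation.

    The coupon value becomes part of the SQL text, so a quote in the input
    closes the literal and the rest of the input is parsed as SQL.
    """
    sql = (
        "SELECT name, address, phone FROM signups WHERE coupon = '"
        + coupon
        + "'"
    )
    # Any sqlite3 error propagates to the caller (and, in a debug page,
    # to the attacker) with the full statement context.
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, coupon: str) -> list:
    """Parameterized query: the driver binds coupon as a value, never as SQL.

    Database errors are caught and replaced with a fixed message so the
    client learns nothing about the statement or the schema.
    """
    try:
        return conn.execute(
            "SELECT name, address, phone FROM signups WHERE coupon = ?",
            (coupon,),
        ).fetchall()
    except sqlite3.Error:
        # A real application would log the exception server-side here.
        raise ValueError("lookup failed")


def error_shown_to_client_vulnerable(conn: sqlite3.Connection, coupon: str):
    """Return the raw database error text the vulnerable page would leak,
    or None if the query ran without error."""
    try:
        lookup_vulnerable(conn, coupon)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("legit coupon, vulnerable:", lookup_vulnerable(db, "ABC123"))
    print("tautology, vulnerable:   ", lookup_vulnerable(db, tautology))
    print("tautology, hardened:     ", lookup_hardened(db, tautology))
    print("bare quote, vulnerable error:",
          error_shown_to_client_vulnerable(db, "'"))
    print("bare quote, hardened:    ", lookup_hardened(db, "'"))
```

Run stand-alone, the tautology payload returns all three constructed signups from the vulnerable lookup and nothing from the hardened one, and a single quote makes the vulnerable lookup surface an SQLite parse error while the hardened lookup simply finds no row. Binding parameters is the fix; trimming the error page is what keeps the flaw from being trivially discoverable while you ship that fix.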
In March, a researcher at Core Security Technologies demonstrated a new automated hacking technique that could be used to discover SQL injection flaws. The technique eliminates many of the false positives that slow down bug hunters. The black-box technique was developed by Core researcher Sebastian Cufre.