Kaspersky Website Hacked

A simple SQL injection allows hackers to view the contents of all of the critical information of the business, including account activation keys, admin usernames, partner information and lots more.

The Reg has more here:

A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider’s products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims.

In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing “users, activation codes, lists of bugs, admins, shop, etc.”

It claimed that a simple modification of a URL exposed the site’s entire database. “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shot, etc.” The screenshots showed the attack was focused on Kaspersky’s technical support and knowledge base for the Americas.

This breach potentially exposes customer information and could also open Kaspersky’s site to other types of abuse, security experts said.

Since this breach can expose customers and partners, Kaspersky must move quickly to eliminate the vulnerability and then reconcile their accounts to make sure that only legitimate purchases were made.  An attacker could hijack renewals or even force customers or partners to download trojanized versions of the software.

It is understandable that security companies are a big high-value target for hackers.  But failing to apply this sort of application security to an e-commerce portal is something you expect rookies to do.