A hacker claims to have found a SQL injection flaw on Symantec's website.
The Romanian hacker, who is known as Unu and previously exposed a flaw on security vendor Kaspersky's website, said he'd found the bug in Symantec's Document Download Center, a password-protected part of the company's site where channel partners can download sales materials for the company's products.
Symantec said it wasn't security issue and no company or customer information was exposed, but the security firm still pulled down the website.
"Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability," the company said. "It appears that the individual who reported it based the report on an error message."
Symantec representatives were unable to comment in detail on the matter, but at worst, the issue is an embarrassment for Symantec, the world's best-known computer security vendor. "The irony of the situation is that it's done on ... a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY," Unu said his blog. "What can I say: nice advertising."
In a SQL injection attack, the hacker takes advantage of bugs in web programs that query SQL databases. The point is to find a way to run commands within the databases and access information that would normally be protected.
These flaws have been used in widespread web attacks, that have allowed criminals to place malicious code on thousands of websites over the past year.
Based on Unu's description of the matter, it's unclear whether he found a legitimate SQL injection flaw, said Robert Hansen, CEO of SecTheory, a web security consultancy. "He could be absolutely right. This could be SQL injection, but so what," he said. "Maybe [sales materials are] really valuable to an attacker, but I doubt it."
The attacks have exposed data that the vendors had wanted to protect such as customer email addresses, product activation codes and research data, but not financial information.
"While the attack is something we must learn from and points at things we need to improve, it's not the end of the world," F-Secure said in a blog, commenting on the matter. In the F-Secure attack, the hacker was able to get access to statistics the company keeps on malicious software.