Symantec website hosts SQL injection flaw

Site pulled but no personal data exposed

A hacker claims to have found a SQL injection flaw on Symantec's website.

The Romanian hacker, who is known as Unu and previously exposed a flaw on security vendor Kaspersky's website, said he'd found the bug in Symantec's Document Download Center, a password-protected part of the company's site where channel partners can download sales materials for the company's products.

Symantec said it wasn't a security issue and that no company or customer information was exposed, but the security firm still took the site offline.

"Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability," the company said. "It appears that the individual who reported it based the report on an error message."

Symantec representatives were unable to comment in detail on the matter, but at worst the issue is an embarrassment for Symantec, the world's best-known computer security vendor. "The irony of the situation is that it's done on ... a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY," Unu said on his blog. "What can I say: nice advertising."

In a SQL injection attack, the hacker takes advantage of bugs in web applications that build SQL queries from user-supplied input without separating the data from the query itself. The point is to find a way to run commands within the database and access information that would normally be protected, such as records behind a login or data in tables the page was never meant to read.

These flaws have been used in widespread web attacks that have allowed criminals to place malicious code on thousands of websites over the past year.
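The following is an added example, not code from Symantec's site or from Unu's report, that shows the mechanics described above in miniature. It assumes a hypothetical document download portal backed by an in-memory SQLite database with constructed sample rows (the real site's stack and schema are not known from the article). The vulnerable lookup splices the request parameter into the query; the hardened lookup binds it as a parameter. The probe helper also shows why a stray quote is the usual first test and why a database error message reaching the browser, the kind of evidence Symantec said the report rested on, is a strong hint that input is being spliced into SQL, even though the error alone does not prove the data can be read out.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for a partner download portal (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, partner_only INTEGER);
        CREATE TABLE partners (email TEXT, activation_code TEXT);
        INSERT INTO documents VALUES (1, 'Norton AntiVirus 2009 datasheet', 0);
        INSERT INTO documents VALUES (2, 'Norton Internet Security 2009 pricing', 1);
        INSERT INTO partners VALUES ('reseller@example.com', 'ABCD-1234');
    """)
    return conn

def vulnerable_lookup(conn, doc_id):
    """Vulnerable: the request parameter is concatenated straight into the SQL text,
    so the database parses whatever the client sent as part of the query."""
    sql = "SELECT title FROM documents WHERE id = " + doc_id
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, doc_id):
    """Hardened: the parameter is bound, so it is always treated as a value.
    '1 OR 1=1' is compared as a string against the integer id and matches nothing."""
    sql = "SELECT title FROM documents WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (doc_id,))]

def probe(conn, lookup, value):
    """Return ("ok", rows) or ("error", message). A database error surfacing from a
    single stray quote is the classic first signal that input reaches the SQL parser."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as e:
        return ("error", str(e))

if __name__ == "__main__":
    conn = make_db()
    # Step 1: the probe. Vulnerable code leaks a syntax error; safe code just finds nothing.
    print("probe vulnerable:", probe(conn, vulnerable_lookup, "1'"))
    print("probe safe:      ", probe(conn, safe_lookup, "1'"))
    # Step 2: widen the WHERE clause to bypass the intended filter.
    print("vulnerable, tautology:", vulnerable_lookup(conn, "1 OR 1=1"))
    print("safe, tautology:      ", safe_lookup(conn, "1 OR 1=1"))
    # Step 3: UNION in a different table entirely (emails and activation codes,
    # the kind of data the article says the other vendors' sites exposed).
    leak = "0 UNION SELECT email || ':' || activation_code FROM partners"
    print("vulnerable, union:", vulnerable_lookup(conn, leak))
    print("safe, union:      ", safe_lookup(conn, leak))
```

The same split applies on any stack: whether the page is written in PHP against MySQL or ASP against SQL Server, the fix is to bind parameters (or use an ORM that does) rather than to filter characters, and to keep database error text out of responses so that a probe returns a generic error page instead of a parser message.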

Based on Unu's description of the matter, it's unclear whether he found a legitimate SQL injection flaw, said Robert Hansen, CEO of SecTheory, a web security consultancy. "He could be absolutely right. This could be SQL injection, but so what," he said. "Maybe [sales materials are] really valuable to an attacker, but I doubt it."

Just over a week ago, Unu found a similar problem in Kaspersky Lab's site, as well as in a partner site for security vendor BitDefender, and in the F-Secure website.

The attacks exposed data that the vendors had wanted to protect, such as customer email addresses, product activation codes and research data, but not financial information.

"While the attack is something we must learn from and points at things we need to improve, it's not the end of the world," F-Secure said in a blog post commenting on the matter. In the F-Secure attack, the hacker was able to get access to statistics the company keeps on malicious software.
