Leading PC security software maker Kaspersky Lab has made
millions helping consumers and businesses stay safe online, but the
company has evidently struggled to secure its own website, which
was hacked, leaving sensitive information exposed.
The embarrassing incident is the latest in a string of attacks
on Kaspersky websites around the world, raising questions about the
company's security credentials.
In a posting on the website Hackersblog.org, a
hacker published screenshots proving he had used a common technique
called SQL injection to access Kaspersky's database containing
"EVERYTHING: users, activation codes, lists of bugs, admins, shop,
etc".
All it took to access this information was a simple modification
to one of Kaspersky's website URLs.
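The flaw described above is the textbook shape of SQL injection: a value taken from the URL's query string is pasted into the SQL text, so the value can change the structure of the query rather than just its data. The following added example (not code from the article, Kaspersky, or Hackersblog.org) illustrates this with a constructed, hypothetical activation table in an in-memory SQLite database, showing the vulnerable lookup beside the hardened one that validates the parameter's type and binds it as a value.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    """Build a constructed sample database (hypothetical schema, not Kaspersky's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE activations (id INTEGER PRIMARY KEY, email TEXT, code TEXT)"
    )
    conn.executemany(
        "INSERT INTO activations VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "AAAA-1111"),  # constructed sample rows
            (2, "bob@example.com", "BBBB-2222"),
        ],
    )
    return conn


def id_from_url(url):
    """Extract the 'id' query parameter the way a web handler would."""
    params = parse_qs(urlparse(url).query)
    return params.get("id", [""])[0]


def lookup_unsafe(conn, id_param):
    """Vulnerable: the URL parameter is spliced into the SQL text.

    Whatever the parameter contains becomes part of the query itself, so a
    value that is not a plain integer alters which rows the query returns.
    """
    sql = "SELECT email, code FROM activations WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Hardened: validate the parameter's type, then bind it as a value.

    The '?' placeholder sends the value to the database separately from the
    SQL text, so it can never be interpreted as part of the query structure.
    Anything that is not an integer is rejected before a query is built.
    """
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT email, code FROM activations WHERE id = ?", (id_value,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = id_from_url("https://shop.example.com/activation?id=1")
    # A URL whose 'id' parameter is not a single integer (hypothetical request).
    malformed = id_from_url("https://shop.example.com/activation?id=1%20OR%201%3D1")
    print("unsafe, benign   :", lookup_unsafe(db, benign))
    print("unsafe, malformed:", lookup_unsafe(db, malformed))   # returns every row
    print("safe, malformed  :", lookup_safe(db, malformed))     # returns nothing
```

The two functions behave identically for a well-formed request; they diverge only when the parameter is malformed, which is exactly the case a fix has to cover. Binding parameters (or using an ORM that does so) is the mitigation; input validation is a useful second layer, and a web application firewall or request log review can surface the malformed requests the vulnerable version would have accepted.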
"This type of critical flaw can probably be used to usurp
legitimate purchases and renewals of their products - which could
include the linking to malicious and backdoored versions of their
software - thereby infecting those very same customers that were
seeking protection from malware in the first place," said Gunter
Ollmann, chief security strategist at IBM Internet Security
Systems.
The hacker said personal details of customers were also exposed
but these were not published online. In a later post on the
Hackersblog.org site, the hacker clarified that "staff will never
save or keep any confidential data, we just point our fingers to
big websites with security problems".
It is unclear whether other hackers exploited the same website
flaw to steal personal details. However, Kaspersky said in a
statement that the "vulnerability wasn't critical and no data was
compromised from the site".
"A vulnerability was detected on a subsection of the
usa.kaspersky.com domain when a hacker attempted an attack on the
site," Kaspersky said.
"The site was only vulnerable for a very brief period, and upon
detection of the vulnerability we immediately took action to roll
back the subsection of the site and the vulnerability was
eliminated within 30 minutes of detection."
The security lapse is particularly embarrassing for Kaspersky
because it is not the first time its websites have been
exposed.
In July last year, its Malaysian website was defaced by a
Turkish hacker using the same SQL injection technique. However, no
personal details were compromised in that attack.
Furthermore, a Google search for "Kaspersky" on the security
news website Zone-H.org reveals a string of other successful
attacks on Kaspersky websites around the world.