[ISN] UK Parliament website hack exposes shoddy passwords

[InfoSec News <alerts@xxxxxxxxxxxxxxx>]

http://www.theregister.co.uk/2009/09/01/uk_parliament_hacked/

By Dan Goodin in San Francisco
The Register
1st September 2009

A vulnerability in the website of the UK Parliament appears to be 
exposing confidential information, including unencrypted login 
credentials, a Romanian hacker wrote on his blog.

The SQL injection vulnerability is on this page, the hacker, who goes by 
the moniker Unu, told The Register. By tacking database commands onto 
the end of the web address, it's possible to trick the site's backend 
server into coughing up data that was never intended to be published.

Based on a screen shot below, which was included on Unu's post, it 
appears Parliament's website has been coerced into divulging log-in 
credentials for at least eight accounts. The disclosure is troubling for 
several reasons.

First, there's the SQL injection hole itself. In the past, we've 
compared such attacks to Jedi mind tricks, in which weak willed websites 
are turned against themselves with the web-equivalent of a wave of a 
hand and a discreetly made suggestion. There's also the likelihood that 
the passwords, because they're being displayed in readable form, are 
being stored without the use of encryption. Keeping passwords in the 
clear is a big no-no in the world of security.

[...]


________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org