Posted: 11th Mar, 2009 By: MarkJ
The
HackersBlog page has exposed a seriously vulnerability in BT's website that could have allowed hackers the opportunity to steal crucial personal data, including customers login details:
Unu from HackersBlog said: "
We kept on hold the publication of the vulnerable parameter which would allow full access in ALL the databases of the main server, waiting for the issue to be solved. Today, all the vulnerable pages have been taken offline for maintenance and security testing.
A faulty parameter, improperly sanitized opens the vault to the pretious [BT] databases. One can gain access to such ordinary things as personal data, login data, and the like."
More details about the vulnerability can be found at the links below, although there's no evidence that any personal data has actually been stolen, though clearly the opportunity did exist:
http://www.hackersblog.org/2009/03/10/sql-injection-in-bt-dot-com-episode-1/http://www.hackersblog.org/2009/03/10/sql-injection-in-btcom-episode-2/UPDATE 12th March @ 08:06am:A BT spokesman has issued us with the following statement: "BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time. When sites are under test they do not contain live data and are often not included within our secure network until they become operational.
BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests. Where a suspected intrusion has occurred BT will act swiftly to ensure our customer data is not at risk. Our operational systems have not been affected in any way by this attempt to break through our security."