Kaspersky's software might protect you against nasties on the desktop - but it doesn't seem to have done the same for the company's own servers.
A cracker by the name of “unu” has claimed that the website of anti-virus vendor Kaspersky is wide open to attack from SQL injection – and that it's possible to get a complete copy of the site's database containing personal information on the company and its customers.
As reported by The Register on Sunday, the digital miscreant – who posted the results of his attack to the website Hackers Blog – claims that a simple manipulation of the URL on the usa.kaspersky.com domain allowed complete access to the back-end database.
With screenshots to back up his claims, it certainly looks like Kaspersky might have an embarrassing failure to secure its website – made worse by the fact that the company offers a range of security products designed to detect and prevent this sort of intrusion on their customers' servers.
The data at risk includes user information for customers of Kaspersky, details on the company's financials including lists of on-line sales, all support tickets registered on the system – both internal and external – and a list of every activation code the company has ever issued for its products. However, it is not thought that customers' financial data – including credit card details – is stored on the same system.
The flaw is made doubly urgent as it is possible – although not yet confirmed – that a cracker using the information posted on the Hackers Blog site could plant malware in Kaspersky's website: IBM's chief security strategist Gunter Ollmann worries that “this type of critical flaw could probably be used to usurp legitimate purchases and renewals of [Kaspersky's] products – which could include the linking to malicious and backdoored versions of their software.”
Kaspersky has yet to issue a statement on the claimed attack, except to say that it would be looking into the issue as a matter of urgency.
Is this the worst possible advert for the efficacy of Kaspersky's security solutions, or does it simply reveal an embarrassing lack of routine security maintenance at the firm?