Epic Games has confirmed that the Unreal Engine and Unreal Tournament forums, as well as some of its legacy forums, have been compromised in a massive breach affecting over 800,000 users. The attack was carried out on 11 August, allegedly using an SQL injection vulnerability. John Smith, Principal Solution Architect at Veracode, commented below.
John Smith, Principal Solution Architect at Veracode:
“While there have been high levels of discussion around the SQL injection since the high-profile TalkTalk breach last year, we’re continuing to see consumer data exposed by this attack vector. Although having been around for more than a decade and regularly featuring on the OWASP Top 10 list (the widely accepted standard for application security), the SQL injection vulnerability remains worryingly common. In fact, recent Veracode analysis of over 50,000 enterprise applications found that over one in five had at least one SQL injection vulnerability.
“However, organisations can avoid SQL injection with the right care and attention. All organisations must commit to gaining full visibility into their web application perimeter, and run frequent scans on all existing applications, to ensure that they remain protected from the threats that new or updated applications introduce.”