Ubuntu Linux developer Canonical has admitted that the data of 2 million of its forum users has been compromised, following the exploitation of a known SQL injection vulnerability. The flaw was in the ‘Forumrunner’ add-on, which had been left unpatched. User passwords were not breached, but the attacker had access to the usernames, email addresses and IP addresses of the 2 million affected users. Ryan O’Leary, VP Threat Research Centre at WhiteHat Security, commented below.

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:

“SQL injection continues to be an easy avenue for hackers to cause harm or steal information from a database. According to our annual statistics report, around six per cent of websites have at least one SQL injection vulnerability. Six per cent may not seem like a large amount, but consider that six out of every 100 websites you use – that’s a staggeringly large amount – have this particularly nasty vulnerability.

“SQL injection is not the most difficult attack to execute. In fact, it’s one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation. Companies need to run a thorough vulnerability assessment and fix these critical, yet easy-to-exploit, vulnerabilities.”
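To show concretely what the comment above means by "ease of exploitation", here is an added example that is not part of the article and is not Canonical's or the Forumrunner add-on's code. It is a hypothetical forum-style post lookup with a constructed in-memory SQLite database: one handler builds the query by string formatting (the injectable pattern), the other passes the same input as a bound parameter. A single crafted "title" value makes the vulnerable handler return the usernames, email addresses and IPs of every user, exactly the kind of data the breach exposed, while the parameterized handler simply finds no post with that title.

```python
"""Added example (hypothetical forum code, constructed data), not from the article."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a tiny constructed forum database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(
            id INTEGER PRIMARY KEY,
            username TEXT,
            email TEXT,
            last_ip TEXT,
            password_hash TEXT
        );
        INSERT INTO users(username, email, last_ip, password_hash) VALUES
            ('alice', 'alice@example.org', '198.51.100.7',  '$2b$12$constructedhash1'),
            ('bob',   'bob@example.org',   '203.0.113.21',  '$2b$12$constructedhash2');

        CREATE TABLE posts(id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT);
        INSERT INTO posts(user_id, title) VALUES (1, 'Hello'), (2, 'Unity 8 on the desktop?');
        """
    )
    return conn


def find_posts_vulnerable(conn: sqlite3.Connection, title: str) -> list:
    """Injectable: user input is concatenated straight into the SQL text.

    A single quote in `title` closes the string literal, after which the
    attacker controls the rest of the statement.
    """
    sql = f"SELECT id, title FROM posts WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def find_posts_safe(conn: sqlite3.Connection, title: str) -> list:
    """Hardened: the input is bound as a parameter, never parsed as SQL.

    The driver sends the query text and the value separately, so quotes,
    UNIONs and comment markers in `title` are just characters to compare.
    """
    return conn.execute("SELECT id, title FROM posts WHERE title = ?", (title,)).fetchall()


# Constructed attacker input. The vulnerable SELECT returns two columns, so the
# UNION must also select two; the trailing "-- " comments out the closing quote
# that the original query appends.
PAYLOAD = "' UNION ALL SELECT username, email || ' ' || last_ip FROM users -- "


def demo() -> dict:
    """Run both handlers against the same payload and a benign title."""
    conn = make_db()
    return {
        "vulnerable": find_posts_vulnerable(conn, PAYLOAD),
        "safe": find_posts_safe(conn, PAYLOAD),
        "benign": find_posts_safe(conn, "Hello"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable handler returns one row per user, with the username in the `id` column and `email last_ip` in the `title` column; nothing in the application had to be "broken" beyond one unescaped quote. The fix is not to escape the quote but to stop building SQL from strings at all: bound parameters (or an ORM that uses them underneath) remove the attack surface, and that is the change a vulnerability assessment finding like this one should drive.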
