Ubuntu Linux developer Canonical has admitted that the data of 2 million of its forum users has been compromised, following the exploitation of a known SQL vulnerability. The flaw was found in the ‘Forumrunner’ add-on, which was left unpatched. User passwords have not been breached, but the attacker had access to the usernames, email addresses and IPs for the 2 million affected. Ryan O’Leary, VP Threat Research Centre at WhiteHat Security commented below.
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
“SQL injection continues to be an easy avenue for hackers to cause harm or steal information from a database. According to our annual statistics report, around six per cent of websites have at least one SQL injection vulnerability. Six per cent may not seem like a large amount, but consider that six out of every 100 websites you use – that’s a staggeringly large amount – have this particularly nasty vulnerability.
“SQL injection is not the most difficult attack to execute. In fact, it’s one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation. Companies need to run a thorough vulnerability assessment and fix these critical, yet easy-to-exploit, vulnerabilities.”