The Daily Telegraph website hacked
The Romanian group, HackersBlog, has struck again, and this time the target is not an infosec firm. It is the website of the highest-selling national daily newspaper of the United Kingdom, The Daily Telegraph.
The Property section of the website suffered from a serious SQL injection vulnerability, which the group disclosed. The affected section of the website is currently offline:

Figure 1: Telegraph.co.uk's Properties section was taken offline after the compromise
It is interesting to point out that although SQL injection is the most well-understood web application attack, many high-profile websites are still vulnerable to it. The Property section of the telegraph.co.uk website used scripts that did not properly sanitize input variables, which allowed custom SQL queries to be executed by manipulating the SQL query built from that input. The result? Well, the pictures below, released by the group, reveal all:

Figure 2: Database listing
It is very interesting to learn that the website developers did not think about hashing the subscriber passwords and instead chose to store them in plain text:

Figure 3: User passwords dumped in plain text

Figure 4: Email addresses galore
There are a lot of lessons to be learned from this disclosure. For the end-user: do not use a common password.
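For the developer, the two failures described above (input reaching the SQL query unsanitized, and passwords stored in plain text) each have a standard fix. The sketch below is an added example, not code from the Telegraph site or from the group's disclosure; the post does not say what stack the site ran, so Python with SQLite, the table and column names, and the sample data are all assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, town TEXT)")
    db.executemany("INSERT INTO listings (town) VALUES (?)",
                   [("London",), ("Leeds",), ("Bath",)])
    db.execute("CREATE TABLE subscribers "
               "(email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def search_vulnerable(db, town):
    # Input is pasted into the SQL text, so it can rewrite the query itself.
    sql = "SELECT id, town FROM listings WHERE town = '" + town + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, town):
    # Input is bound as a value; it can never become SQL syntax.
    sql = "SELECT id, town FROM listings WHERE town = ?"
    return db.execute(sql, (town,)).fetchall()

def _derive(password, salt):
    # Salted, deliberately slow hash; only this digest is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(db, email, password):
    salt = os.urandom(16)  # unique per subscriber
    db.execute("INSERT INTO subscribers VALUES (?, ?, ?)",
               (email, salt, _derive(password, salt)))

def verify(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM subscribers WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of stored and recomputed digests.
    return hmac.compare_digest(row[1], _derive(password, row[0]))

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed textbook input
    print("concatenated query rows:", len(search_vulnerable(db, crafted)))
    print("parameterized query rows:", len(search_parameterized(db, crafted)))
    register(db, "reader@example.com", "correct horse")
    print("login ok:", verify(db, "reader@example.com", "correct horse"))
```

With hashed storage, a dump of the subscribers table yields salts and digests rather than reusable passwords.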
