Data Protection

MySQL.Com Database Compromised via Blind SQL Injection Vulnerability

Updated with statement from Oracle (03/28/11 1:48 PM EST): Oracle issued the following statement to SecurityWeek on Monday afternoon: “Security is one of Oracle’s greatest priorities. It was recently reported that a number of sites on the MySQL.com domain may have been compromised. Oracle is currently investigating this incident to determine which systems and data may have been affected. We will continue to keep you updated.”

The database behind MySQL.com (the official website of the MySQL database, which is owned by Oracle) has been compromised as a result of a blind SQL injection vulnerability. The incident was initially reported in a post to the Full Disclosure mailing list on Sunday morning, which explained the issue and included a dump of part of the MySQL.com database structure.

Attackers have apparently been able to view the internal databases, tables and passwords. Parts of the database, including password hashes, have been published online, and some of the passwords have already been cracked.

According to the Open Web Application Security Project (OWASP), “When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.”
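The root cause behind this class of bug is untrusted input spliced into query text, so every yes/no answer the application gives becomes a question the attacker gets to phrase. The following constructed illustration (added here; it is not code from the article, from MySQL.com or from Oracle) puts a concatenating lookup beside its parameterized replacement on an in-memory SQLite table with made-up rows, and includes a check a developer can keep as a regression test for the fix:

```python
import sqlite3

# Constructed sample schema and rows; nothing here comes from MySQL.com.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def user_exists_vulnerable(conn, name):
    # Untrusted input is pasted into the SQL text, so the database parses it as SQL.
    # A generic True/False answer is all an attacker needs for blind injection.
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchone()[0] > 0

def user_exists_safe(conn, name):
    # Parameterized query: the value travels separately from the statement and is
    # compared as a literal string, whatever characters it contains.
    row = conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] > 0

# Two inputs that match no real user; they differ only in a harmless appended
# predicate. A correctly parameterized lookup must answer both the same way.
TRUE_PROBE = "zzz' OR '1'='1"
FALSE_PROBE = "zzz' OR '1'='2"

def answer_tracks_injected_predicate(conn, lookup):
    """Regression check for the fix: returns True when the lookup's yes/no answer
    follows the injected predicate instead of the literal name, i.e. when the
    function still acts as a blind-injection oracle."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)

if __name__ == "__main__":
    db = make_db()
    for fn in (user_exists_vulnerable, user_exists_safe):
        print(fn.__name__, "still injectable:", answer_tracks_injected_predicate(db, fn))
```

Running the check in CI on every lookup that touches user input catches the regression the moment someone reintroduces string building.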

There have also been reports that the database for Sun.com has been compromised as a result of the same blind SQL injection vulnerability.

We contacted Oracle on Sunday afternoon for comment but have not received a response yet. (Updated)
