More than 20,000 records were leaked because of a SQL Injection attack.
After it was revealed that Bell Canada had 22,421 user names and passwords, and five valid credit card numbers of affiliated small-business customers posted on the internet at the weekend, security researcher, Troy Hunt, said in a blog that it was “pretty self-evident from the original info leaked by the attackers that SQL injection had played a prominent role in the breach”.
He said that despite this being the number one OWASP flaw, being rated as easy to exploit, having a severe impact and that there may have been SQL credential exposure at some point which would make the whole thing easy, Bell will have more than enough data in their logs to reconstruct the attack and know exactly where it all went wrong.
“The risk could have been discovered in minutes by an automated tool and almost as quickly by even the most junior penetration tester. Nobody tested this system for security vulnerabilities – including Bell – and now they have a very unfortunate blight on their record that will be referenced for years to come,” he said.
Hunt also pointed out on Twitter that logins to Bell Canada was unencrypted. Commenting, Sean Power, security operations manager from DOSarrest Internet Security, said: “Any decent hacker will use a scanner to check out the vulnerabilities in a website, especially on such a high profile website. With the rapid rate that vulnerabilities are discovered, frequent vulnerability scans with a current scanner are vital to ensure that the site remains protected at all times.
“In addition to running scans at least every quarter, it is strongly recommended to run a vulnerability scan on your website after making any moderate or larger updates to your site or infrastructure to ensure that no new vulnerabilities have been introduced.”
