The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against SQL injection flaws.
The ICO pointed to a recent case in which the hotel booking website Worldview Limited was fined £7,500 over a vulnerability on its website that allowed attackers to access the full payment card details of 3,814 customers. According to the ICO, the data was accessed after an attacker exploited a flaw on a page of the Worldview website to reach the company’s customer database.
The weakness had existed on the website since May 2010, and was only uncovered during a routine update on 28th June 2013 after attackers had access to the information for ten days.
Simon Rice, ICO group manager for technology, said that it may come as a surprise that this type of attack is still allowed to occur. “SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable,” he said. “Worldview Limited failed to do this, allowing the card details of over three thousand customers to be compromised.
“Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”
Robert Hansen, vice president of WhiteHat Labs, told IT Security Guru that this is interesting, as computer security is one of the few industries that fines the victims of crimes.
He said: “I fully agree that SQL Injection is preventable, but it’s also extremely prevalent and can exist for months or years undetected, like it did with the Drupal Core SQLi. Is it the fault of every user of Drupal or Drupal itself?
“The reason it often goes unnoticed is because most companies don’t even bother looking for it in the first place, or refuse to do tests against applications that require an authenticated user for fear of damaging their systems. Often they see applications as ancillary to their main company and unrelated enough that they are not worth checking, which is a dangerous assumption if they are on the same network.”
Although SQLi sits at the top of the OWASP Top Ten, WhiteHat Security CTO Jeremiah Grossman said that according to its Sentinel statistics, SQLi doesn’t rank in the top ten as far as “likelihood” goes.
“Currently SQLi stands at number 14, existing in only 5.9 per cent of the sites we currently test,” he said. “This is not to say that SQLi is a solved problem, but it generally afflicts the older secondary and tertiary company websites, not their primaries.”
Hansen said that the problem with fixing flaws like SQLi is that companies often try to do everything by hand. Because manual testing is extremely unscalable, it might take months or years before they get to each application, by which time the environment has changed significantly due to agile development.
He said: “Often SQLi is only identifiable as vulnerable if an attacker has access to source code, which is why source code scanning of open source applications is critical; it ensures that there are no obvious identifiable flaws that lie hidden within the code.
“The fix for SQLi is not difficult, but the willpower, know-how and scale to find the flaw in the first place is often lacking.”
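To show what “the fix is not difficult” means in practice, here is an added example (not code from the article, the ICO or any of the companies quoted) that puts the vulnerable query pattern beside its parameterised fix over a constructed in-memory booking table; the table, column names and sample rows are assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample data standing in for a hotel booking customer table.
# The card_token column is a stand-in for sensitive payment data.
SAMPLE_BOOKINGS = [
    ("BK-1001", "alice@example.com", "tok_4111"),
    ("BK-1002", "bob@example.com", "tok_5500"),
    ("BK-1003", "carol@example.com", "tok_3700"),
]


def build_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT, email TEXT, card_token TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    return conn


def lookup_vulnerable(conn, ref):
    """The pattern behind SQLi: untrusted input spliced into the SQL text.

    Whatever the caller supplies becomes part of the statement itself, so
    the database cannot tell data from query structure.
    """
    sql = "SELECT ref, email FROM bookings WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ref):
    """The fix: the value travels as a bound parameter, never as SQL text.

    The statement is fixed at write time; the driver sends the value
    separately, so it can only ever match a literal booking reference.
    """
    sql = "SELECT ref, email FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def compare(conn, ref):
    """Return how many rows each version discloses for the same input."""
    return len(lookup_vulnerable(conn, ref)), len(lookup_safe(conn, ref))


if __name__ == "__main__":
    db = build_db()
    # A genuine reference: both versions return exactly one row.
    print("legitimate:", compare(db, "BK-1002"))
    # The textbook tautology input: the concatenated query leaks every row,
    # the parameterised query treats it as a reference that does not exist.
    print("tautology:", compare(db, "x' OR '1'='1"))
```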
Chris Eng, vice president of security research at Veracode, said that Veracode does not see the prevalence of SQLi declining significantly.
“As of 2013 we were seeing at least one instance of SQL injection in 32 per cent of all web applications that Veracode scan,” he said.
He said that one problem in many organisations is that even where newer applications are developed with security in mind, through a rigorous development lifecycle, thorough testing and developer education, there can be hundreds of older applications that have never been tested, which still leaves the organisation vulnerable.
Eng said: “I do not believe a £500,000 fine proposed by the ICO will be enough to compel organisations to act to ensure they are protected against SQL injection. This amount is a rounding error to a large organisation, which may have hundreds of applications to secure.”