BitDefender website also leaking [Update]
BitDefender's Portuguese website has been found to be vulnerable to SQL injection attacks. Kaspersky's web site was hacked over the weekend using the technique, and now, the same hacker has found that the Portuguese website of the maker of BitDefender AntiVirus is vulnerable to a similar attack. The hacker, who goes by the name of "unu", has published screenshots of the compromise as evidence of the vulnerability.
In both cases the SQL injection attack involved modifying a URL for pages on the site. The site takes parts of the URL and passes them, unfiltered, into the composition of SQL queries. By modifying the appropriate part of the URL, the intended SQL query can be cut short and the attacker's own SQL run instead, which in turn can reveal information from within the database.
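The mechanism described above, as an added example that is not part of the article or of either site's code: a product lookup that splices a URL parameter straight into the SQL text, beside the hardened version that binds it as a parameter. The table, URL path and parameter name are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed in-memory table standing in for a site database
    (hypothetical schema, not any vendor's or reseller's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", [
        (1, "Antivirus 2009", 1),
        (2, "Internet Security 2009", 1),
        (3, "Unreleased beta", 0),   # must never be shown to a visitor
    ])
    return conn


def product_id_from_url(url):
    """Pull the 'id' parameter out of a URL such as /produtos.php?id=2."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, url):
    """The pattern the article describes: the URL fragment is concatenated
    into the SQL text, so whatever it contains becomes part of the query.
    A value such as '3 OR 1=1' turns the WHERE clause always-true and the
    unpublished row leaks along with everything else."""
    pid = product_id_from_url(url)
    sql = ("SELECT name FROM product WHERE published = 1 AND id = "
           + pid + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, url):
    """Hardened version: the value is validated as an integer and then
    travels as a bound parameter, never as SQL text, so it can only ever be
    compared against the id column."""
    pid = product_id_from_url(url)
    if not pid.isdigit():            # reject anything that is not a plain id
        return []
    rows = conn.execute(
        "SELECT name FROM product WHERE published = 1 AND id = ? ORDER BY id",
        (int(pid),))
    return [row[0] for row in rows]
```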
Update: The website in question is not run by BitDefender. Bitdefender.pt is managed by BitDefender's Portuguese resellers.
- Kaspersky hack: Kaspersky respond, a heise Security report.
- Kaspersky web site reportedly leaky, a heise Security report.