
RBS WorldPay SQL Injection


Royal Bank of Scotland Group might be feeling a bit exposed this afternoon…

RBS WorldPay, a system that processes millions of payments daily, has been compromised. It looks like the database is just dying to give up names, credit card numbers, email addresses, and all sorts of juicy information to whoever asks for it. Unu has a great write-up of the vulnerability, with plenty of juicy screenshots, on his blog.
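The "gives it up to whoever asks" behaviour comes from building a query out of raw request input. The following is an added example, not code from the original post or from Unu's write-up: it uses a throw-away in-memory SQLite table with constructed cardholder rows (no real RBS WorldPay data) and puts the string-concatenated lookup beside the parameterized one, so the difference in what the same input returns is visible. Function and table names are my own.

```python
import sqlite3

# Constructed sample rows standing in for a payment processor's customer
# table; names, addresses and card numbers are made up for this example.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
    ("carol", "carol@example.com", "340000000000009"),
]


def build_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is pasted straight into the statement text, so the
    # input can rewrite the WHERE clause: the class of bug in the article.
    sql = "SELECT name, email, card FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Bound parameter: the value travels separately from the SQL text and is
    # always compared as a literal string, never parsed as SQL.
    sql = "SELECT name, email, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A textbook input that turns the WHERE clause into an always-true condition.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("concatenated :", len(lookup_vulnerable(conn, INJECTED)), "rows")    # 3
    print("parameterized:", len(lookup_parameterized(conn, INJECTED)), "rows") # 0
```

The parameterized version still answers a legitimate lookup (`"alice"` returns one row) but hands back nothing for the malformed name, because there is no longer any path from the request string into the SQL grammar.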

Here is a real kicker for you:

The next picture is awesome, but really, what do we see? In the picture appear the user, host and password in the mysql database, user table. But look well at the first user, webphp, which I have marked. We have % for the host and NOTHING in the password!!! I mean we have a user with a NULL password and % for the host, which means that we can log on to his account on the MySQL server without a password, from any IP.

[Screenshot: RBS_SQLi]
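What Unu spotted in the screenshot is something any DBA can check without a screenshot: list every account in the user table whose password is empty or NULL, and rank the ones whose host is the % wildcard as the worst. This is an added example, not from the original post or from Unu's write-up. It builds a throw-away SQLite copy of the mysql.user columns (User, Host, Password, the names used by MySQL 5.0/5.1 at the time; later MySQL versions store the hash in authentication_string instead) with constructed rows and placeholder hashes, and runs the audit query against it. On a real server the same SELECT would be run against mysql.user by an administrative account.

```python
import sqlite3

# Constructed rows mimicking mysql.user (MySQL 5.0/5.1 column names). The
# hashes are placeholders, not real credentials; only the webphp row copies
# the pattern the article describes (wildcard host, empty password).
SAMPLE_USERS = [
    ("root",   "localhost", "*PLACEHOLDERHASH0000000000000000000000001"),
    ("webphp", "%",         ""),     # any host, empty password
    ("report", "10.0.0.5",  None),   # one host, NULL password
    ("app",    "localhost", "*PLACEHOLDERHASH0000000000000000000000002"),
]

# The audit query itself. Run unchanged against mysql.user on a real
# 5.0/5.1 server; substitute authentication_string for Password on 5.7+.
AUDIT_SQL = """
SELECT User, Host,
       CASE WHEN Host = '%' THEN 'CRITICAL' ELSE 'HIGH' END AS severity
FROM user
WHERE Password IS NULL OR Password = ''
ORDER BY severity, User
"""


def build_user_table():
    """In-memory stand-in for mysql.user populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (User TEXT, Host TEXT, Password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_passwordless_accounts(conn):
    """Return (user, host, severity) for every account with no password.

    An empty or NULL password combined with Host = '%' means anyone who can
    reach the MySQL port can log in as that user from any address, which is
    exactly the webphp situation in the screenshot.
    """
    return conn.execute(AUDIT_SQL).fetchall()


if __name__ == "__main__":
    for user, host, severity in find_passwordless_accounts(build_user_table()):
        print(f"{severity}: '{user}'@'{host}' has no password")
```

The fix for each hit is the obvious one: set a password or drop the account, and narrow the host to the address the application actually connects from. Accounts like the report row here are still a finding even with a single host, since the password is the only thing the host restriction is supposed to complement, not replace.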

There is also some fun poked at Bill Gates which never hurts.

Article Link

Posted on September 10, 2009. Filed under Data Security, Vulnerability.

2 Responses to RBS WorldPay SQL Injection

  1. Brooks

    September 11, 2009 at 12:30 pm

    That’s pretty embarrassing.

    You would think that after the Heartland ordeal and countless other breaches spawned from SQL injection, people might be starting to actually think to defend against this attack (why they wouldn’t have before I have no clue).

    Even if they did try to defend against it and just failed, a NULL password and wildcard host? LOL

  2. Michael Dickey

    September 11, 2009 at 3:16 pm

    All sorts of saddening fail no matter what story they spin or what story is true. Fail…
