RBS WorldPay SQL Injection

Author: Matt Johansen

Royal Bank of Scotland Group might be feeling a bit exposed this afternoon…

RBS WorldPay, a system that processes millions of payments daily, has been compromised. It looks like the database is just dying to give up names, credit card numbers, email addresses, and all sorts of juicy information to whoever asks for it. Unu has a great write-up of the vulnerability, with plenty of juicy screenshots, on his blog.

Here is a real kicker for you:

The next picture is awesome, but really what we see. In the picture appear user, host and password in mysql database, user table. But look well to the first user webphp, surrounded me. We have % to host and NOTHING in the password!!! I mean we have a user password NULL and % to host, that means that we can log on his account, the MySQL server without password, from any IP.

There is also some fun poked at Bill Gates, which never hurts.
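The misconfiguration quoted above (an account with an empty password and % as its host) is something you can audit for on your own MySQL servers. The following is an added example, not taken from this post or from Unu's write-up. It assumes MySQL 5.7 or later; the replacement host `app01.internal.example`, the schema name `appdb` and the password placeholder are hypothetical.

```sql
-- Added example: audit mysql.user for the two problems described in the quote.
-- Assumes MySQL 5.7+; on older servers the hash column is named `Password`
-- instead of `authentication_string`.
SELECT user,
       host,
       plugin,
       (authentication_string IS NULL OR authentication_string = '') AS empty_password,
       (host = '%') AS any_host
FROM mysql.user
WHERE (
        (authentication_string IS NULL OR authentication_string = '')
        -- Socket-authenticated accounts legitimately store no password hash,
        -- so they are excluded to avoid false positives.
        AND plugin NOT IN ('auth_socket', 'unix_socket')
      )
   OR host = '%'
ORDER BY empty_password DESC, any_host DESC, user;

-- Remediation for an account flagged on both counts, using the account
-- name from the quote. Run each step as an administrative user.

-- 1. Give the account a real credential (placeholder, generate your own).
ALTER USER 'webphp'@'%' IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';

-- 2. Pin the account to the application host instead of any IP
--    (hypothetical host name).
RENAME USER 'webphp'@'%' TO 'webphp'@'app01.internal.example';

-- 3. Cut the account back to the application schema only, so that it can no
--    longer read system tables such as mysql.user (hypothetical schema name).
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'webphp'@'app01.internal.example';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webphp'@'app01.internal.example';

-- 4. Confirm the result.
SHOW GRANTS FOR 'webphp'@'app01.internal.example';
```

An empty result from the audit query means no account matches either condition; any row with both flags set to 1 is the exact case the quote describes.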

Comments

2 Responses to “RBS WorldPay SQL Injection”
  1. Brooks says:

    That’s pretty embarrassing.

    You would think that after the Heartland ordeal and countless other breaches spawned from SQL injection, that people might be starting to actually think to defend against this attack (why they wouldn’t have before I have no clue).

    Even if they did try to defend against it and just failed, a NULL password and wildcard host? LOL

  2. All sorts of saddening fail no matter what story they spin or what story is true. Fail…
