The website of the police union wrestled with a vulnerability which, under other login names conforms to and passwords could be captured. The police union was Tuesday already tipped, but knew of the leak until a day later to close it.
Tuesday afternoon was Tweakers.net tipped off about a vulnerability in the website of the Dutch police union, a trade union for employees of the police. It turned out to be possible to press a particular page to a variable, own sql-queries to add. This type of vulnerability known as a sql injection vulnerability, is common.
The police union promised Tweakers.net the leak as quickly as possible to seal. Wednesday morning, when other media all about the security vulnerability published had was the vulnerability, however, still to exist.
A developer who is in command of the police union works, Ron Rutten, claimed the opposite Tweakers.net the problem was solved. “All variables are sanitized with the mysql_real_escape_string function,” says Rutten. That function is designed for variables to clean up before being used in a sql query to be used.
When I was told that the manipulation of sql queries still easily possible – which indicates that the respective function is not used or is used incorrectly – promised the developer to again to the problem to look.
An hour later, the entire website of the police union as a precaution taken offline. This, however, could not prevent a partial dump of the database, with lidmaatschapsnummers, names and passwords on Pastebin appeared.
According to Rutten, it’s going to transfer data from an older database, for a web application that no longer was used. “This application is ever put online and then not be updated anymore,” said Rutten. According to him, it is a database that Tuesday is already offline, it is removed and distinct from the current website. That is not consistent with the assertion of the hacker, who claimed that the vulnerability in the news page could not be found. The vulnerability is according to Rutten, in any case, not in an outdated version of MySQL, as other media reported.
It is unclear who the security vulnerability is discovered and the database dump has been published. According to a source of Tweakers.net is this the work of a hacker who has contact with the computer hacker group’ Anonymous, but the loose connection would have nothing to do.
Image: XKCD