Website of Dirk, Bas and Digros leaks e-mail addresses

The shared website of the supermarket chains Dirk, Bas and Digros inadvertently gave access to the e-mail addresses of newsletter subscribers. Through the same leak, access could also be gained to other sites built by the same web developer.

The site concerned is Lekkerdoen.nl, the joint website of Dirk, Bas and Digros. Via SQL injection, security researcher Ingratefully was able to reach at least 150,000 and possibly as many as roughly 318,000 e-mail addresses, although duplicate addresses may be among them. According to the builder of the website, the company Montani, there were only 50,000.

The login credentials of the admin panel could also be retrieved. The passwords were hashed in the mysql323 format and were therefore easy to recover; the MD5 algorithm has been around for a long time and, using rainbow tables, many hashes can be linked back to plaintext passwords.

One of the captured accounts belonged to the website builder itself. The same combination of username and password was also used on other websites by the same developer, so it was also possible to log in to the Drupal administrator panel of, among others, Fiets.com, Megategel.nl and Displaygigant.nl, and of the site of the builder Montani itself. Among other things, this made it possible to upload files. According to the researcher, it would probably have been possible to upload a PHP shell and perhaps gain root access to the server via an exploit; he did not do so, however.

The leak was in a CMS that Montani had built itself; another website that used the same CMS was therefore also vulnerable. Through that site, around 10,000 e-mail addresses could be accessed. "The problem was investigated and fixed right after your report," says the company's director, Jan Boon. The uniform admin password for all Montani sites has been replaced by separate passwords for each site. Incidentally, only a few hours passed between the notification and the closing of the leak.
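Two of the weaknesses described above, legacy mysql323 password hashes and one admin password shared across every site, can both be spotted from an export of the account tables. The following audit script is an added example, not code from the article or from Montani; the sample rows, site names and hash values in it are constructed, and it assumes the export is available as (site, username, hash) tuples.

```python
import re
from collections import defaultdict

# Constructed sample of rows as they might be exported from several sites'
# account tables (hypothetical values, not data taken from the article).
SAMPLE_ROWS = [
    ("lekkerdoen", "admin", "5d2e19393cc5ef67"),   # 16 hex chars: pre-4.1 (mysql323) hash
    ("fiets",      "admin", "5d2e19393cc5ef67"),   # identical hash on another site -> shared password
    ("megategel",  "admin", "5d2e19393cc5ef67"),
    ("montani",    "editor", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),  # 41-char mysql_native_password
    ("montani",    "guest", ""),                    # empty hash: no password set at all
]

MYSQL323_RE = re.compile(r"^[0-9a-fA-F]{16}$")
MYSQL41_RE = re.compile(r"^\*[0-9A-F]{40}$")

def classify_hash(h):
    """Return the hash scheme implied by the shape of the stored string."""
    if h == "":
        return "empty"
    if MYSQL323_RE.match(h):
        return "mysql323"   # unsalted 64-bit legacy scheme, reversible with rainbow tables
    if MYSQL41_RE.match(h):
        return "mysql41"    # SHA1(SHA1(pw)); still unsalted, but far stronger than mysql323
    return "other"

def audit(rows):
    """Flag weak schemes and the same hash reused across sites or accounts.

    rows: iterable of (site, username, hash). Returns a dict with
    'weak'   -> list of (site, user, scheme) for empty / mysql323 entries,
    'reused' -> list of sets of (site, user) that share one identical hash.
    """
    weak = []
    by_hash = defaultdict(set)
    for site, user, h in rows:
        scheme = classify_hash(h)
        if scheme in ("empty", "mysql323"):
            weak.append((site, user, scheme))
        if h:
            by_hash[h].add((site, user))
    # These schemes are unsalted, so equal passwords give equal hashes: a hash that
    # appears under more than one account means the password is shared between them.
    reused = [accounts for accounts in by_hash.values() if len(accounts) > 1]
    return {"weak": weak, "reused": reused}

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    for site, user, scheme in report["weak"]:
        print(f"WEAK   {site}/{user}: {scheme}")
    for accounts in report["reused"]:
        print("REUSED " + ", ".join(f"{s}/{u}" for s, u in sorted(accounts)))
```

Accounts reported as weak need a rehash under a modern, salted scheme; accounts reported as reused need distinct passwords per site, which is exactly the change Montani says it made.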

Initially, Boon said he would file a police report against the security researcher, but later he said he would 'consider' it. "What he has done is in principle a criminal offence," said Boon. The director admits there was a bug in the software, but added: "If a car is standing there with the engine running, that does not mean you may drive off in it." Security researcher Ingratefully says of the possible report: "A police report for tipping off a data leak? Not again. Apparently you are better off staying blackhat. I don't want to do any damage, but I do want to open the eyes of companies and web developers."

According to another Montani employee, Jan Albert Vroegop, Lekkerdoen.nl is seven years old and the site should actually have been replaced already. "It was developed with a minimal budget and minimal oversight," said Vroegop. "We are now paying the price for that. The module that was hacked was a rush job. Think: conceived yesterday, online tomorrow."

Fergus Hoedeman, ICT director of the Detailresult Group, the company behind the supermarkets, says he cannot confirm that information. He does say he finds it 'fine' that the leak has come to light and has now been resolved.
