Nokia Developer Database Compromised by SQL Injection

Nokia’s Developer site is home to an app submission launchpad, documentation on developing for S40, Windows Phone and MeeGo, as well as the official place to be for conversation on the platforms with their development teams.

Unfortunately, the developer site has fallen victim to a simple SQL injection attack, and part of its internal administration database has been compromised. A portion of that database, containing user names and password hashes along with their respective salts, has been circulated and posted online.

Thankfully, Nokia's security policy has passwords stored as salted hashes rather than in plain text. According to the image above, the vulnerable page is the site's search form, which accepts unsanitized and unfiltered input. Because the search term is spliced directly into the SQL statement the back-end runs, an attacker can enter input that changes the structure of that statement, and whatever is stored in the tables the attacker names comes back in the search output. That can be as harmless as notes or links, but an attacker will usually craft the query to return stored credentials, credit card numbers or other personal information. Salted hashes still have to be guessed offline one candidate at a time, which slows an attacker down but does not protect weak passwords, so affected users should still change theirs.
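As an added illustration (not part of the original post, and not Nokia's code or schema), the snippet below builds a constructed SQLite database with a small documents table and an admin-user table of salted hashes, then runs a search the way the vulnerable form is described, with the term spliced straight into the statement, beside a parameterized version of the same query. The table and column names, the user rows, the payload and the use of SQLite's `||` string concatenation are all assumptions made for the example.

```python
import hashlib
import sqlite3

# Constructed schema for the demo; table and column names are assumptions.
SCHEMA = """
CREATE TABLE docs  (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, salt TEXT);
INSERT INTO docs (title, body) VALUES ('S40 guide',   'Series 40 Java ME notes');
INSERT INTO docs (title, body) VALUES ('MeeGo guide', 'Qt on MeeGo');
"""

# Constructed admin accounts: (username, password, salt). Passwords are never stored.
SAMPLE_USERS = [("admin", "hunter2", "a1b2"), ("editor", "letmein", "c3d4")]


def salted_hash(password: str, salt: str) -> str:
    """Salted hash as the article describes: only hash and salt are kept in the table."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def connect() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (username, pw_hash, salt) VALUES (?, ?, ?)",
        [(u, salted_hash(p, s), s) for u, p, s in SAMPLE_USERS],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str):
    """The flaw the article describes: the search term is concatenated into the SQL."""
    sql = "SELECT title, body FROM docs WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str):
    """Same query with a bound parameter: the term can never alter the statement."""
    sql = "SELECT title, body FROM docs WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed UNION payload: closes the open string literal, appends a SELECT over the
# users table with the same column count (2), and comments out the trailing "%'".
PAYLOAD = "x' UNION SELECT username, pw_hash || ':' || salt FROM users -- "


def demo():
    """Return what the attacker gets from each version of the search for the payload."""
    conn = connect()
    leaked = sorted(search_vulnerable(conn, PAYLOAD))   # rows of (username, hash:salt)
    blocked = search_safe(conn, PAYLOAD)                 # just a LIKE match, finds nothing
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    for username, hash_and_salt in leaked:
        print("leaked:", username, hash_and_salt)
    print("parameterized query returned:", blocked)
```

The bound parameter stops the input from being parsed as SQL, so the payload is treated as a literal search term and matches nothing. Note that `%` and `_` inside a term still act as `LIKE` wildcards even in the safe version; that is a matching quirk rather than an injection, and can be handled separately with an `ESCAPE` clause if it matters.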

Exactly how much information was taken from the database is unknown, but at least 11 accounts have had their password hashes posted online.

The folks who head the Nokia Developer page have been notified of the breach, and hopefully they are scrambling to close the currently known hole and will then task a team to go through all of their public-facing pages and lock them down against the same class of flaw.