Nokia Developer Database Compromised by SQL Injection

Nokia’s Developer site is home to an app submission launchpad, documentation on developing for S40, Windows Phone and MeeGo, as well as the official place to be for conversation on the platforms with their development teams.

Unfortunately, the developer page has been the target and victim of a simple SQL injection attack. Part of the internal administration database has been compromised. A portion of the database containing user names and password hashes (along with their respective salts) has been circulated and posted online.

Thankfully, Nokia hashes passwords as part of its security policy, and no plain-text passwords are stored. According to the above image, the vulnerable page is the search form, which accepts unsanitized, unfiltered input. An attacker enters a query that the back-end processes as an SQL statement, and any information stored in the tables the attacker requests is returned as output. This can be simple notes or links, but an attacker will often craft a query to return stored credentials, credit card details or other personal information.
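The failure mode described above, shown as an added example (not code from Nokia's site or from the original post): a search handler that concatenates input into SQL, next to the parameterized form that closes the hole. The table names, sample rows and the search string are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for a site with a search form."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE docs  (title TEXT, url TEXT);
        CREATE TABLE users (username TEXT, salt TEXT, pw_hash TEXT);
        INSERT INTO docs  VALUES ('S40 SDK guide', '/docs/s40'),
                                 ('MeeGo porting notes', '/docs/meego');
        INSERT INTO users VALUES ('alice', 'c0ffee', 'constructed-hash-1'),
                                 ('bob',   'decade', 'constructed-hash-2');
    """)
    return conn

def search_vulnerable(conn, term):
    # Weak pattern: user input is pasted into the SQL text, so a quote
    # character in `term` ends the string literal and the rest runs as SQL.
    sql = "SELECT title, url FROM docs WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Fixed pattern: the statement text is constant and `term` is bound as data.
    # LIKE wildcards in the input are escaped so they only match literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT title, url FROM docs WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()

# Constructed search-box input that appends a second SELECT to the query.
INJECTED = "zzz' UNION SELECT username, pw_hash FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print("normal    :", search_safe(conn, "MeeGo"))
    print("vulnerable:", search_vulnerable(conn, INJECTED))  # rows from users
    print("safe      :", search_safe(conn, INJECTED))        # no rows
```

With the bound parameter, the same input is just a search term that matches no document title, so the users table is never read.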

Exactly how much information was taken from the database is unknown, but at least 11 accounts have had their password hashes posted online.

The folks who head the Nokia Developer page have been notified of the breach and hopefully they are scrambling to close the current known hole and then tasking a team to search through all of their public facing pages and lock them down.

Sony Europe Website Hacked

A “gray hat hacker” known as “idahc”, who self-identifies as a Lebanese hacker, managed to hack Sony Europe’s Application Store database and posted the information on the Internet.

The hacker claims to have used a simple SQL injection to gain access to credentials for 129 user accounts, including username, password and email.

Here is proof of the hack, shared by The Hacker News:

Idahc (18), a computer enthusiast, says that he’s bored and is keen to play the game of the year: “Hacker vs Sony”.

He states in an interview:

I think Sony did not have a team of computer security consultants, simply. They produce Internal Sites like hotcakes. The databases are not protected. No encryption. They have much, but then a lot of servers, websites, which means there will always be flawed. Nothing is 100% secure.

A few days back, Sony Pictures was hacked by LulzSec, which gained access to the information in over 1 million user accounts. Sony has contacted the U.S. Federal Bureau of Investigation, and they are working together to track down the hackers.

Sony Europe’s website is currently down for “scheduled maintenance”.