A security lapse at Kaspersky has exposed a wealth of proprietary
information about the anti-virus provider's products and customers,
according to a blogger, who posted screen shots and other details that
appeared to substantiate the claims.
In a posting
made Saturday, the hacker claimed a simple SQL injection gave access to
a database containing "users, activation codes, lists of bugs, admins,
shop, etc." Kaspersky has declined to comment, but two security experts
who reviewed the evidence said the claims appeared convincing.
"This looks very real to me," Thomas Ptacek, a researcher at
security provider Matasano said via instant message a few hours after
the post went live. He pointed to the address bar of one screenshot
that showed usa.kaspersky.com along with the text "concat_ws(0x3a,ver"
to the right of that. "It's a URL that is being used to alter the
database request that's used to generate the page," he added. "One of
them can be tricked into pulling arbitrary data from the database. Game
over."
Read more: http://www.theregister.co.uk/2009/02/08/kaspersky_compromise_report/