CGISecurity Logo

F-Secure Hacked Via XSS, SQL injection

"A Romanian hacker site said on Wednesday it was able to
breach the website of Helsinki-based security firm F-Secure just as it
had gained access to the sites of two other security companies earlier
in the week.

F-Secure is "vulnerable to SQL
Injection
plus Cross Site Scripting," an entry on the HackersBlog site
said. "Fortunately, F-Secure doesn't leak sensitive data, just some
statistics regarding past virus activity."

An
F-Secure spokesman said the company had taken the affected server down
and that it was a low-level server that was not critical to the company
and had no sensitive or customer data on it, just statistical data for
marketing purposes.

"It is slightly embarrassing as a
security company that we have had the breach," David Frazer, a
spokesman in F-Secure's San Jose, California office, said in a phone
interview. "We certainly, as a security company, want to ensure that
all of our servers are patched to the levels that they should be."

HackersBlog publicised on its site that it had breached the US website of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques."

Read more: http://news.zdnet.co.uk/security/0,1000000189,39615484,00.htm