Injection: vulnerability allows access to Sony's customer data

A security researcher has found on the website of Sony a critical SQL injection vulnerability. The vulnerability allows the customer data from participants in the Playstation Networks read.

Was discovered in the gap of Aria Akhavan. The IT security expert had informed Sony claims to two weeks ago about the existence of the gap. Reacts Sony has not so far. The gap uses a function on the website of the support of Sony, there may be manipulated by means of a parameter in a URL request to a SQL Server database from Sony will be sent. The output contains a potential attacker directly in the browser.

Further details on the use of the gap are Golem.de before. Due to the severity of the gap and thus the possible access to numerous customer data we decided not to publish the details. We have Sony asked for an opinion, but we have not yet received a response.

Sony's Playstation Network was last 2,011 victims of a major hacker attack. At that time, the access and personal data were stolen from 77 million users . As a result, in many countries, authorities and politicians had dealt with the incident and demanded by Sony better protection of customer data. Also in August of this year there was a attack on the Playstation Network , but it was only a distributed denial-of-service attack (DDoS).

SQL injection attacks are one of the most common and dangerous vulnerabilities in web applications. Only recently was a serious SQL injection vulnerability in the content management system Drupal has become known, numerous websites have been hacked so that in the last days.

SQL injection vulnerabilities occur whenever a web application inserts inputs from users unchecked and unfiltered in SQL commands. Through the consistent use of so-called prepared statements are SQL injection vulnerabilities can be completely prevented. Especially in safety-critical applications, the use of prepared statements is therefore strongly recommended.