Website flaw exposed a Canadian ISP’s entire customer database

Canadian internet provider Altima Telecom has fixed a flaw in its website that could have given an attacker full access to its customer database.

The customer database was connected to the company’s website and could be remotely accessed with a blind SQL injection attack. Daley Borda, founder of Underdog Security, found the bug and reported it to TechCrunch, and we passed the report on to Altima.

Altima Telecom bills itself as one of the largest independent Canadian internet service providers, serving Montreal and Toronto.

The database contained 427 tables holding millions of records on customers, including billing data, support tickets, and other user data, according to Borda. Although the researcher could probe the database by entering commands into his browser’s address bar, he said that a malicious attacker could easily dump its contents and download the entire database.

He also found several database columns storing credit card data, including card numbers, expiry dates, security codes, and addresses.

When reached, Altima’s chief executive Frank Yang told TechCrunch that the database was protected using an encryption key management service. But when we asked several security researchers about the flaw, they said that a successful injection attack would appear as a request from a legitimate user.

“We really appreciate you and the security researcher bringing this to our attention,” said Yang. “We are taking this matter very seriously.”

It’s a surprisingly simple flaw that could have caused significant damage — even for a mid-sized ISP. Altima’s exposure is the latest in a string of security incidents at internet providers. Comcast has patched several flaws that allowed improper access to customer data. New York cable provider RCN recently admitted to storing customer passwords in plaintext.



from www.tech-life.in