Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 01 January 2008
Occurred: 09 November 2007

Classifications:

Attack Method: SQL Injection
Country: Brazil
Country: USA
Origin: Russia
Outcome: Planting of Malware
Vertical: Government

RBN was a big story. It was a hackers group that could work relatively freely in Russia due to rumors connections in high windows. This way it could allow safe hosting for malware. For getting people to the malware they penetrated web sites around the world, and the references article mentioned SQL injection as the method they infiltrated more high profile sites such as US government sites.

References:

Infamous Russian malware gang vanishes
News Story, News.com, 09 November 2008
US Gov sites Hacked with SQL Injection
Blog Entry, Bill Pennington, 09 November 2008

WHID 2007-78: A Brazilian banking site allows users to views receipts intended for others

Reported: 01 January 2008
Occurred: 29 January 2007

Classifications:

Attack Method: Credential/Session Prediction
Country: Brazil
Outcome: Disclosure Only
Vertical: Finance

IDG now reports a bug in the internet banking application of Unibanco, a Brazilian Bank. The vulnerability allowed logged users to view transaction receipts of other unrelated users by changing the "receipt ID" on the form or URL.

Reported by Alexandre Sieira

References:

Unibanco tem brecha em sistema de comprovantes de transa??es online
News Story, IDG Now (Google Translate), 29 January 2007

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.