back to article Hackers: BitDefender site exposes private data (yet again)

Romanian hackers have discovered a security flaw in the website of anti-virus provider BitDefender. They said it was the second time in a week the company has inadvertently exposed a database that is supposed to remain private. According to an item posted to HackersBlog, BitDefender's main website can be tricked into …


This topic is closed for new posts.
  1. Inachu
    IT Angle

    This is why you use a hosting company!!!

    This is the main reason why you use a hosting company that will just host your website and nothing else. This way nothing gets lost or no loss of database full of peoples numbers DOB and such.........

    Seems like Bit Defender needs to run their software on their own server.

  2. David Eddleman

    Glad I don't use BitDefender

    Really, if they can't protect themselves from a simple SQL injection attack, how can I trust them to safeguard my data?

  3. Chris Miller


    If your web page is vulnerable to a SQL injection attack, it doesn't matter where the SQL server is hosted (the web server must still be able to access it). OTOH if you just want a static web server providing plain vanilla HTML, then you may have a point.

    The answer to SQL injection is proper validation of all input strings - 'simple' as that.

  4. Steve Roper

    Preventing SQL injection is not rocket science!

    I can't believe that a professional security site has allowed itself to be exploited by this kind of attack. It's a simple matter to validate all input that will be used as part of an SQL query. Here's a couple of very basic, quick and dirty (PHP) examples:

    1) Wherever possible, limit parameters passed from the client to numeric index and key references. This then allows you to use the simple regex:

    $param = preg_replace("/\D/g", "", $_POST['param']);

    to remove all non-numeric characters from the parameter before it gets anywhere near your database.

    2) When you do need to parse textual parameters, you can either use:

    $param = mysql_real_escape_string($_POST['param']); // or run this through the SQL interpreter directly for other languages

    or you can manually replace all dangerous non-alphanumeric characters with their HTML entity equivalents:

    $sqlinj = array("\'", "\"", "(", ")", "=", "\\", "<", ">"); $sqlrep = array("&#39;", "&#34;", "&#40;", "&#41;", "&#61;", "", "&lt;", "&gt;");

    $param = str_replace($sqlinj, $sqlrep, $_POST['param']);

    While these are not the be-all and end-all, they will stop most attempts at SQL injection in their tracks. Any two-bit programmer worth his diploma can figure this out. There's no excuse for BitDefender to not have implemented at least this basic level of protection!

  5. David Kairns

    Uh...These Are **Security Specialist** Corps!!!

    God Help Us.

    "Here, use this nice cool gasoline to put out your house fire."

    AVG is also shit.

    I've found Avast AV excellent -- rock solid program and definition updates daily. Other, also better stuff exists as well.

  6. Anonymous Coward

    @Chris Miller

    God I swear the next person that says the solution to SQL injection is input validation/sanitation alone I'm going to smack.

    Has nobody heard of binding in their SQL anymore?!

  7. Andrew Clerk

    Search database...

    It's just an search database, it doesn't seem to harm.

  8. Lionel Baden


    i use bitdefender !!

    doesnt really effect me to much as a end user, 1 more spam mail in the box.

    but i will defend the product they supply i am extremly happy with it.

  9. Deadly_NZ
    Gates Horns

    Oh I just love a secure anti virus site

    Damn I glad I use Avast

  10. Adam Silver badge

    Input parsing

    I'm with Anonymous on this one. Why on earth are web developers letting the presentation layer access data in the database layer at all? That's what stored procedures and parameters are for.

  11. Anonymous Coward
    Anonymous Coward

    @Steve Roper

    Nice snippets. Often easier (and cheaper on resources) than using preg_replace to strip non-numerics is to just cast the input as an integer;

    $numeric_param = (isset($_GET['myparam']))? (integer)$_GET['myparam']: 0;

  12. David Wilkinson

    Why this stuff happens ...

    I know people who have started jobs as web developers amazed at the level of incompetence show by the previous developers ... only to be forced to produce equally low quality code.

    Each new project they are told to get the site up and running as fast as possible and not to worry about testing, documentation, security .... once the project is completed they will be given a chance to go back and clean up and properly document the code.

  13. Anonymous Coward

    HackersBlog says that it is the News Section, no private data!

    It seems that no private data was exposed, it's just about the news, virus description section as you see in the screenshot. I think they made an update saying that "The paramter is in their news section and it has a strange behaviour if you test it with the all too common by now, SQL Injection". I think the only thing they can do there is to download all the news and virus description togheter :)

    So why is there a title that says "Hackers: BitDefender site exposes private data (yet again)", if there isn't any private data?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022