A hacker, who calls himself “ins3cted”, has demonstrated to Webwereld via video how by exploiting a simple SQL injection, he can retrieve 168,000 personal records from a Dutch website called Experience the OV (http://www.ervaarhetov.nl).
Citizens living in the provinces of Gelderland, Overijssel and Flevoland are being encouraged to use public transport via a campaign that promotes the vulnerable website, from which they can purchase travel smart cards. “ins3ct3d” also explained that he felt obliged to expose this security vulnerability to warn his fellow citizens as long as the government continues to use such unsafe systems. ins3cted also stated “This time it’s sensitive personal data, next time your fingerprints or EPD,” which is certainly not the kind of data you want falling into the wrong hands!
So far there is no confirmation that customers’ banking and payment details were exposed, but a number of accessible fields in the databases stored ID card numbers and payment terms. At the request of Webwereld, a Dutch website which publishes internet-related news, the hacker did not retrieve any more data. At the time of writing, the vulnerable site is unavailable.
At least we can breathe a sigh of relief this time, since the hacker appears to be interested in exposing insecure coding practices rather than stealing identities. Hopefully this incident will raise much-needed awareness around the world of the need for secure development and web application penetration tests. The video is available from the following URL: http://webwereld.nl/nieuws/66012/ov-site-lekt-persoonlijke-data-168-000-reizigers.html
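As an added illustration of the class of defect described above (not code from the site or from the video), here is a constructed traveller table with a string-concatenated lookup beside its parameterized form; the table schema, column names, sample values and the probe input are all assumptions, and the point is that one lookup on the unsafe version returns every record while the safe version returns none.

```python
import sqlite3

# Constructed sample data standing in for a traveller database; not the real site's schema.
TRAVELLERS = [
    ("anna", "ID-0001", "monthly"),
    ("bram", "ID-0002", "annual"),
    ("chris", "ID-0003", "monthly"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE traveller (username TEXT, id_card TEXT, payment_terms TEXT)"
    )
    conn.executemany("INSERT INTO traveller VALUES (?, ?, ?)", TRAVELLERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by string concatenation, so user input becomes SQL syntax."""
    sql = ("SELECT username, id_card, payment_terms FROM traveller "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Passes the input as a bound parameter, so it is only ever compared as data."""
    sql = "SELECT username, id_card, payment_terms FROM traveller WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def record_count(lookup, username: str) -> int:
    """Number of records a single lookup returns for the given input."""
    conn = build_db()
    try:
        return len(lookup(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed tautology input: harmless as data, but it rewrites the WHERE clause
    # when concatenated into the query text.
    probe = "x' OR '1'='1"
    print("vulnerable:", record_count(lookup_vulnerable, probe))        # 3: whole table
    print("parameterized:", record_count(lookup_parameterized, probe))  # 0: no such user
```

A legitimate username returns exactly one record from both functions; only the concatenated query lets the WHERE clause be rewritten by the input.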