The German grey hat known as D35m0nd142 probed the official website of CBS (cbs.com) and found several vulnerabilities that could easily be exploited by hackers.
The list of security holes includes 17 Blind SQL Injection issues, a directory disclosure flaw and a number of cross-site scripting (XSS) problems with the “possibility of change the vulnerable page of website.”
“I've found a lot of vulnerability and in the last days I've just published the proofs. A real hacker doesn't deface any websites or create damage. He just finds vulnerabilities and warns the admins and publishes the proofs. Black hats think that a hacker must create damage or he isn't a hacker,” D53m0nd142 told us.
He immediately notified the site’s administrators to make them aware of the existence of the vulnerabilities.
To show that the flaws represent a real danger and to prove that they can be exploited, the hacker also provided screenshots which demonstrate that he gained unauthorized access to CBS’s systems.
He utilized Acunetix Web Vulnerability Scanner to highlight the existing flaws, but he claims that this doesn’t mean he relies on such tools to do the real work.
“I use Acunetix to speed up my scans. That's all. But then I pierce databases and servers using methods that are unknown to skids,” D35m0nd142 explained.
Other websites that were proven to be vulnerable by the grey hat are the ones of the Canadian Space Agency, European Space Agency, security solutions provider Sophos, United Nations, Skype, the US Federal Reserve, and MySQL.com.
We’ve had a great interview with him a while ago where he explained a lot of interesting things about his life and his hacking experiences.
The interview, part of the Hackers around the world series can be found here.