Security Holes Found on HCL Site, Vendor Secretly Fixes Bugs

Independent security researcher Shadab Siddiqui provided us with proof of several serious vulnerabilities on the Intranet site of HCL Technologies, a global IT services company based in India.

“This is a website that has SSL installed (i.e. HTTPS) and they are IT service providers and this is the quality they develop. Their own website is vulnerable to SQL Injection and other things,” Shadab told us.

The screenshots and the documentation the expert provided revealed the existence of SQL Injection and cross-site scripting (XSS) issues that could have allowed an attacker to compromise the site.

“I found that the target web site is connecting to the backend database by using a user that has administrative privileges. This can allow an attacker to gain extra privileges via SQL Injection attacks,” he explained.

By leveraging these weaknesses, an attacker may have been able to gain full access to the database server and execute commands on the underlying operating system.
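To make the SQL Injection point concrete, here is an added example (not code from the article, and not HCL's application) that puts the vulnerable pattern beside its fix. It uses a constructed in-memory SQLite table standing in for the site's backend; the table, the user names and the function names are all assumptions. The string-concatenated lookup lets a crafted username rewrite the query and return every row, while the parameterised lookup treats the same input as a plain value. Running the application's queries under a least-privilege database account, rather than the administrative one the researcher found, limits what such an injection can reach even when a query slips through unparameterised.

```python
import sqlite3


def build_demo_db():
    # Constructed stand-in for the site's backend database; not HCL's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("admin", "hash-admin", 1)],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    # Vulnerable: the user-supplied value is spliced into the SQL text, so quote
    # characters in it change the structure of the statement the database parses.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn, username):
    # Fixed: a bound parameter is sent to the database separately from the SQL
    # text, so it can only ever be compared as a value, never parsed as SQL.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_demo_db()
    # A username containing a quote and an always-true condition, the textbook
    # injection the researcher's report describes in general terms.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, crafted))  # every user
    print("safe:      ", lookup_user_safe(conn, crafted))        # no match
```

The contrast is the whole lesson: the same input is data in one function and code in the other. Code review or a static check that flags f-strings and `+` concatenation feeding `execute()` catches the first form before it ships.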

Regarding the XSS flaws, Shadab said, “Cookie was not marked as secure and transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic or following a successful MITM (Man in the middle) attack.”
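The cookie issue the researcher describes is one that can be checked mechanically from a site's response headers. The following added example (not code from the article, and not anything from HCL) audits `Set-Cookie` header values with Python's standard `http.cookies` parser and reports cookies missing the `Secure` attribute, which stops the browser sending the cookie over plain HTTP, and the `HttpOnly` attribute, which keeps page scripts, including XSS payloads, from reading it. The sample headers are constructed for the demo, not captured from any real response.

```python
from http.cookies import SimpleCookie

# Attributes a session cookie served over HTTPS should carry. Morsel stores
# these flags as True when present and "" when absent, so a falsy check works.
REQUIRED_ATTRIBUTES = ("secure", "httponly")


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value; return {cookie_name: [missing attributes]}."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        findings[name] = [attr for attr in REQUIRED_ATTRIBUTES if not morsel[attr]]
    return findings


def audit_response_headers(set_cookie_headers):
    """Audit every Set-Cookie header of a response; keep only cookies with a gap."""
    problems = {}
    for header in set_cookie_headers:
        for name, missing in audit_set_cookie(header).items():
            if missing:
                problems[name] = missing
    return problems


# Constructed sample headers standing in for an HTTPS response; not real data.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",              # neither flag: exposed to both issues
    "csrftoken=def456; Path=/; HttpOnly",    # missing Secure: may leak over HTTP
    "prefs=dark; Path=/; Secure; HttpOnly",  # correctly flagged
]

if __name__ == "__main__":
    for name, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

In practice the header list comes from whatever HTTP client or proxy log you already have; feeding each `Set-Cookie` value through `audit_response_headers` turns the researcher's manual observation into a check that can run on every deployment.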

HCL was contacted a few days ago and given all the necessary documentation regarding the security holes. When the site was checked again today, the vulnerabilities seem to have disappeared, which means the issues have been addressed in the past few days.

“This is the issue with these people. They can’t even say ‘thanks’,” Shadab concluded.

On the bright side, at least the company takes security seriously and rushed to patch up the vulnerabilities. On the other hand, it’s a shame that companies refuse to work with security professionals that want to lend them a hand in securing their infrastructures and public websites.
