Potential SQL Injection Attack on Oklahoma Prison Thwarted
Code vulnerabilities spotted and reported
April 15, 2008
A code vulnerability in an Oklahoma state prison registry exposed information such as Social Security numbers to potential SQL injection attacks. According to Alex Papadimoulis, writing in The Daily WTF, the code behind the Oklahoma Department of Corrections Sexual and Violent Offender Registry left Social Security numbers, home addresses, and other information open to attackers for up to three years.

Papadimoulis said that the SQL query used to display information was carried in the URL itself, and that the SQL SELECT statement "also included a few non-displayed columns such as 'social_security_number' and 'date_of_birth,' and even had several conditionals to make sure that only Active records were returned." By displaying "social_security_number" instead of "doc_number" and removing the conditionals, he showed that an intruder with basic SQL Server skills could retrieve the private numbers. When he pointed this out to George Floyd, the IT Administrator at the Oklahoma Department of Corrections, the site was taken down and fixed by April 13, 2008.
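The pattern the article describes, a page that accepts an entire SELECT statement from the URL and executes it, is shown below beside a hardened version. This is an added example, not code from the registry or from The Daily WTF; the table name `offenders`, its columns, the sample rows and the placeholder Social Security numbers are all constructed, and SQLite stands in for SQL Server. The hardened lookup takes only a record identifier from the request, fixes the column list and the Active-only filter server-side, and binds the identifier as a parameter so the client cannot change which columns or rows come back.

```python
import sqlite3

# Constructed schema and data standing in for the real registry (not the
# actual Oklahoma DOC database). SSNs and DOBs are fake placeholders.
SCHEMA = """
CREATE TABLE offenders (
    doc_number             TEXT PRIMARY KEY,
    last_name              TEXT,
    first_name             TEXT,
    social_security_number TEXT,
    date_of_birth          TEXT,
    status                 TEXT
);
"""
ROWS = [
    ("A1001", "Doe", "John", "000-00-0001", "1970-01-01", "Active"),
    ("A1002", "Roe", "Jane", "000-00-0002", "1980-02-02", "Inactive"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


# The query the page was meant to run, as the site would have placed it in the
# URL: only public columns, only Active records.
INTENDED_QUERY = (
    "SELECT doc_number, last_name, first_name FROM offenders "
    "WHERE status = 'Active'"
)

# The edit the article describes: the displayed column swapped for a hidden
# one and the conditionals removed. Because the whole statement comes from the
# client, the server has no say in what is returned.
ALTERED_QUERY = "SELECT social_security_number, last_name, first_name FROM offenders"


def lookup_vulnerable(conn, sql_from_url):
    """Vulnerable pattern: execute whatever SELECT the URL carries."""
    return conn.execute(sql_from_url).fetchall()


# Hardened version. The request carries only a doc_number; everything else is
# decided on the server.
PUBLIC_COLUMNS = ("doc_number", "last_name", "first_name")


def lookup_hardened(conn, doc_number):
    """Parameterised lookup that can only ever return the public columns of
    Active records. The identifier is bound with '?', so quotes or SQL
    keywords in it are treated as data, never as part of the statement."""
    sql = (
        "SELECT " + ", ".join(PUBLIC_COLUMNS) +
        " FROM offenders WHERE doc_number = ? AND status = 'Active'"
    )
    return conn.execute(sql, (doc_number,)).fetchall()


def contains_hidden_data(rows):
    """Simple check a reviewer can run on any result set: does it contain a
    value from a column that should never reach the page?"""
    hidden = {r[3] for r in ROWS} | {r[4] for r in ROWS}
    return any(cell in hidden for row in rows for cell in row)


if __name__ == "__main__":
    db = make_db()
    print("intended :", lookup_vulnerable(db, INTENDED_QUERY))
    print("altered  :", lookup_vulnerable(db, ALTERED_QUERY),
          "leaks hidden data:", contains_hidden_data(lookup_vulnerable(db, ALTERED_QUERY)))
    print("hardened :", lookup_hardened(db, "A1001"))
    print("hardened, inactive record:", lookup_hardened(db, "A1002"))
```

The difference between the two functions is where the statement is authored. In `lookup_vulnerable` the client writes the SQL, so restricting the displayed columns in the page template does nothing: the hidden columns are still in the result set whenever the client asks for them. In `lookup_hardened` the SQL is a fixed string in the application, the only client-controlled value is bound as a parameter, and the Active filter cannot be removed from outside. `contains_hidden_data` is the kind of assertion worth keeping in a test suite so that a future change that widens the column list fails a build rather than shipping.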
For more information on SQL injection, see these related resources: How to Protect Against a SQL Injection Attack, How to Avoid a SQL Injection, and SQL Injection: The Hacker's Gold Mine.