HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability
zSecure team is back in news again, this time they have discovered a critical SQL injection vulnerability in HDFC Bank's Web Portal. Using this critical flaw HDFC Bank's various databases can be accessed and dumped as well. This critical flaw really affects the customer realtions of HDFC Bank's and this really questions the existing security in place within bank. HDFC Bank is the leading bank in India but they lack behind the basic security that needs to be implemented. zSecure team claimed in their blog post that even after sending them complete details about the vulnerability and even after conducting the vulnerability assessment from the third party service provider they were not able to discover this critical falw which existed in their web portal. This really raises a big question on their existing security policy.
What would have happened if somone else would have gained acceess to this critical flaw, their entire database would've been dumped, their web-site would have been defaced and much more. HDFC Bank's really needs to think on this matter again.
Website: www.hdfcbank.com
Vulnerability Type: Hidden SQL Injection Vulnerability
Database Type: MSSQL with Error
Vulnerability Discovered: 15-July-2011
Alert Level: Critical
Threats: Complete Database Access, Database Dump, Shell Uploading
Credit: zSecure Team
Proof of Vulnerability
About HDFC Bank
HDFC Bank deals with three key business segments. – Wholesale Banking Services, Retail Banking Services, Treasury. It has entered the banking consortia of over 50 corporates for providing working capital finance, trade services, corporate finance and merchant banking. It is also providing sophisticated product structures in areas of foreign exchange and derivatives, money markets and debt trading and equity research.
Source
