Oracle databases easy to hack, says researcher

A researcher showed today that Oracle's databases could be hacked with brute-force attacks using only the database's name and a username, according to Kaspersky Lab Security News.

Esteban Martinez Fayo, who works for AppSec Inc., was demonstrating his discovery at a security conference in Argentina and said that within just five hours on a regular PC using a special tool he could hack through easy passwords and access users' data.

"It's pretty simple," Martinez Fayo told the security blog Dark Reading. "The attacker just needs to know a valid username in the database, and the database name. That's it."

Martinez Fayo says he discovered cryptographic flaws in Oracle's password authentication that allows for an easy brute-force hack. According to Martinez Fayo, the crack doesn't require a "man-in-the-middle" to spoof multiple users -- the server leaks vital information directly to the attacker.

Martinez Fayo said that his team first told Oracle about the bugs in May 2010 and the company fixed them in 2011. However, he said, they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks. The company's newly released version 12 does fix the problem.

This isn't the first time that security flaws have been found on Oracle databases. In January, the company squashed 78 software bugs in a major patch that stemmed from a flaw that allowed hackers into its databases remotely. And, just last month, new vulnerabilities that can be exploited to run arbitrary code were discovered in Oracle's latest Java 7 update.

Martinez Fayo said there are workarounds for the flaw. "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable, he said. "It is vital for organizations that deploy Oracle databases affected by these vulnerabilities to administer strong workarounds to prevent an attack."

CNET contacted Oracle for comment. We'll update the story when we get more information.