F-Secure provides details on Web site breach

Security firm says bug in Web application led to hole hackers used to breach Web site.


Helsinki-based security firm F-Secure said on Thursday that a breach of its Web site earlier in the week by a Romanian hacker site was limited in scope and impact.

On Wednesday the HackersBlog site said it had used a SQL injection and cross-site scripting attack to get access to data on an F-Secure Web site. Earlier, the site had launched similar attacks on a site of security firm Kaspersky and one belonging to a partner of BitDefender.

F-Secure said the problem with its site was due to a bug in a Web application and not related to an unpatched system.

"One of our servers used in gathering malware statistics had a page that didn't properly sanitize input and was therefore vulnerable to attack," spokesman David Frazer said in an e-mail. "Fortunately we utilize defense-in-depth strategies so the attack was only partly successful. The server was taken down immediately after the blog was discovered to ensure the SQL injection was contained and to also analyze the level of the threat."

Although the attackers could read the F-Secure database information, they were not able to write or manipulate the data and were unable to access any other data on that server because the SQL user only had access to its own database, he said. The data accessed was statistics information used for marketing purposes, he added.

"So while the attack is something we must learn from, it was very minimal with no impact to F-Secure, our partners or our customers," Frazer said.
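The two controls described in the statement, input handling and a restricted database account, can be seen side by side in the following added example, which is not F-Secure's code. It assumes a constructed `stats` table and uses SQLite's read-only open mode as a stand-in for a database user without write rights, since the article does not name the database or the application.

```python
import sqlite3
import tempfile

def build_db(path):
    """Create a constructed stats database (sample data, not from the article)."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE stats (family TEXT, detections INTEGER);"
        "INSERT INTO stats VALUES ('sample-a', 10), ('sample-b', 25);"
    )
    con.commit()
    con.close()

def open_read_only(path):
    """Least privilege (assumed stand-in): the page's connection cannot write."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def lookup_unsanitized(con, family):
    """'Before' form: input concatenated into the SQL text, so it is parsed as SQL."""
    return con.execute(
        "SELECT family, detections FROM stats WHERE family = '" + family + "'"
    ).fetchall()

def lookup_parameterized(con, family):
    """Hardened form: input is bound as data and never parsed as SQL."""
    return con.execute(
        "SELECT family, detections FROM stats WHERE family = ?", (family,)
    ).fetchall()

def write_is_blocked(con):
    """Return True if the read-only connection rejects a write attempt."""
    try:
        con.execute("UPDATE stats SET detections = 0")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    path = tempfile.mkdtemp() + "/stats.db"
    build_db(path)
    con = open_read_only(path)
    crafted = "x' OR '1'='1"  # constructed input that alters the WHERE clause
    rows_bad = lookup_unsanitized(con, crafted)   # every row comes back
    rows_ok = lookup_parameterized(con, crafted)  # no family has this literal name
    blocked = write_is_blocked(con)               # second layer still holds
    con.close()
    return len(rows_bad), len(rows_ok), blocked
```

The unsanitized lookup returns the whole table while the write still fails, which matches the partly successful outcome the statement describes; the parameterized lookup removes the read exposure as well.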