Transit site coughs up private info for 168,000 passengers

Dutch authorities have shuttered a transit website after a hacker demonstrated it gave him access to addresses, birthdates, and other sensitive information belonging to some 168,000 passengers. Ironically, Ervaar het OV, which translates to "Experience the OV," was intended to promote the use of smartcards on the OV system by …

COMMENTS

This topic is closed for new posts.

Are you shitting me?

An SQL injection attack? Really? Is this where we *still* are? Whoever wrote that system needs to be flogged with several extraneous semicolons.


AC@:26

"An SQL injection attack? Really? Is this where we *still* are? Whoever wrote that system needs to be flogged with several extraneous semicolons."

Yes.

Security takes *effort* and *always* works badly if it's bolted on.

This has been known for *decades*.


nicely done

They could have at least had the courtesy to put it on a DVD to lose it.


Government IT

Remember this is government IT, so it was done on the cheap. They got some people to make the site. It's probably their first main site and since they just learnt about SQL and databases, they didn't bother to read about security. They did some code and saw it works and then just submitted it without bothering to learn about secure code. That's the problem with easy "programming languages" and those who do not learn secure coding or proper programming techniques.


M$ and SQL

Or they have only been using a datasource such as Access, which isn't subject to SQL injection attacks and this was the first client they had that insisted on a SQL server because that's what M$ told them to use...

Anonymous Coward

why assume M$?

This problem happens just as easily with PHP and MySQL or Java and Oracle. Before you assume it's MS, go check.

hmmm... Don't think MS SQL runs here...

Apache/2.2.11 Unix mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.0


re: sql injection attacks

Yes, this is still where we are, along with PHP. Never mind the attack method, or secure coding, or programming language simplicity; these are still the foundations for websites/servers. Security is another issue altogether. I'm thinking the implications are more a reflection on the mindset of the site's owner, or their attitude towards their users' information security; the attack is just a byproduct that highlights that.


Only 168,000 ?

Amateurs, in every respect.


Par for the course

Note that what they're promoting is the "OV Chipkaart", powered by the U1tr4 H4xx0r-pr00f Mifare Classic.


Brain dead

One quick google for "sql security test suite"...


Don't trust the client software.

> SQL injection flaws are the result of poorly written web applications that fail to vet user-supplied input before passing it to back-end systems.

Yes and no - the security needs to be present on the back-end systems too, or what's to stop people circumventing the front-end system entirely and just sending their own hand-crafted queries and commands to the back end?

Server software shouldn't assume it's talking to a friend.

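The two points the thread keeps returning to, that string-built queries are the injection flaw class and that the check has to live on the back end rather than in the client, are easier to see side by side in code. The following is an added example written for this page, not code from the Ervaar het OV site or from any commenter. It uses Python's built-in sqlite3 module with an in-memory table of constructed, hypothetical passenger rows; the card-id format rule in lookup_hardened is an assumed policy for illustration, not something the article states about the real system.

```python
import sqlite3


def make_db():
    """Create a throwaway in-memory table standing in for passenger records.

    The rows are constructed sample data, not real passengers.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE passengers (card_id TEXT, name TEXT, address TEXT, birthdate TEXT)"
    )
    conn.executemany(
        "INSERT INTO passengers VALUES (?, ?, ?, ?)",
        [
            ("1001", "A. Jansen", "Example Street 1", "1970-01-01"),
            ("1002", "B. de Vries", "Example Street 2", "1985-05-05"),
            ("1003", "C. Bakker", "Example Street 3", "1992-09-09"),
        ],
    )
    return conn


def lookup_vulnerable(conn, card_id):
    """Build the query by concatenation: the caller's text becomes SQL.

    This is the flaw class the comments are talking about. A value that is
    not a plain card number changes the shape of the WHERE clause, so the
    query can return rows the caller was never meant to see.
    """
    sql = (
        "SELECT name, address, birthdate FROM passengers WHERE card_id = '"
        + card_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, card_id):
    """Same query with a bound parameter.

    The driver sends the statement and the value separately, so whatever the
    value contains it is only ever compared against card_id, never parsed
    as SQL.
    """
    sql = "SELECT name, address, birthdate FROM passengers WHERE card_id = ?"
    return conn.execute(sql, (card_id,)).fetchall()


def lookup_hardened(conn, card_id):
    """Server-side validation on top of parameterization.

    This check runs on the back end, so it still applies when a request
    bypasses the front end entirely. The 1-16 digit rule is an assumed
    policy for this example.
    """
    if not (card_id.isdigit() and 1 <= len(card_id) <= 16):
        raise ValueError("card_id must be 1-16 digits")
    return lookup_parameterized(conn, card_id)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed malformed input, not a card number
    print("concatenated query, normal input:", lookup_vulnerable(db, "1002"))
    print("concatenated query, malformed input:", lookup_vulnerable(db, probe))
    print("parameterized query, malformed input:", lookup_parameterized(db, probe))
    try:
        lookup_hardened(db, probe)
    except ValueError as err:
        print("hardened lookup rejected input:", err)
```

Running it shows the concatenated version returning every row for the malformed input, the parameterized version returning nothing, and the hardened version refusing the request before it reaches the database. The validation function is the answer to the "don't trust the client" comment: a format check in the browser's JavaScript would be skipped by anyone posting the request directly, whereas this one cannot be.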