back to article Transit site coughs up private info for 168,000 passengers

Dutch authorities have shuttered a transit website after a hacker demonstrated it gave him access to addresses, birthdates, and other sensitive information belonging to some 168,000 passengers. Ironically, Ervaar het OV, which translates to "Experience the OV," was intended to promote the use of smartcards on the OV system by …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    Are you shitting me?

    An SQL injection attack? Really? Is this where we *still* are? Whomever wrote that system needs to be flogged with several extraneous semicolons.

    1. John Smith 19 Gold badge
      Big Brother

      AC@:26

      "An SQL injection attack? Really? Is this where we *still* are? Whomever wrote that system needs to be flogged with several extraneous semicolons."

      Yes.

      Security takes *effort* and *always* works badly if its bolted on.

      This has been known for *decades*.

  2. Anonymous Coward
    FAIL

    nicely done

    They could have at least had the courtesy to put it on a dvd to lose it.

  3. Llanfair
    Big Brother

    Government IT

    Remember this is government IT, so it was done on the cheap. They got some people to make the site. It's probably their first main site and since they just learnt about SQL and databases, they didn't bother to read about security. They did some code and saw it works and then just submitted it without bothering to learn about secure code. That's the problem with easy "programming languages" and those who do not learn secure coding or proper programming techniques.

    1. Anonymous Coward
      FAIL

      M$ and SQL

      Or they have only been using a datasource such as Access, which isn't subject to SQL injection attacks and this was the first client they had that insisted on a SQL server because that's what M$ told them to use...

      1. Anonymous Coward
        Anonymous Coward

        why assume M$?

        this problem happens just as easily with PHP and MySQL or Java and Oracle. Before you assume it's MS go check

        hmmm... Don't think MS SQL runs here...

        Apache/2.2.11 Unix mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.0

  4. Neal 5

    re: sql injection attacks

    Yes, this still where we are, along with PHP. Never mind the attack method, or secure coding, or programming language simplicity, these are still the foundations for websites\servers. Security is another issue altogether. I'm thinking the implications are more a reflection on the mindset of the sites owner, or their attitude towards their users information security, the attack is just a byproduct that highlights that.

  5. Winkypop Silver badge
    Joke

    Only 168,000 ?

    Amateurs, in every respect.

  6. Stoneshop Silver badge
    FAIL

    Par for the course

    Note that what they're promoting is the "OV Chipkaart", powered by the U1tr4 H4xx0r-pr00f Mifare Classic.

  7. YumDogfood

    Brain dead

    One quick google for "sql security test suite"...

  8. Steve Taylor 3
    Thumb Down

    Don't trust the client software.

    > SQL injection flaws are the result of poorly written web applications that fail to vet user-supplied input before passing it to back-end systems.

    Yes and no - the security needs to be present on the back-end systems too, or what's to stop people circumventing the front-end system entirely and just sending their own hand crafted queries and commands to the back end.

    Server software shouldn't assume it's talking to a friend.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019