This morning the United Nations Web site was defaced by three hackers calling themselves kerem125, M0sted, and Gsy. The group exploited a typical SQL Injection vulnerability found in the United Nations ASP / ADODB Web servers.
Instead of transcripts of Secretary-General Ban Ki-Moon’s speeches, visitors were greeted with the message:
Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
A post over at hackademix.net notes the importance of the missing apostrophe in "dont". It is a clue to the technique the attackers used to deface the Web site: when user input is concatenated straight into a SQL string, an apostrophe terminates the string literal, so the injected text itself cannot contain one. What’s surprising is that this type of attack can be quite easily avoided by making proper use of prepared statements. One would expect a high profile organisation such as the UN to be more thorough in protecting itself from this kind of embarrassment.
Even more surprising is the fact that, despite having corrected the text in question, the Web site still appears to be vulnerable to the same type of attack. I wonder how long it will be until it’s patched?
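To make the apostrophe clue concrete, here is an added example (not code from the original post or from the UN's site) that contrasts the string-concatenation pattern with a prepared statement. It uses Python's sqlite3 with a constructed `speeches` table as a stand-in for the ASP/ADODB back end; the classic ASP counterpart of the hardened version is an ADODB.Command with a Parameters collection.

```python
import sqlite3

# Constructed sample row standing in for a published speech transcript.
SAMPLE_SPEECH = "Remarks of the Secretary-General to the General Assembly"


def make_db():
    """Create an in-memory table with one speech record (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO speeches (id, body) VALUES (1, ?)", (SAMPLE_SPEECH,))
    conn.commit()
    return conn


def update_body_concatenated(conn, speech_id, body):
    """Vulnerable pattern: the value is pasted into the SQL text, so the
    database parses whatever it contains as SQL. An apostrophe ends the
    string literal early, which is why injected text has to avoid them."""
    sql = "UPDATE speeches SET body = '" + body + "' WHERE id = " + str(speech_id)
    conn.execute(sql)
    conn.commit()


def update_body_prepared(conn, speech_id, body):
    """Hardened pattern: placeholders in the statement, values bound
    separately. The value is never parsed as SQL, apostrophes included."""
    conn.execute("UPDATE speeches SET body = ? WHERE id = ?", (body, speech_id))
    conn.commit()


def read_body(conn, speech_id):
    row = conn.execute("SELECT body FROM speeches WHERE id = ?", (speech_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Apply the same apostrophe-bearing text through both code paths."""
    results = {}
    conn = make_db()
    try:
        update_body_concatenated(conn, 1, "don't kill")
        results["concat_apostrophe"] = "accepted"
    except sqlite3.OperationalError:
        # The literal closes at "don" and the rest is a syntax error.
        results["concat_apostrophe"] = "syntax error"
    update_body_prepared(conn, 1, "don't kill")
    results["prepared_apostrophe"] = read_body(conn, 1)
    return results


if __name__ == "__main__":
    print(demo())
```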