The Inquirer-Home

Sun.com and Mysql.com succumb to SQL injection attack

Two-letter passwords stolen
Mon Mar 28 2011, 12:25

DATABASE VENDOR Oracle has suffered an attack on two of its highest profile websites, Mysql.com and Sun.com.

Oracle, which obtained the two domains after purchasing Sun Microsystems, is faced with the embarrassment of having two of its most widely known websites hacked through an SQL injection attack. The result was that parts of the websites' databases were dumped to a third-party website.

At present it seems that neither Mysql.com nor Sun.com fell victim to database vulnerabilities, but rather to poor coding and testing practices. SQL injection attacks are fairly common, and the finger of blame points at the web developers behind the two websites, as testing for large websites like these usually includes taking measures to prevent such attacks.

To compound the embarrassment for Oracle, some of the WordPress accounts had passwords that were just two characters long, while the director of product management's password was just a four-digit number. Arguably the most surprising feature of the attack was that it did not make use of this gaping hole in password security at all.

The attackers dumped the username/password tables of Mysql.com but, perhaps in an act of mercy, omitted passwords from Sun.com's tables, though they made email addresses available to view.

For Oracle the attack on two of its most popular websites must be a deep embarrassment, regardless of how long the company has operated both websites. Perhaps the very thin silver lining for Oracle is that these attacks didn't result from a vulnerability in the database software that both websites were running. µ
