Focus fixes a SQL Injection vulnerability

Our very first case (06.06.2012) was about a vulnerability on the website of the german magazine “Focus”.

We’ve discovered an SQL injection vulnerability in the dsl-tariff-calculator by accident. Criminals could have dumped all contents of the database. As we’re only doing basic-sql injection checks, we don’t know what’s stored in the database, but often attackers can find email addresses and passwords.

The first attempt to inform Focus about that flaw was unsuccessfull, because nobody had replied to the initial email. After giving them a call, they forwarded the issue to the operating company, which maintains the website. They also promised to get back to us when the issue is resolved. About two weeks later the sql injection flaw has been fixed and we’ve received a friendly email.

The team of