Security Flaws Detected on RBS WorldPay Websites
A grey-hat Romanian hacker has recently discovered SQL injection flaws on the websites of the Royal Bank of Scotland (RBS) WorldPay.
Adding to the company's worries, another Web developer exposed a cross-site scripting (XSS) flaw in one of the company's sites to prove that its efforts to mitigate XSS are completely misguided and inept.
A Romanian hacker known as "Unu", famous for finding SQL injection flaws in high-profile sites, stated that he attacked the company's database straightaway, according to news published by Dark Reading on September 11, 2009.
The hacker said that he was able to access the database of RBS WorldPay through a SQL injection vulnerability found in one of its Web applications. RBS WorldPay, on the other hand, has claimed that Unu was only able to access a test database that contained no live data, and so no merchant or cardholder accounts were hacked. Since then, the company has taken down the affected Web pages.
According to Unu's blog posts, security inadequacies on the RBS WorldPay website, despite being blocked, revealed sensitive details such as partners' contact details and admin passwords.
The company said that the database in question carried replica data and was only used for a trial website. Offended by this response, Unu discovered another SQL flaw in a different RBS WorldPay site. But the company once again seemed to ignore the seriousness of the discovered vulnerabilities.
He added that if a parameter is not well protected, then apart from the legitimate database request linked to that parameter, other data can be inserted as well. According to him, the susceptible parameter enables complete access to the databases on the server.
The hacker had earlier revealed the same problems on the sites of HSBC France and the UK Parliament, among others. In addition, he also published screenshots to support his recent claims.
It is reported that the Royal Bank of Scotland Group business processes millions of payments daily. A spokeswoman for RBS WorldPay stated that they took the security of their websites very seriously.
» SPAMfighter News - 03-10-2009