Passwords and e-mail addresses of at least 134,004 users were exposed by a cybersecurity failure on Hospital Quirón's website. Through this site, the company markets its online medical services, coronavirus tests, genetic analysis, medical check-ups and cosmetic surgery services. Fortunately, the company has fixed the problem and there is no evidence that any data has been stolen.
This type of failure allows third parties to access user data, which does not necessarily mean that information is being stolen.
The security flaw allowed SQL Injection attacks. SQL stands for Structured Query Language, a programming language designed to access information stored in databases. In an SQL Injection attack, malicious SQL code is injected through a computer program that queries a database, in order to steal the information stored there. If the attacked program has not been built with security guarantees or the operating system has not been properly updated, there is a high probability that the attack will succeed.
In the case of Quirón, the flaw was discovered by cybersecurity expert and bug hunter Touseef Gul.
Quirón has stated that it is «a minor problem that has already been fixed». The cybersecurity flaw was reported in May and was fixed shortly thereafter.
The SQL attack explained:
A SQL Injection attack consists of obtaining private information from a database that should normally only be available to privileged users (e.g., database administrators). This information can be used to gain privileged access to applications or to steal confidential information. These attacks usually occur by exploiting a vulnerability in a public application (e.g. a web form) which, in turn, has access to the database. The vulnerability can come from an application that does not implement security controls against this type of attack, for example one that allows SQL statements to be entered in a text field intended for a customer's name. It can also come from an existing vulnerability in one of the components used, such as a web server or a library.
The keys to reducing the risk of suffering this type of cyber-attack are to install security solutions specific to SQL Injection threats or to update operating systems.