Romanian Hackers Expose Kaspersky USA Site Open to SQL Injection

Article by George Norman (Cybersecurity Editor)

on 09 Feb 2009

The United States web page of one of the best-known security software providers, Kaspersky USA, has been exposed as unable to secure its own databases (which hold such things as user names, activation codes, bug lists, admins, and so on). A Romanian hacker going by the name of “Unu” said in a blog post over at hackersblog.org that all it took was changing characters in the URL. On the upside, Unu says that Kaspersky’s private info will not be exposed by him or the blog staff.

“Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. Seems incredible but unfortunately, it’s true. Alter one of the parameters and you have access to everything,” says Unu.

The SQL injection vulnerability was discovered this weekend, and at the time Kaspersky did not provide any comment. In fact, the company was slow to react to warnings from Unu, who apparently tried to contact it but got no response; he then went on to post the findings online. Soon after, other researchers from the security industry acknowledged that Kaspersky’s US web page is vulnerable to SQL injection.

Kaspersky has since looked into the issue and has now released this statement: “On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site.”

It just goes to show you that poor programming is a serious issue that can affect even the industry’s heavyweights. SecuriTeam saw the lighter side of things and posted this amusing comic strip.

UPDATE: Unu has also hacked BitDefender. Read all about it here.

