Unu Strikes Again, Hacks BitDefender

Article by George Norman (Cybersecurity Editor)

on 09 Feb 2009

Unu, the Romanian hacker who blew the whistle on the SQL injection vulnerability affecting the Kaspersky USA web page, has done it again: this time he has discovered a vulnerability affecting the BitDefender Portugal site. By means of SQL injection he managed to gain access to a large amount of confidential data, such as admin usernames, passwords, sales tables, customer details and email addresses.

Just as in the case of the Kaspersky SQL injection, Unu has posted several pictures depicting his accomplishments: “It seems Kaspersky aren’t the only ones who need to secure their database. BitDefender has the same problems. The images speak for themselves. First we see the version, user and name of the Data Base. Now let’s see the Admin userName, userPass, sessionID and lastlog. Here’s an injection that returns thousands of lines where we see personal details of the customers, tabel vendas (sales table),” he says.

The list of customer email addresses alone makes it worthwhile for spammers to take advantage of the poorly programmed database: with a simple SQL injection they have access to a whole list of verified and authentic addresses which can later be exploited. The least worrisome situation would be bombarding the inboxes of these people with “Genuric Viagr@” messages; but what is stopping someone with malicious intent from launching a phishing attempt? We can only take comfort in the fact that Unu will not disclose details about the vulnerability, just as in the Kaspersky situation. The other consolation is that since BitDefender is based in Romania, the communication process between Unu and the aforementioned security software developer will go smoothly.

In related security news, Microsoft will release a patch tomorrow, the 10th of February 2009. With this month’s Patch Tuesday, the Redmond software developer will address two critical vulnerabilities in Internet Explorer and Microsoft Exchange Software, and two important vulnerabilities in Microsoft Office and Microsoft SQL.

