
Student finds flaw in VECO website, leaks data, defaces it.


Mac, who said he is a student and a web vulnerability researcher, defaced the website of Visayan Electric Company (VECO, www.veco.com.ph).

The home page itself was not defaced; instead, a file named “notify.html” was uploaded to the website. In it, the researcher explained the reason for the defacement.

According to him, the VECO website is vulnerable to a common web application flaw, “SQL injection,” and through it he managed to gather sensitive information from the site.

“I recently visited your site and I have found out that it is vulnerable to SQL injection. I have gathered infos such as, Administrator Username and Password,” Mac explained.

The researcher also leaked some user data from the VECO website: usernames and hashed passwords.

Image: leaked user data from the VECO website

Mac insisted that what he did was part of responsible disclosure and that he did not harm or delete any files on the system.

“I already emailed you but you failed to reply or even fix the Vulnerability. 🙁 So in that case, I have decided to put a redirection in the /admin so that other hackers will not access the admin panel and they can’t delete/change files or even deface your site,” he said.

How insecure is the VECO website?

As he detailed it, the SQL injection flaw lies in pages of the site and is what gave him access to it. An upload section could allow any attacker to upload a shell (a malicious PHP file) capable of causing serious damage to the site. The admin panel is also unsecured, to the point that anyone can guess it.

Playing the white hat to a degree, Mac added a redirection on the /admin page so that other attackers cannot reach the login page. With it in place, even other malicious users who could fetch sensitive data would not be able to harm the website.

He also advised the website administrator to simply delete the .htaccess file in “admin” to remove the redirection.
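To make that mechanism concrete, here is an added example (not taken from the article or from VECO’s site) of what an .htaccess redirect of the kind described looks like, placed beside the access controls an administrator would put in the same file instead; the /admin and /uploads paths, the htpasswd location and the IP range are assumptions.

```apache
# Added illustration, not the article's or VECO's own configuration.
# Assumes an Apache host where .htaccess overrides are enabled;
# the directory names, htpasswd path and IP range are placeholders.

# --- /admin/.htaccess as the article describes it ---
# Every request under /admin is bounced to the notice page, which is why
# deleting this file restores the panel. It is not a fix: the SQL injection
# and upload weaknesses behind it are untouched.
RewriteEngine On
RewriteRule ^ /notify.html [R=302,L]

# --- /admin/.htaccess as the site owner should have it ---
# Require a login AND a known operator network, so the panel cannot be
# reached merely by guessing its path. RequireAll makes both conditions
# mandatory; on their own, two Require lines are OR-ed together.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/.htpasswd   # placeholder path, keep it outside the web root
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24         # placeholder, documentation range
</RequireAll>

# --- /uploads/.htaccess ---
# Never serve anything with a PHP-style extension from the upload directory,
# so a file that slips past upload validation cannot run as a web shell.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
```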

As of now, hours after the hack, the redirection has already been removed from the admin page and VECO has made no comment.

Update, around 8:00 AM: a hacker claiming to be from An0nsec completely defaced the website.

Update, 11:00 AM: the website is now fixed and running well.

About Clifford Trigo

Hi there! I am Clifford Trigo from the island of Bohol, come over here and let’s have fun! :3 Just keep reading :D