In one of our most recent news items we reported government websites being hacked and their data being uploaded to the internet. According to a blog article published by Zsecure, a serious vulnerability was discovered in HDFC Bank's online platform that potentially allowed hackers to obtain private information about HDFC Bank's customers.
Although it looks like the user information may not have landed in the wrong hands, the time HDFC Bank took to rectify this issue could literally border on a criminal act. The Zsecure team notified HDFC on the 17th of July (2 days after the vulnerability was found), and HDFC Bank took a full 22 days to fix it.
WEBSITE: www.hdfcbank.com
- Vulnerability Type: Hidden SQL Injection Vulnerability
- Database Type: MSSQL (error-based; database error messages were exposed)
- Vulnerability Discovered: 15-July-2011
- Alert Level: Critical
- Threats: Complete Database Access, Database Dump, Shell Uploading
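The two facts in the list above, an injectable query and a database that echoes its error messages back to the page, are what make an injection point of this kind easy to confirm and easy to exploit. The following is an added illustration written for this post; it is not code from Zsecure, from HDFC Bank, or from the bank's real application. It uses Python's built-in sqlite3 module as a stand-in for MSSQL, a constructed "customers" table with made-up rows, and shows the vulnerable pattern (string concatenation plus leaked error text) beside the hardened one (a bound parameter plus a generic error returned to the caller).

```python
import sqlite3

# Constructed sample data; this is not the bank's schema or data.
SAMPLE_ROWS = [
    (1, "Ravi Kumar", "ravi@example.com"),
    (2, "O'Brien", "obrien@example.com"),
]

# Server-side log sink (assumption: a real app would write to its logging system).
INTERNAL_LOG = []


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the user-supplied name is pasted into the SQL text.

    A quote character in the input becomes SQL syntax, and the raw database
    error is handed straight back to the caller. On a web page that is the
    'with Error' behaviour reported above: every malformed input tells the
    visitor exactly how the query broke.
    """
    query = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    try:
        return {"rows": conn.execute(query).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}  # leaks the DB engine's message


def lookup_safe(conn, name):
    """Hardened pattern: a bound parameter keeps the input as data, whatever
    it contains, and database errors are logged server-side while the caller
    only ever sees a generic message."""
    query = "SELECT id, name, email FROM customers WHERE name = ?"
    try:
        return {"rows": conn.execute(query, (name,)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        INTERNAL_LOG.append(repr(exc))
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # A perfectly legitimate name containing a quote breaks the unsafe query
    # and leaks the engine error; the safe query simply finds the customer.
    print("unsafe O'Brien:", lookup_unsafe(db, "O'Brien"))
    print("safe   O'Brien:", lookup_safe(db, "O'Brien"))
```

Running the block shows the asymmetry a defender should look for in their own code: the same input that is an ordinary name to the parameterised query is executable SQL to the concatenated one, and the unsafe path answers with the database's own error text. Reviewing an application for string-built SQL and for error pages that show engine messages covers both of the weaknesses the Zsecure report lists.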
Zsecure sent HDFC an email about the vulnerability. When they checked the status of the vulnerability again, they found it was still active on the web portal, so they sent the HDFC team another set of details with additional proof of the vulnerability and asked them to fix it as soon as possible. Two days later, Zsecure received an e-mail from the HDFC team with this message:
"We have remediated all the vulnerabilities reported on our website. Also, we have had an application vulnerability assessment performed through one of our third-party service providers, and they confirmed that there are no more SQL injection vulnerabilities."
Isn't it strange that such a large organization needs a third-party vendor to have its IT security assessed? One would expect a financial organization like HDFC to have an in-house IT and information security team dedicated to monitoring this kind of activity.
Finally, the vulnerability was removed from the server and the site was restored to normal operation. The episode just shows how easy it would have been for a black-hat hacker to get into the system and wreck it.
Anyway, if you need any information security tips, get in touch with us. Our team would be more than happy to help your company stay secure in the big BAD space of the World Wide Web.