A database belonging to Flight Centre Travel Group (flightcentreassociates.com) has been leaked by a hacker calling himself WhiteHat MrNervous, who posted the dump, together with details of the database, on a WordPress website.
The hacker used a SQL injection vulnerability against the site's MySQL database to get in. He sent the vulnerability details to Flight Centre Travel Group on 09 February 2014 and is expecting a bug bounty of USD 5000.
Flight Centre Travel Group is a big name in the travel and tourism industry, a multinational company that promises its clients best-in-class technology in order to win their confidence.
So far Flight Centre Travel Group has not responded to the hacker's email, and he has posted the message below on his website along with a mirror of the database.
It is really disheartening to see how vulnerable the companies under Flight Centre Travel Group (Australia) are. Our travel details, including our plans, contact details, etc., are all stored by these travel companies in their database, which is now leaked only because their security is incompetent.
"In the Travel & Tourism Industry, Flight Centre Travel Group is a big name, a Multi National Company. They promise their clients that they are using best in class technology to gain confidence. While in reality, this is not the case. In addition to this, their staff also ignores a warning email sent to Flight Centre Travel Group informing them about the flaw in security. Now that they know, no one has yet gathered enough courage to come up and talk to the Pentester, provide him with a reward for finding the flaw, and in turn avoid this ShowUp. Instead they took a more drastic step which Amadeus IT Group, Abacus, Hindustan Book Agency, MatchMeCupid, SalesForce did not: they sent a notice under DMCA (Digital Media Copyright Act) for Copyright Infringement to take down the database files uploaded by the pentester. This aggravated the whole situation and the pentester is now focussed on the Flight Centre Travel Group of companies, to find flaws in all of them and download their data to later publish it online, so that next time they and any other company think twice before sending a Take Down notice or taking any action of any kind against the Tester.
Now it might just be the time when the customers of Flight Centre Travel Group will rethink whether they should continue to deal with this company, as they do not actively monitor nor safeguard the security of their database, which contains their clients' private data, contact details, and more.
If you are one of their clients or are planning to deal with them for your travel plans, or even if you just send them queries about a travel plan, please be informed that all the data you share with them will be out there, published on the Internet. You might then want to file lawsuits against them if your confidential data is among the data which is leaked.
Flight Centre Travel Group, I will bring you to your knees!"
I have sent an email to Mr. WhiteHat MrNervous asking about the reason for this defacement and for more information.
UPDATE: 22-03-2014
Vulnerability Details (Important): Flight Centre Travel Group uses 'Parallels Plesk Panel' for online login to the server, which is vulnerable to SQL injection, cross-site scripting (XSS), denial of service, remote code execution, authentication bypass, etc.
I believe the current updated version of Parallels Plesk Panel might not be vulnerable to the SQL injection exploited here, but Flight Centre Travel Group's IT team had not updated theirs to the latest bug-free version.
It is because of this that I was able to exploit the SQL injection vulnerability to get access to their database. I then asked them if they would pay a bug bounty for what I found. They didn't reply, and the very next day I published their leaked database online. Flight Centre Travel Group has not yet been able to catch me for this leak; now that they know Parallels Plesk Panel was at fault and is responsible for their database leak, they might want to take them to court.
Source (Parallels Plesk Panel is vulnerable or has serious security flaws):
http://www.cvedetails.com/product/21684/Parallels-Parallels-Plesk-Panel.html?vendor_id=5403
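The flaw the update describes is the classic login-form SQL injection: the panel splices user input into the SQL text, so a quote and a comment marker in the login field rewrite the query. The block below is an added example written for this page; it is not Plesk's code and not the payload used in this incident. It uses an in-memory SQLite table standing in for the panel's MySQL backend (the `users` table, its columns and its rows are constructed assumptions) and puts the concatenated query beside the parameterised one, then feeds both two inputs: one that bypasses the password check with a `-- ` comment, and one that pulls every credential row out through a UNION.

```python
import sqlite3

# Constructed sample data standing in for a control panel's MySQL backend.
# The schema, table name and rows are assumptions made for this example;
# passwords are stored in clear only to keep the demonstration short (a real
# panel should store salted hashes, which is what an attacker would dump instead).
SAMPLE_USERS = [
    ("admin", "S3cretAdminPw", "admin@example.com"),
    ("alice", "alicepw", "alice@example.com"),
    ("bob", "bobpw", "bob@example.com"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (login, password, email) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Vulnerable pattern: user input is spliced into the SQL text.

    Whatever the attacker types becomes part of the statement, so quotes,
    comment markers and UNION clauses change what the query does.
    Returns the rows the panel would treat as a successful login.
    """
    sql = (
        "SELECT login, email FROM users WHERE login = '" + login
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, login, password):
    """Hardened pattern: parameterised query.

    The SQL text is fixed; the driver passes the values separately, so a quote
    or comment marker in the input is compared literally against the column.
    """
    sql = "SELECT login, email FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


# Two constructed payloads. "-- " (with the trailing space) starts a comment in
# both SQLite and MySQL, so everything after it, including the password check,
# is discarded by the parser.
BYPASS_LOGIN = "admin' -- "
# Closes the string early and appends a UNION that returns every (login,
# password) pair; the column count (2) matches the original SELECT.
DUMP_LOGIN = "' UNION SELECT login, password FROM users -- "


def run_demo():
    """Run both payloads against both implementations and return the results."""
    conn = build_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_LOGIN, "wrong"),
        "bypass_hardened": login_hardened(conn, BYPASS_LOGIN, "wrong"),
        # UNION output order is not guaranteed, so sort before comparing.
        "dump_vulnerable": sorted(login_vulnerable(conn, DUMP_LOGIN, "wrong")),
        "dump_hardened": login_hardened(conn, DUMP_LOGIN, "wrong"),
        "legit_hardened": login_hardened(conn, "admin", "S3cretAdminPw"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Against the concatenated query the first payload logs in as admin with a wrong password and the second returns the whole credential table, which is the class of result the update describes. The parameterised version returns nothing for either payload and still works for a genuine login. Keeping the panel patched, as the update recommends, removes the known bug; parameterising every query is what removes the bug class, and the same check applies to any stored procedure or ORM call that still builds SQL strings from input.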
Author: Venkatesh Yalagandula