HackersBlog finds BT.com flaw

BT.com is the lastest big firm to have its internet security examined by the prolific folks at HackersBlog.

After finding a flaw at the Telegraph's site earlier this week, Hackersblog posted details of how they claimed to access BT.com's database using a blind SQL injection.

The hackers write: "A faulty parameter, improperly sanitized opens the vault to the [precious] databases. One can gain access to such ordinary things as personal data, login data, and the like."

HackersBlog claimed to be able to access login and personal data including names, email addresses and passwords for some users registered with the site.

The hacking site held off publishing the full details of the problem until today in order to let BT fix the flaw. It said the vulnerable pages have now been taken down.

The site added that BT isn't the only big firm with such troubles, promising to show similar problems with other telcos. "Don't rush to conclusions and start pointing fingers before you see the next articles where we will show similar issues with other large telecommunication providers. As we said earlier, we don't take sides, but rather, want to show that the above mentioned vulns [vulnerabilities] can be found almost everywhere."

HackersBlog added: "We would like to thank BT.com for the fair-play and manners they displayed in addressing this issue in the email we got from them.We appreciate and support the mature and to the point attitude they have. It is very important for us."

That said, a spokesperson for BT told IT PRO: "BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time."

"When sites are under test they do not contain live data and are often not included within our secure network until they become operational. BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests," the statement added.

"Where a suspected intrusion has occurred BT will act swiftly to ensure our customer data is not at risk. Our operational systems have not been affected in any way by this attempt to break through our security."