There appears to be a flaw in the popular MySQL database management system that allows rogue servers to steal documents from users of the system. Sensitive information can fall into the wrong hands because of a few minor mistakes.

The vulnerability was discovered by Security Boulevard and then further explored by Bleeping Computer. It is a design flaw in the way file transfers are handled between a client host and a MySQL server. Due to the vulnerability, an attacker can run a MySQL server and thus gain access to all the data to which the connected server has access.

Steal sensitive information

The vulnerability could be used to obtain sensitive information from incorrectly configured web servers. These are servers that allow connections to untrusted servers or that run certain database management applications. More specifically, the problem seems to lie in the LOAD DATA statement when it is used with the LOCAL modifier. The MySQL documentation already describes this as a security risk.
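The following detection sketch is an added example, not code from the article or from MySQL. It flags a server reply that asks the client for a file when the client's query did not contain LOAD DATA LOCAL, or named a different file. The packet framing, the 0x03 query byte and the 0xFB file-request byte are taken from the public MySQL protocol documentation rather than from this article, and the sample traffic and file names are constructed.

```python
import re

COM_QUERY = 0x03         # client command byte for a text query
LOCAL_INFILE_REQ = 0xFB  # first payload byte of a server "send me this file" reply

# Captures the file name the client itself asked to upload.
_LOAD_RE = re.compile(
    rb"LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)

def payload(packet: bytes) -> bytes:
    """Strip the 4-byte packet header (3-byte little-endian length + sequence id)."""
    length = int.from_bytes(packet[:3], "little")
    if len(packet) < 4 + length:
        raise ValueError("truncated packet")
    return packet[4:4 + length]

def check_exchange(client_pkt: bytes, server_pkt: bytes) -> str:
    """Classify one query / first-response pair: 'ok', 'unsolicited' or 'mismatch'."""
    reply = payload(server_pkt)
    if not reply or reply[0] != LOCAL_INFILE_REQ:
        return "ok"                  # server did not ask for a file
    wanted = reply[1:]               # file name chosen by the server
    query = payload(client_pkt)
    m = _LOAD_RE.search(query[1:]) if query[:1] == bytes([COM_QUERY]) else None
    if m is None:
        return "unsolicited"         # file requested without LOAD DATA LOCAL
    return "ok" if m.group(1) == wanted else "mismatch"

def pkt(seq: int, body: bytes) -> bytes:
    """Build a packet for the constructed samples below."""
    return len(body).to_bytes(3, "little") + bytes([seq]) + body

# Constructed sample traffic (not captured from a real system).
LOAD = b"\x03LOAD DATA LOCAL INFILE 'a.csv' INTO TABLE t"
SAMPLES = [
    (pkt(0, b"\x03SELECT 1"), pkt(1, b"\xfb/path/chosen/by/server")),
    (pkt(0, LOAD), pkt(1, b"\xfba.csv")),
    (pkt(0, LOAD), pkt(1, b"\xfb/path/chosen/by/server")),
    (pkt(0, b"\x03SELECT 1"), pkt(1, b"\x00\x00\x00\x02\x00\x00\x00")),
]

def classify_samples():
    return [check_exchange(c, s) for c, s in SAMPLES]

if __name__ == "__main__":
    print(classify_samples())
```

This only works on unencrypted client/server traffic; where the client is under your control, disabling LOCAL INFILE support on the client side removes the need for the check.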

Strikingly enough, SiliconAngle reports today that, in a discussion on the Reddit forum site, the same MySQL flaw is named as the reason behind the success of the Magecart hacker group's attacks. This group has repeatedly been able to add code to websites that handle transactions in order to take money. Attacks have already taken place on the Infowars Store, Cathay Pacific Airways, British Airways and Ticketmaster Entertainment.

According to Tripwire researcher Craig Young, who spoke to SiliconAngle, the vulnerability does not seem critical at first glance, but it does need to be addressed. This is because users are not always aware that there are major vulnerabilities in the database management interface. Admins need to be aware that certain pages, even if they are not linked to other content, can be discovered and abused by attackers, says Young. Admin tools such as Adminer should under no circumstances be exposed.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.