SQLi vulnerability in PickPoint service systems offered for sale on the darknet

Anonim

On one of the most popular hacker marketplaces, several sellers have begun offering an SQLi vulnerability that, they allege, gives full access to the internal database of the PickPoint service.

Anyone can purchase the SQLi vulnerability in the PickPoint system for 1000 dollars. In an SQL injection attack, dynamic SQL statements are abused: specific parts of the statement are commented out and a condition that is always true is added. SQL injection targets vulnerabilities in the web application architecture and uses SQL operators to execute malicious SQL code.
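The mechanism described above, shown next to the parameterized form that closes it. This is an added example, not code from PickPoint or from the original article; the table, column names and sample rows are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    # Constructed sample data; hypothetical schema, not PickPoint's.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, pin TEXT)"
    )
    db.executemany(
        "INSERT INTO clients (email, pin) VALUES (?, ?)",
        [
            ("a@example.test", "1111"),
            ("b@example.test", "2222"),
            ("c@example.test", "3333"),
        ],
    )
    return db


def lookup_vulnerable(db, email, pin):
    # Dynamic SQL: the input is concatenated into the statement text,
    # so quotes and comment markers in it change the statement itself.
    sql = (
        "SELECT id, email FROM clients WHERE email = '" + email
        + "' AND pin = '" + pin + "'"
    )
    return db.execute(sql).fetchall()


def lookup_parameterized(db, email, pin):
    # Fixed statement with placeholders: the input is bound as data only.
    sql = "SELECT id, email FROM clients WHERE email = ? AND pin = ?"
    return db.execute(sql, (email, pin)).fetchall()


# Constructed input matching the description: an always-true condition,
# then a comment marker that cuts off the rest of the WHERE clause.
TAUTOLOGY = "x' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, TAUTOLOGY, "wrong"))
    print("parameterized:", lookup_parameterized(db, TAUTOLOGY, "wrong"))
    print("legitimate   :", lookup_parameterized(db, "a@example.test", "1111"))
```

With the concatenated query the PIN check is commented out and every row is returned; with bound parameters the same input is compared as a literal email string and matches nothing.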

On the same hacker forum, another seller is offering an already downloaded PickPoint customer database, which contains about 4 million entries. The seller reports that each record contains detailed personal information about clients (full name, date of birth, phone number, residential address, email address, verified MD5 passwords, etc.).


Information security experts are confident that the sale of this information is an "echo" of the hacking of PickPoint parcel lockers in early December 2020. At that time, unknown cybercriminals carried out a cyber attack on the Russian company's systems, as a result of which cell doors opened on some parcel lockers, located in different cities of Russia, that held delivered parcels.

PickPoint noted at the time that the security incident was linked to a cyber attack on the providers that supplied Internet access to the parcel lockers. In total, over 2.7 thousand of the 8 thousand existing parcel lockers were affected by the hacker attack. As a result of the locker doors opening, about 1000 delivered parcels were stolen.

PickPoint has not yet commented on the sale of the SQLi vulnerability in its service systems. The delivery service also has not reported a possible leak of the personal data of 4 million clients.
