Even a child could do it
We’re all still reeling from the hack that exposed almost 55 million people to unnecessary fraud risk, and more details of the biggest government-related hack are still filtering through. We had a hunch that Comelec’s security surrounding the database of all the voters wasn’t the best, but Troy Hunt, the creator of haveibeenpwned.com, says that the hackers didn’t have to be geniuses to get the database.
When asked to describe how easy it was to take the information from the Comelec in an interview in GMA News Online, Hunt responded, “Exceptionally easy. The video I saw showed a SQL injection risk being exploited. This is the biggest—and one of the most well-known—risks we have on the web today. It’s also one of the easiest to exploit and we often see children using it to compromise websites.”
Hunt also observed severe security lapses that enabled the attackers to get access to the data.
“There was also definitely no formal security review of the website as these were very obvious flaws. For a government site of this nature, you’d expect to see proper review,” he said.
The worst part is that better security for the database wouldn’t have cost an arm and a leg.
“The secure software development patterns that would have prevented this are free,” he said.