Nokia has temporarily shut down its developer community website as a precaution, after a hacker gained access to a database table containing forum members’ email addresses and other information. The hacker last week exploited a vulnerability in the bulletin board software that allowed an SQL Injection attack that in turn enabled him (or her) to deface the forum website.
Nokia has now emailed all its developer forum members alerting them to the fact that not only has the website been defaced, but the hacker also gained access to records, which – fortunately for Nokia – did not contain passwords, credit card details or other sensitive information.
Nevertheless, Nokia says, roughly 7 percent of accessed records did include birth dates, website URLs and/or usernames for services like AIM, ICQ, MSN, Skype or Yahoo.
SQL injection attacks usually occur when user input in the database layer of an application is not filtered for escape characters and is then passed into an SQL statement, or when a user supplied field is not strongly typed or is not checked for type constraints and thereby unexpectedly executed.
Nokia says it initially believed only a small number of forum member records had been accessed, but that further investigation has identified that the number is ‘significantly larger’ – Nokia did not disclose exactly how many records were accessed or any other details about the security breach.
The company also says it has taken down its developer community website offline as a precautionary measure while a Nokia team conducts further investigations and security assessments.
(Thanks for the heads up, Robert)