Hackers can exploit a flaw in the authentication protocol of Oracle's database server that lets an attacker brute-force a user's password and reach the data behind it. A researcher presented the findings of the proof-of-concept attack at a security conference today in Argentina.
The flaw lets anyone who knows a valid user name and the database name exploit Oracle's authentication protocol. According to Dark Reading, researcher Esteban Martinez Fayo and his team first reported the bug to Oracle in May 2010, and Oracle fixed it in mid-2011.
“But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable,” Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.
The flaw comes down to an information leak in the initial authentication handshake: the server replies to an unauthenticated login attempt with data that lets the attacker verify password guesses offline, so a single failed connection attempt is enough to start cracking. No man-in-the-middle position is required. Security experts are recommending that IT administrators develop workarounds for the flaw.
Several major Oracle security flaws have come to light in recent months. This one stands out because it targets the authentication protocol itself: once a password is cracked, the attacker has the same access to the data as the legitimate user.
Attacks on authentication, whether by a man-in-the-middle or by cracking passwords outright, can wreak havoc, because the attacker ends up impersonating legitimate users and can compromise multiple accounts the same way.
Salesforce.com announced single sign-on for all enterprise apps at Dreamforce this week. Such identity platforms will become increasingly important, and Oracle's flaw shows how much stronger protections are needed to keep data safe.