CNIL Recommendations on the Prevention and Remediation of SQL Injections

10/10/2020



Securing an information system is essential to guarantee that customers' personal data is not stolen or compromised. SQL injection is a widespread attack that can cause serious harm to individuals: it can allow remote control of the server or the installation of a keylogger.


The CNIL outlines the five steps of the attack:


Step 1: An attacker identifies a site vulnerable to SQL injection and attacks it, for example with an automated tool such as sqlmap
Step 2: The attacker gains access to the username and password of the administrator account, stored in the database and hashed with the MD5 hash function without a salt
Step 3: SQL injection also allows the attacker to retrieve the website's "users" table, containing the personal data of customers: last name, first name, email address, passwords, physical address, telephone number, etc. To do this, the automated tools send a large number of queries through the vulnerability to identify the database schema, the tables and, ultimately, the data they contain
Step 4: The attacker executes shell commands on the targeted website because some of the server directories are open for writing. The attacker uses the shell to run a script or program that opens a false browser window (iframe) when a customer places an order and adds a keystroke logger (keylogger)
Step 5: Users wishing to carry out an online transaction then enter their banking information in the false window, and the attacker gains access to that data
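The flaw behind step 1 is a query whose text is assembled from user input. The following added example (not code from the CNIL release) puts that pattern next to its parameterised replacement, using an in-memory SQLite table with constructed rows; the `users` table, the email values and the helper names are assumptions for the illustration.

```python
"""Added illustration (not part of the CNIL press release): the query-building
pattern that makes step 1 of the attack chain possible, next to the
parameterised form that closes it. Table, rows and inputs are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory 'users' table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, last_name) VALUES (?, ?)",
        [
            ("alice@example.invalid", "Durand"),
            ("bob@example.invalid", "Martin"),
            ("carol@example.invalid", "Bernard"),
        ],
    )
    return conn


def find_by_email_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds SQL by string concatenation: the caller-controlled value becomes
    part of the statement text, so quotes and operators inside it change the
    meaning of the query. This is the pattern automated scanners look for."""
    sql = "SELECT email, last_name FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_by_email_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    statement text, so it is only ever compared as a literal string."""
    sql = "SELECT email, last_name FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both variants on the same inputs and report what each returns."""
    conn = make_db()
    # Constructed input containing SQL metacharacters. No real user has this
    # email, so the intended answer for a lookup is "no rows".
    crafted = "x' OR '1'='1"
    # Concatenation also breaks on legitimate data: an apostrophe in the
    # value produces a malformed statement instead of a lookup.
    try:
        find_by_email_vulnerable(conn, "o'neil@example.invalid")
        concat_breaks_on_apostrophe = False
    except sqlite3.OperationalError:
        concat_breaks_on_apostrophe = True
    return {
        "vulnerable_rows": len(find_by_email_vulnerable(conn, crafted)),
        "safe_rows": len(find_by_email_safe(conn, crafted)),
        "normal_rows": len(find_by_email_safe(conn, "bob@example.invalid")),
        "concat_breaks_on_apostrophe": concat_breaks_on_apostrophe,
        "safe_handles_apostrophe": find_by_email_safe(conn, "o'neil@example.invalid") == [],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the counts: the concatenated version returns the whole table for a value that matches no user, which is exactly how the "users" table in step 3 is retrieved, while the parameterised version returns nothing and also copes with an apostrophe in a genuine address. Reviewing a code base for the `"... '" + value + "'"` shape is the cheapest form of the SQL injection audit the CNIL recommends.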


In case an organisation experiences an SQL injection attack, the CNIL recommends the following:


Unauthorized access to banking information generally poses a high risk to the data subjects. The organization should inform affected individuals to:


    • Change their password associated with their email address on the attacked website
    • Change their password on other sites where the same usernames and passwords are used
    • Block their bank card, in order to prevent further harm to affected individuals


In addition, the data controller must:


    • Record the data breach in its breach register
    • Notify the CNIL within 72 hours


It is important for a data controller to have its website audited regularly, in particular on technical aspects, without waiting for a first attack. The most common flaws can thus be discovered:


    • Vulnerability to SQL injection;
    • Directories allowing writing;
    • Passwords hashed with MD5 without salt.
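The last two flaws in that list can be checked and fixed in a few lines. The example below is added here and is not from the CNIL release: it contrasts unsalted MD5 with a per-user salt plus a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), and walks a web root looking for directories writable by group or others. The directory layout, the sample password and the iteration count are constructed assumptions.

```python
"""Added illustration (not part of the CNIL press release): audit checks for
'passwords hashed with MD5 without salt' and 'directories allowing writing'.
The web-root layout and the sample password are constructed here."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value; tune it to the server's
# hardware so one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """The flaw the CNIL names: identical passwords give identical digests,
    so one precomputed table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus a slow KDF, stored as salt$digest in hex."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def find_writable_dirs(root: str) -> List[str]:
    """Return directories under root writable by group or others, relative to
    root. On a web server these are the directories that let a script dropped
    through an injection be written and later executed (step 4 above)."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def demo() -> Dict[str, object]:
    """Exercise both checks on constructed data."""
    pw = "Winter2020!"  # constructed sample password shared by two users
    same_md5 = md5_unsalted(pw) == md5_unsalted(pw)
    h1, h2 = hash_password(pw), hash_password(pw)
    # Constructed web root: uploads/ is world-writable, the others are not.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("static", 0o755), ("uploads", 0o777), ("conf", 0o750)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
        writable = find_writable_dirs(root)
    return {
        "md5_same_for_same_password": same_md5,
        "salted_hashes_differ": h1 != h2,
        "verify_ok": verify_password(pw, h1),
        "verify_wrong": verify_password("not-the-password", h1),
        "writable_dirs": writable,
    }


if __name__ == "__main__":
    print(demo())
```

The two salted hashes for the same password differ, so a leaked table no longer reveals which users share a password and cannot be attacked with a single rainbow table; the directory walk is the kind of check to run against the deployed web root, not just the repository, since permissions are usually set at deployment time.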


The press release is available here.




This text is not legal advice. All recommendations are made by the CNIL; visit their press release for full details.