ExploitHub confirms breach
Posted on 13 December 2012.
ExploitHub.com, the well-known online marketplace where one can buy exploit code for disclosed vulnerabilities, has confirmed that its web application server was compromised, but that no confidential or sensitive data was stolen during the attack.

A group called "Inj3ct0r Team", which apparently runs a rival online exploit market, claimed responsibility for the attack. To prove they did it, they published a small part of a database they found on the server.

"The exploit information provided in Inj3ct0r's attack announcement text file and SQL dump consists of exploit names, prices, the dates they were submitted to the market, the Authors' IDs, and the Authors' usernames, all of which is publicly available information retrievable from the web application's normal browse and search functions; this is not private information and it was already publicly accessible by simply searching the product catalog through the website," ExploitHub commented the leak.

"The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part."

"Being a high profile target, the ExploitHub endures attacks daily. Due to this high level of risk, the ExploitHub system is architected in such a manner as to drastically limit and contain the impact of a successful compromise of its public-facing component, the web application server, to prevent the further compromise of any valuable product data such as exploit code," they explained.

"Current assessment of the attack indicates that the impact was limited to compromise of data from only the web application server which does not house exploit code or other product data," they concluded, and added that they will continue the investigation into the matter.


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th