Royal Navy Website Hacked

A hacker claims to have gained full access to the website of the British Royal Navy and the underlying database through an SQL injection attack.

In a blog post, TinKode claims that the compromise of www.royalnavy.mod.uk happened on November 5 at 22:55.

The hacker mentions that the attack vector was SQL injection, but fortunately, he doesn’t publicly disclose the vulnerable URL.

He does, however, link to a file hosted on pastebin.com, which contains sensitive information gathered from the Royal Navy Web server and database.

This includes a copy of the /etc/passwd file, a listing of MySQL databases, as well as the tables for some of them.

For the “globalops” database, which we assume corresponds to the “Global Operations” section of the website, TinKode lists the contents of the “admin_users” table. This includes the administrative accounts and their corresponding password hashes.

The hacker even cracked the hashed password for the user called “admin” and posted it in plain text. Suffice it to say that it’s ridiculously simple and in no way appropriate for a military website.

Furthermore, he also posted usernames and hashed passwords for the site’s “Jack Speak” blogs section, which appears to be running WordPress. We have alerted the Royal Navy Web team, but have yet to receive a reply. Meanwhile, the website remains online.

SQL injection is a type of vulnerability that stems from a failure to properly sanitize user input. It allows attackers to execute rogue database queries by manipulating the vulnerable URL.
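The failure described above, shown next to its fix, as an added example that is not part of the original article or the affected site's code. The `articles` table, the function names and the sample input are constructed for illustration, and an in-memory SQLite database stands in for the site's MySQL server.

```python
import sqlite3


def make_db():
    """Build constructed sample data; SQLite stands in for MySQL here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO articles VALUES (1, 'Fleet news', 1), (2, 'Draft: internal memo', 0);
    """)
    return db


def get_article_vulnerable(db, article_id):
    # BAD: the URL parameter is pasted into the SQL text, so it can change
    # the structure of the query, not just the value being compared.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + article_id
    return [row[0] for row in db.execute(sql)]


def get_article_safe(db, article_id):
    # Defense in depth: reject anything that is not the expected integer.
    try:
        numeric_id = int(article_id)
    except ValueError:
        return []
    # The placeholder binds the value as data; it is never parsed as SQL.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (numeric_id,))]


def demo():
    """Run both handlers on the same constructed URL parameter value."""
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input, as it might arrive from ?id=...
    return get_article_vulnerable(db, crafted), get_article_safe(db, crafted)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned:", leaked)
    print("parameterized handler returned:", safe)
```

In the vulnerable handler the appended condition overrides the `published = 1` filter, so the unpublished row is returned as well; the parameterized handler returns nothing for the same input.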

TinKode previously disclosed similar vulnerabilities on NASA and U.S. Army websites. At the end of October he announced compromises on websites belonging to the U.S. Army 470th MI Brigade, the U.S. Army Civil Affairs & Psychological Operations Command and the National Weather Service.

13 Comments

  1. I’d have to permit with you on this. Which is not something I typically do! I love reading a post that will make people think. Also, thanks for allowing me to speak my mind!

  2. An awesome share, I just given this onto a student who was doing a little research on that. And he in fact purchased me dinner because I found it for him…. smile.. So let me reword that: Thanks for the treat! But yeah Thnx for spending the time to talk about this, I feel strongly about it and love learning more on this topic. If possible, as you become expertise, would you mind updating your blog with more info? It is highly helpful for me. Big thumb up for this share!

  3. Amazing! It’s like you understand my mind! You seem to know so much about this, just like you wrote the book in it or something. I think that you could do with some pics to drive the content home a bit, but other than that, this is great blog post. A great read. I will definitely be back.
