Sony Music Japan hacked through SQL injection flaw


Another day, another attack on Sony. I reported yesterday on the SQL injection attack exposing user information on SonyMusic.gr, and today attackers have found flaws in SonyMusic.co.jp.

The Hacker News sent us a tip this evening documenting a couple of vulnerable web pages on SonyMusic.co.jp that allowed hackers to access their contents through SQL injection.

Screenshot of Sony Japan hack from Pastebin.com

The good news? The database information that was published does not contain names, passwords or other personally identifiable information. The attackers noted that there are two other databases on the site that are vulnerable and it remains unclear whether they contain sensitive information.

It isn't clear whether the hackers are able to inject data into the database or can only read the tables and records it contains. If they are able to alter the records, they could insert malicious code that compromises people browsing the site.

The attackers appear to be the same crew who targeted Fox.com earlier this month. Known as Lulz Security, the group appears to attack sites primarily for fun and political reasons, not to steal credit cards and commit other types of fraud.

This doesn't change the criminality of their behavior. Accessing systems without authorization is still a crime in most countries.

Will Sony stop the bleeding? The attackers stated in their message "This isn't a 1337 h4x0r, we just want to embarrass Sony some more."

While there is an enormous target on Sony's back as a result of these very public attacks, it is unclear why this is happening. Is Sony taking security seriously, or are there simply so many flaws from the past in their public-facing sites that it will take them a long time to patch them all?

I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order, and for their sake I hope this happens sooner rather than later.


6 Responses to Sony Music Japan hacked through SQL injection flaw

  1. Anonymous · 1247 days ago

    You don't know why this is happening? Really?!

    They've breached their customers' rights over and over again. They started a war with the hacking community as a whole. They started a war with anyone who thinks their information should be safe.

    • There are definitely companies who have done far worse things than what you speak of. The reason why Sony is being targeted is because it is a media and entertainment industry. Everybody wants entertainment in life so hey, mainstream. Everything a company like this does is in the spotlight since it affects quite a few people just a tad bit.

      It seems as if some companies can get away with murder (or more). ex. I have heard that that blood diamond movie that I have never watched is pretty close to the truth.

      Personally, I find it quite silly for Sony to be targeted like this.

  2. Anonymous Anonymous · 1247 days ago

    ...that's not a SQL injection. That's just an insecure API.

  3. Alex · 1247 days ago

    Who is securing their sites? Sony is a huge company, and most have large contracts with security firms, shouldn't a monthly security have identified these attack vectors?

  4. George · 1247 days ago

    It seems that lately Sony Music has serious problems with the hackers. First it was the incident in Greece, now Japan.

  5. anonymous · 1245 days ago

    IMO it reeks of politicizing of internet anonymity... There are always contexts where something can be perceived as being bad whether it be economic / criminal / statistical etc. At my estimate the news covers 10x more hacking news lately, maybe it's just what we are interested in and they are gaining reviews or maybe it has to do with the next world talks in France.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.