A Romanian hacker, well-known for discovering SQL injection vulnerabilities in popular Websites, discovered similar vulnerability on RBS WorldPay's site. The RBS WorldPay is the U.S.-based payment processing division of the Royal Bank of Scotland. The hacker, called "Unu", said that he accessed RBS WorldPay's database after unprofessional response to his email warning of the vulnerability. The organization reports that Unu break into test database that didn't carry any real data, and that no merchant data accounts were compromised. However, Unu posted two additional examples of flaws on another RBS site after the company claimed his first find was merely a test database. Aside from the SQL injection bugs, Unu also found weak password usage on the site, including one app that wasn't even password-protected, and another that showed the administrative password in the clear. According to RBS WorldPay's report, experts had started investigation of vulnerability, and had enacted security measures. The same web site was hacked last year in a breach that exposed 1.5 million credit card accounts. The researchers discover similar holes at the beginning of this year in the Websites of security firms Kaspersky Lab and BitDefender. For more information, users should read original new at darkREADING website.
