Hacked: HDFC Bank Database

Startups, do not fret if you are accused of leaving security holes in your webapp. After the CCAvenue hacking incident, HDFC Bank’s customer database was hacked, and it took HDFC 22 days to respond to the alert.

As per zSecure, HDFC’s customer DB had a critical SQL injection vulnerability and the hackers were able to access the entire customer database.

The aforesaid vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). The HDFC Bank’s team took around 22 days to respond to our e-mail and their first response came on 08-August-2011 with a message:

Details

  • Website: www.hdfcbank.com
  • Vulnerability Type: Hidden SQL Injection Vulnerability
  • Database Type: MSSQL with Error
  • Vulnerability Discovered: 15-July-2011
  • Alert Level: Critical
  • Threats: Complete Database Access, Database Dump, Shell Uploading
  • Current status: Fixed.
