Security News > 2007 > March > Giuliani campaign fixes dangerous flaw on new Web site
http://www.smh.com.au/news/Technology/Giuliani-campaign-fixes-dangerous-flaw-on-new-Web-site/2007/03/27/1174761429592.html March 27, 2007 Republican presidential front-runner Rudy Giuliani's campaign hurriedly fixed its official website late Monday to remove a dangerous design flaw that could have allowed hackers to expose personal information submitted by volunteers. The vulnerability affecting Giuliani's site, http://www.JoinRudy2008.com, could have exposed confidential information stored in the campaign's databases. The website failed to block commands that can instruct it to improperly display sensitive information, a popular hacking technique known as "structured query language injection." The campaign fixed the website hours after The Associated Press notified it about the problem. No personal information was compromised, spokeswoman Maria Comella said. "The site has multiple levels of security to detect intrusions and ensure no user's identity was put at risk," Comella said. The campaign launched its new site last week. Giuliani described it in e-mails as "the place where any American can go to learn about my record and join our campaign" and urged supporters to tell their friends about the site. Its privacy policy reassures Internet visitors that the Giuliani campaign "considers your privacy paramount, and we are dedicated to protecting your privacy on the Internet." SQL injection vulnerabilities have been implicated in large-scale Web break-ins. The technique is among the most-critical Internet security vulnerabilities compiled by the SANS Institute, a cybersecurity research organisation, and is the subject of warnings by the U.S. Computer Emergency Readiness Team, part of the Homeland Security Department. "Anybody who knows anything about security could have found these problems in two seconds," said Marc Maiffret of eEye Digital Security Inc., a researcher who examined Giuliani's website at AP's request. The Federal Trade Commission sued Guess? Inc. in July 2003 over allegations it failed to protect consumers' personal and credit information because the fashion company's website was vulnerable to the same design flaw. The FTC's rules do not apply to presidential candidates, only companies, so there was no such legal exposure for the Giuliani campaign. Giuliani's business firm, Giuliani Partners, offered cybersecurity consulting services under a partnership with Ernst & Young until about 2004. Copyright 2006 AP DIGITAL _________________________________________ Visit the InfoSec News Security Bookstore http://www.shopinfosecnews.org