There are lots of red faces at Oracle this morning, as two of its sites, MySQL.com and Sun.com, were pwned over the weekend by veteran Romanian extremely-dark-gray-hat hacker TinKode and sidekick Ne0h. The sites were the victims of an as-yet-unidentified "blind" SQL injection technique -- the exact type of attack you'd think the devs and admins at MySQL would know how to protect against. Apparently, you'd be wrong.
Here's how it happened: Early on Sunday morning, Jackh4xor sent a message to the Full Disclosure mailing list explaining that MySQL.com was "vulnerable to blind SQL injection vulnerability." The message lists the target site as the MySQL.com customer view page. There's an impressive roster of databases, tables, and fields swiped from the MySQL.com site, as well as a short collection of usernames and passwords, both in their encrypted and unencrypted forms.

Shortly after, a lengthy listing claiming to come from TinKode and Ne0h at Slacker.Ro in Romania appeared on Pastebin. TinKode (or more accurately, someone using the handle TinKode) has been, uh, credited with cracking into a U.S. Army site, Eset, NASA, the U.K. Ministry of Defense, Reuters, and others. TinKode also calls Jackh4xor "our friend," and he claims that he and Ne0h found the offending vulnerability in January.

The link for this article located at InfoWorld is no longer available.