This is absolutely nuts. SQL Injection 101 attack on a site authorized by DHS for TSA vetting of known crew members. I’d bet there aren’t even audit logs that would be able to show if the system was tampered with.
How many other auxiliary sites with deep ties into critical infrastructure are this poorly secured?
Bypassing airport security via SQL injection (ian.sh)
We discovered a serious vulnerability in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs used by the Transportation Security Administration.
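The "SQL Injection 101" the post refers to is a login form that splices user input straight into a query. The block below is an added example, not code from the linked ian.sh write-up and not the real KCM/CASS schema or query: it uses a constructed in-memory SQLite table (plaintext passwords, purely to keep the toy short) and two hypothetical login functions, one built by string concatenation and one using bound parameters, so the bypass and the fix can be run side by side offline.

```python
import sqlite3


def make_db():
    """Build a constructed sample database (not the real KCM/CASS schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    # Toy row; plaintext password only so the example stays self-contained.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical vulnerable login: input becomes part of the SQL text.

    Returns the matching (username,) row, or None if the credentials fail.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    # The attacker controls quoting and comment characters here, so the
    # WHERE clause they get to write is not the one the developer intended.
    return conn.execute(query).fetchone()


def login_parameterised(conn, username, password):
    """Hypothetical fixed login: values are bound, never parsed as SQL."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two classic payloads (constructed for this example):
#  - a known username followed by a quote and a SQL line comment, which
#    truncates the password check entirely;
#  - a tautology that makes the whole WHERE clause true without knowing
#    any username at all.
PAYLOAD_COMMENT = "alice'--"
PAYLOAD_TAUTOLOGY = "' OR '1'='1"


def demo():
    """Run both logins against both payloads; returns a dict of outcomes."""
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
        "vuln_tautology": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY),
        "fixed_comment": login_parameterised(conn, PAYLOAD_COMMENT, "wrong"),
        "fixed_tautology": login_parameterised(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY),
        "fixed_legit": login_parameterised(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:16s} -> {row}")
```

The point worth taking from this is that the fix is not "input sanitization" in the sense of stripping characters: a bound parameter is never interpreted as SQL, so the same payloads that log the vulnerable function in as `alice` simply fail against the parameterised one, while a real password still works. That is also why the audit-log question in the post matters: with concatenated queries an attacker chooses what the database executes, and unless the application logs the statement it actually ran, the record of what was done may be exactly what the attacker wanted it to be.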
-
@gregatron5 @briankrebs @dangoodin Whoa whoa whoa.
If you want input sanitization on your software system that's going to cost you extra, my friend.
DHS isn't made of money, you know.
-
@gregatron5 @briankrebs @dangoodin
Apart from the SQL injection and other issues they found, why was the system even accessible on the open internet? 2FA not being used?