Royal Navy Offical Website Hacked

Talk about not being able to catch a break, a Romanian security enthusiast who goes by the handle "TinKode" has hacked the Royal Navy official website and uploaded proof onto his blog. More from this source.

The grey hat hacker specializes in finding Web vulnerabilities like SQL injection and cross-site scripting.

Back in July he disclosed a high-risk weakness in YouTube, which was subsequently misused to poison video comments.

In a new post on his blog, TinKode claims that the compromise of www.royalnavy.mod.uk happened on November 5 at 22:55. Time zone is not specified, but Romania is in UTC +02:00.

The hacker mentions that the attack vector was SQL injection, but fortunately, he doesn't publicly disclose the vulnerable URL.

He does, however, link to a file hosted on pastebin.com, which contains sensitive information gathered from the Royal Navy Web server and database.

This includes a copy of the /etc/passwd file, a listing of MySQL databases, as well as the tables for some of them.

For the "globalops" database, which we assume corresponds to the "Global Operations" section of the website, TinKode lists the contents of the "admin_users" table. This includes the administrative accounts and their corresponding passwords hashes.

The hacker even decrypted the hashed password for the user called "admin," posted it in plain text. Suffice to say that it's ridiculously simple and in no way appropriate for a military website.

The pastebin.com upload with all the juicy details can be found here. TinKode's blog is here. The Royal Navy website is here, and is currently offline as of this blog post.