H-Online: A hacker has exploited a vulnerability in the forum software of mobile phone maker Nokia’s developer forum to compromise the site. The attacker used SQL injection to access the forum database at developer.nokia.com and, according to Nokia, obtained email addresses of registered users. Where configured to be publicly available, the table also includes details such as the user’s date of birth, web site URL and Skype, ICQ or other IM username; this is reported to be the case for around 7 per cent of users. The database did not contain passwords or credit card information. The issue does not, according to Nokia, affect any other Nokia accounts.
The attacker, calling himself pr0tect0r AKA mrNRG, temporarily redirected the developer forum to a site containing a message for Nokia:
“LOL, Worlds number 1 mobile company but not spending a dime for a server security! FFS patch your security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!!”
The link that was used to deliver the message may change browser window sizes and positions.
Nokia has apologized for the incident and has temporarily taken the forum offline. The company states that, although the vulnerability was fixed immediately, it is still investigating the incident.