Famous security Pentester and Hacker Kapustkiy managed to break into another government website and this time in Italy where the target was Dipartimento della Funzione Pubblica.
He did this by running a simple SQL injection and gained access to the database which has details of more than 45,000 users. The details include login credentials for services that are handled by the Italian cities.
The researcher took this issue to Pastebin and shared part of the database, saying that he decided to leak only 9,000 of the entries in order to give time to the Italian authorities to fix the security flaw.
The worst part of this whole issue is that the we mails and requests sent by Kapustkiy are ignored by the government officials and event the site’s administrators did not take any time to patch the issue.
“I did not get any response from them. I hope that they will look in the database now after this breach and make their security better,” he told us.
We’ve also reached out to the Italian ministry to ask for more information about the hack, but at the time of publishing this article, an answer is not yet available – we will update the post if an official statement is provided.
Kapustkiy has been really busy lately, as he managed to break into several other government websites across the world, including the Paraguay Embassy of Taiwan. Furthermore, he also breached into sites belonging to the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya, leaking database information that includes the details of thousands of users, such as names, phone numbers, and emails.
The Indian government has even issued a public statement to thank the hacker for exposing flaws in their websites, acknowledging that the country needs to do more work to block attacks.
“Thank you for your advice,” Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology, said. “We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help.”
If remains to be seen if the Italian government issues a similar statement, but judging from their lack of response so far, such a thing is very unlikely.
UPDATE: Andrea Rigoni, Italian security expert who is also an adviser to NATO and other governments, criticised the lack of reaction from country’s authorities, explaining that it’s a mistake that “nobody has listened to the boy.”
Italian IT admins took the website down during the weekend to fix the vulnerabilities and now everything seems to be back to normal.