Website flaw exposed a Canadian ISP’s entire customer database

Canadian internet provider Altima Telecom has fixed a flaw in its website that could have given an attacker full access to its customer database.

The customer database was connected to the company’s website, but could be remotely accessed with a blind SQL injection attack. Daley Borda, founder of Underdog Security, found the bug and reported it to TechCrunch, which we passed on to Altima.

Altima Telecom bills itself as one of the largest independent Canadian internet service providers, serving Montreal and Toronto.

The database contained 427 tables, containing millions of records on customers — including billing data, support tickets and other user data, according to Borda. Although the researcher could probe the database by entering commands into his browser’s address bar, he said that a malicious attacker could easily dump its contents and download the entire database.

He also found several database columns storing credit card data, including card numbers, expiry dates, security codes and addresses.

When reached, Altima’s chief executive Frank Yang told TechCrunch that the database was protected using an encryption key management service. But when we asked several security researchers about the flaw, they said that a successful injection attack would appear as a request from a legitimate user.

“We really appreciate you and the security researcher bringing this to our attention,” said Yang. “We are taking this matter very seriously.”

It’s a surprisingly simple flaw that could have caused significant damage — even for a mid-sized ISP. Altima’s exposure is the latest in a string of security incidents at internet providers. Comcast has patched several flaws that allowed improper access to customer data. New York cable provider RCN recently admitted to storing customer passwords in plaintext.