SQL injection in appointment system of the AMC.
Due to improper input sanitization in the appointment system it was possible to run arbitrary SQL commands. The AMC has dealt with the problem very efficiently, were very kind, and have done absolutely everything in their power to make this right. This is by far the best way I have seen a company/institution deal with a problem so far. They could not have reacted more professionally/effectively.
User affected: 2385
- Adres(Street + nr, postalcode,city)
- Social Security Number
- Insurance company/number
- Name/address of both their dentist and doctor
- Reason/Datetime of visit
- AMC Number
Whilst making an appointment to get my wisdom-tooth removed I saw this in the response to a post request made to the server
Assessing the damage
After I saw this, I popped the request into SQLMap, and what do you know, SQL injection. I listed the columns, to see what data was exposed and did a row count, to see how many users where affected.
When I do projects like this, I create a RAM disk where I store things like BURP sessions, Python data parsers to create the statistical information I provide in this disclosure. The contents of a RAM disk are lost when you power down the computer(assuming you don’t live in a freezer). All the obtained data is gone, with exception of some screen-shots and the column list.
Questions I asked them:
How did you verify the data wasn’t obtained by anyone else?
The AMC representative has told me that they have analyzed the log files and have come to the conclusion that the vulnerable system was only exploited by me.
Are you going to inform the users?
The AMC has send out a email to all the affected users on 28/02/2017.
Are you going to inform the Dutch Data Protection Authority?
They have informed the DPA pretty much immediately.
Founder @ BinaryIT | Nelson.Berg@binaryit.net (PGP)
Pentester @ Securify B.V. | Nelson.Berg@securify.nl (PGP)