The vulnerability on the eu-eset.com website allows you to register the product for free
Not all vulnerabilities in websites are harmful - at least not for us, end users. However, the same manufacturer and distributors of the ESET NOD32 Antivirus solution may have less reasons to be satisfied, because the bug on the eu-eset.com/me/activate website allows to generate any number of usernames and assigned passwords, enabling the use of a "full-fledged" license obliging to technical support, updating signature databases and updating only software files.
At the very beginning, we calm everyone down - the antivirus program is not susceptible to attack, but the manufacturer's website. The vulnerability was discovered by Mohamed Abdelbaset Elnoby when registering a new user account at eu-eset.com/me/activate. An independent researcher discovered the vulnerability in the authentication mechanism that allows the SQL Injection attack to be performed.
Attacks of this type directed at web applications and websites are very often used by hackers. An attacker by injecting a specially crafted parameter directly forwarded to an SQL query can get eg access to the database (write, read, or this and that), bypass authentication or execute its own code in the operating system on which the database or web server works.
In the case of this vulnerability, the potential attacker may use the bug in the authentication mechanism and generate a free license for ESET NOD32 with a 1 year license, which normally costs $ 29.
As far as we know, ESET does not run its own Bug Bounty, but as a thank you, Mohamed has offered one license for the ESET Smart Security program, which seems like a ridiculous reward for the "weight" of the discovery. Anyway, Daniel Chromek - Cheff Information Security Officer said that the prize is simply "pathetic". It even came to the fact that the manufacturer confirmed that the eu-eset.com website is dependent on them, however, it can be managed and maintained by a third party or an authorized distributor in the Middle East region.
Learn more about our offer
We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.