A hacker going by the handle of His Royal Gingerness (HRG) hacked into the official website of Norwich International Airport last month after sending several warning emails to the airport staff to fix vulnerability on their site.
In a YouTube video uploaded on 8th November 2015 the hacker explained everything about the hack, ie. how he did and why?
It all started when HRG found a simple SQL vulnerability in the Norwich International Airport website (City of Norwich within Norfolk, England). He decided to contact the authorities and inform them about the flaw so they can fix it. Initially, he received some feedback claiming the site had been fixed but when HRG checked, the vulnerability was still there and it took him one to two minutes to hack the site again.
According to HRG, when he breached the site he gained access to the airport’s emergency broadcast system, IP addresses, emails, passwords and personal information of several other users including the site’s developers, various high-level staff within the airport including its security department and it’s media centre.
Screenshot shows how hacker was able to breach the airport site:
This screenshot shows hacker has access to a file that contains emails, names and passwords:
The data from the servers also included passenger information, full names, emails and their plain text passwords which were used by the hacker to log into the airport’s media center page as a demonstration.
The hacker also revealed that his friends at the Muslim Electronic Army (another hacking group) contacted him and informed that they have “a good breach” on the Norwich Airport for trading which they plan to “have fun with around Christmas.”
“I was contacted by a friend of mine in the Muslim Electronic Army and he informed me they had a good breach on Norwich Airport to trade which they were planning on having fun with around Christmas which could cause alarm or disruption to many people’s Christmas, knowing the information was genuine I had to trade three very good system breaches and 100 high spec RATed systems from my botnet to get him to leave this site to me which any geek would realise is a shit trade and a pain in the ass,” according to the HRG’s YouTube video.
However, the airport’s general manager, Richard Pace has a different story to tell, while talking to BBC he stressed that physical security had not been compromised and that the hacker breached into the “standalone website which did not compromise operational systems.”
After the slow reply and lack of interest from the airport authorities His Royal Gingerness (HRG) showed disappointment and said:
“A black hat defaces a website or crashes a server and everyone freaks out and changes are made, us greys or whites try to inform people nicely that there are issues and we get ignored or fobbed off so I’ll let the public deal with this.”
“Do you want to fly from an airport that may not have control of their own computers?” the hacker asked.
It was kind of the HRG hacker to inform the airport authorities about the flaw. If it was a criminally minded hacker things would have gone very differently. But, at the same time the lack of interest shown by the airport authorities in fixing a simple vulnerability on their website explains that awareness about online threats should be the key issue of the discussion.