Nokia developer forum hacked

Members' email addresses and personal information accessed

The community discussion part of Nokia's developers' forum web site has been hacked, and members' email addresses accessed, according to the mobile phone manufacturer.

The discussion part of the web site has been taken down and replaced by a message from Nokia explaining what happened and apologising to its members.

"During our ongoing investigation of the incident we have discovered that a database table containing developer forum members' email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL injection attack."

The firm added that there are more compromised addresses than it originally realised.

"Initially we thought that only a small number of these forum member records had been accessed, but further investigation has shown that the number is significantly larger."

Besides email addresses, dates of birth and homepage URLs, alternative contact information related to Skype, AIM, MSN and Yahoo has also been accessed.

Since no financial information was stored by the site, Nokia believes that nothing more dangerous than unsolicited emails will result from the hack.

SQL injection, the method of attack used, involves entering SQL code into a webform so that the database behind the web site runs it and returns restricted information. A properly coded webform treats whatever is typed into it as data and will not allow it to execute as code, but the Nokia site, like many others, seems not to have been coded well.
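
The difference between a poorly coded and a properly coded form handler, as an added example that is not taken from the article or from Nokia's forum software. The table, column names, sample rows and form inputs are all constructed, and Python's sqlite3 module stands in for the site's database.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a forum member table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, email TEXT, public INTEGER)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("o'brien", "obrien@example.com", 1),
        ("bob", "bob@example.com", 0),      # hidden profile: must not be returned
        ("carol", "carol@example.com", 0),  # hidden profile: must not be returned
    ])
    return db

def lookup_concatenated(db, username):
    # Poorly coded: the form value is spliced into the SQL text, so a quote
    # character in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username, email FROM members "
           "WHERE public = 1 AND username = '" + username + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Properly coded: the statement text is fixed and the form value is bound
    # as a parameter, so the database only ever compares it as a string.
    sql = "SELECT username, email FROM members WHERE public = 1 AND username = ?"
    return db.execute(sql, (username,)).fetchall()

def run(lookup, db, form_input):
    """Return the rows a lookup yields, or the database error text it raises."""
    try:
        return lookup(db, form_input)
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary name, a legitimate name containing a quote,
    # and a value whose quote closes the literal and appends an always-true condition.
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        for lookup in (lookup_concatenated, lookup_parameterized):
            print(f"{lookup.__name__}({value!r}) -> {run(lookup, db, value)}")
```

For the third input the concatenated version returns every row in the table, hidden profiles included, and it fails with a syntax error on the legitimate name o'brien; the parameterized version returns only what was asked for in all three cases.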

Vincent Delaroche, chairman and chief executive of software analysis and measurement firm Cast, explained that webforms are often poorly coded owing to a lack of management focus.

"Look at large companies in banking, retail or telecoms. Management doesn't ask the coders to code well because on the whole, management doesn't care."

David Norton, research director at analyst firm Gartner, said this is only one side of the story, and that time and training play their part as much as management not being interested in coding.

"The issue with software development is that coders do not have the time, or the skills, to spot vulnerabilities or errors."