UPDATED 07:00 EDT / AUGUST 11 2014

Oracle’s data redaction security trashed at Defcon 22

Oracle Corporation’s Database 12c has come under attack at the Defcon 22 conference in Las Vegas, where a researcher has demonstrated how easy it is to subvert its much-hyped data redaction feature.

David Litchfield, author of The Oracle Hacker’s Handbook and a security specialist at Datacom TSS, revealed that Database 12c’s data redaction feature is so vulnerable that it can be bypassed even without exploit code, because its own code is so riddled with flaws.

Database 12c’s data redaction feature is designed to mask sensitive information in the database, either by fully obscuring it or by partially masking it. For example, a query might return only the last four digits of a customer’s credit card number.

But all that’s needed to crack it is a little bit of knowledge in SQL, claims Litchfield.

“If Oracle had a decent security development lifecycle in place anyone would have found these flaws and stopped them in their tracks,” he said. “Anyone with a modicum of SQL would have found these bugs.”

Litchfield said that he found several serious flaws in Oracle’s code within just five minutes of investigating the data redaction feature, and has documented these here. On stage, he demonstrated how anyone – either an employee or someone who can gain remote access to inject SQL queries – can give themselves the privileges necessary to get past data redaction and access all of the data it is meant to lock away.
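To make concrete what the feature does and where the privilege boundary lies, here is an added example (not from the article, and not Litchfield’s or Oracle’s own code): it defines a partial-redaction policy of the kind described above and then runs the two checks a DBA would use to see who can read around it. The schema, table and column names (APP, CUSTOMERS, CARD_NUMBER) and the policy name are assumed; the DBMS_REDACT package, the EXEMPT REDACTION POLICY system privilege and the REDACTION_COLUMNS view are real Oracle 12c objects.

```sql
-- Added example: define a partial redaction policy on an assumed APP.CUSTOMERS table.
-- CARD_NUMBER is assumed to hold 16-digit values formatted as 'NNNN-NNNN-NNNN-NNNN'.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'mask_card_number',          -- assumed policy name
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask:
    -- mask digits 1-12 with '*' and leave the last four visible
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    expression          => '1=1');                       -- apply to every session
END;
/

-- Redaction is applied to the result set at query time; the stored value is untouched.
SELECT card_number
  FROM app.customers
 WHERE ROWNUM = 1;

-- Defender check 1: who is exempt from every redaction policy?
-- Any grantee listed here (beyond SYS, which is always exempt) sees unredacted data,
-- so this list is what a privilege-escalation bypass would try to join.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';

-- Defender check 2: which columns are actually covered by a policy?
SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns
 ORDER BY object_owner, object_name, column_name;
```

The two audit queries are the practical takeaway from the talk: redaction is only as strong as the set of accounts that can be granted EXEMPT REDACTION POLICY or can alter the policy, so that set should be reviewed on a schedule and alerted on when it changes.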

During his talk, Litchfield also called out Oracle CEO Larry Ellison’s previous claims that Oracle’s database hasn’t been hacked in two decades. He said that the famous Sony PlayStation Network hack back in 2011 was achieved by hacking Oracle’s database.

Explaining why he likes to target Oracle so much, Litchfield told his audience that his main motivation was that Oracle is painfully slow to patch vulnerabilities once it is made aware of them. Even worse, its fixes are often incomplete, because Oracle’s engineers will usually block the specific exploit code rather than address the fundamental flaw.

Litchfield highlighted Microsoft’s approach to database security as the way forward. He said that the entire Microsoft SQL Server 2005 development team was ordered to review the software’s code following a security directive from Bill Gates, something that led to a huge drop in patches and in flaws found afterwards. Litchfield advised Oracle to follow Microsoft’s approach, and further said that customers should demand it do so.

“If you’re running Oracle database servers and don’t like the way they are treating you on security, then get on the phone to them, because we really need to get this sorted,” he said.

At the time of writing, Oracle has yet to address the bugs described by Litchfield.

photo credit: Mark Turnauckas via photopin cc
