A software development house got more than it bargained for after an alert email from the HaveIBeenPwned (HIBP) data breach monitoring site wiped all its helpdesk support tickets.
Recreational vehicle app developer QB8 LLC had signed up for the free HIBP messages to check for compromised accounts on its fyre.io domain.
When a message from HIBP arrived to QB8's helpdesk address after a recent data breach, it was automatically turned into a ticket in the company's tech support system, the open source
Gestionnaire Libre de Parc Informatique (GLPI) version 9.4.5.
The QB8 techs read the HIBP report, checked the data and alerted users to the breaches.
After that, the ticket was assigned to one particular technician, and marked as solved.
By assigning the ticket to a particular team member, the GLPI system parsed the ";--" characters in the header of the HIBP email, and interpreted it as a Structured Query Language database command that deleted data in the helpdesk system.
"I and the other techs quickly noticed that every single ticket description had been deleted and replaced with partial header data from the HIBP email," one QB8 staffer wrote.
The SQL injection (SQLi) vulnerability is fixed in GLPI version 9.4.6 as it had been discovered prior to the HIBP email incident.
As the bug is very simple to exploit for malicious purposes, with the SQLi code being hideable in HTML marked up emails, QB8 warned that it could have serious consequences and urged GLPI users to upgrade to the latest version of the helpdesk system, or look for alternative software.