The website of Norwich International airport is still down today after a hacker managed to take it offline over the weekend in just a few minutes, in a bid to expose common web security failings.
The hacker, who told the BBC he worked in the tech sector, explained in a YouTube video that he came across the site vulnerability whilst using sqlmap—an SQL injection and database takeover tool.
“In a world where computers rule nearly every aspect of our lives, privacy and security are now more important than ever before and failure to take basic steps is inexcusable even for the most basic websites,” he wrote.
“With online guides and wiki pages detailing step by step, free and secure patch fixes to most hacks and an entire worldwide compendium of knowledge on every single aspect of the computer sciences this is not acceptable.”
In fact, the hacker claims that he was forced to act after a friend in the “Muslim Electronic Army” confided that he was “planning on having fun” with the vulnerability around Christmas time, which could have caused “alarm or disruption” during the festive period.
“Do you want to fly from an airport that may not have control of their own computers?” he added.
Although the hack only yielded access to the site admin systems and data associated with the website, the airport’s operations director, Richard Pace acknowledged that removing it had inconvenienced passengers.
He told the BBC that a replacement would be operational “within weeks.”
WhiteHat Security founder, Jeremiah Grossman, claimed the hack highlighted the “security Achilles Heel” that many websites represent.
"Not every hacked website can be used to establish a foothold on the network to pivot to something that’s truly vital, and not every web hacked website falls under breach reporting regulations. Here’s the thing though, the public doesn’t know that—and they have no way of knowing that—which is crucial to appreciate,” he added.
“Imagine if the ‘official' airport website is hacked and easily defaced with something designed specifically to cause public concern, or worse—panic. Or what if the site started delivering malware to visitors? Just because the site doesn’t store confidential information, it doesn’t mean its security can be ignored.”