Quantcast
Tuesday , September 26 2017
Breaking News
Home / Science & Technology / Technology / Researchers found SQL injection flaw in SAP medical app, allow other apps to get access to EMR Unwired database
Researchers found SQL injection flaw in SAP medical app, allow other apps to get access to EMR Unwired database

Researchers found SQL injection flaw in SAP medical app, allow other apps to get access to EMR Unwired database

MELBOURNE: A new flaw has been registered in SAP medical app, which affected Electronic Medical Records Unwired.

The issues were found in SAP’s Electronic Medical Records (EMR) Unwired, which stores clinical data about patients including lab results and images, said Alexander Polyakov, CTO of ERPScan, a company based in Palo Alto, California, that specializes in enterprise application security.

Researchers with ERPScan found a local SQL injection flaw that could allow other applications on a mobile device to get access to an EMR Unwired database. That’s not supposed to happen, as mobile applications are usually sandboxed to prevent other applications from accessing their data.

“For example, you can upload malware to the phone, and this malware will be able to get access to this embedded database of this health care application,” Polyakov said in a phone interview.

They also found another issue in EMR Unwired where an attacker could tamper with a configuration file and then change medical records stored on the server, according to an ERPScan advisory.

“You can send fake information about the medical records, so you can imagine what can be done after that,” Polyakov said. “You can say, ‘This patient is not ill’.”

On the other hand, SAP corporate statement said:

“SAP addressed the two vulnerabilities identified in SAP’s Electronic Medical Records (EMR) Unwired database in 2013. SAP continues to be committed to ensuring all of its product offerings are safe and reliable.”