Oracle's software was hacked by interns in an hour, researcher says


Business Insider

Oracle executive chairman Larry Ellison

Oracle, like all the rest of the big software makers, regularly patches many security holes found in its software.


Just this month, Oracle issued 154 new security patches for its software. 12 of those patches were for Oracle's E-Business Suite, its main financials app (the app that competes with rival SAP's main enterprise resource planning product).

Six of those 12 holes were found in about an hour by interns working at security researcher ERPScan Research, founder Alexander Polyakov tells Business Insider.

Some of the holes the interns found were very dangerous and could allow a clever attacker to gain control of the apps, Polyakov says.

ERPScan Research set the interns on Oracle's software after Oracle Chief Security Officer Mary Ann Davidson got herself into hot water last August.


Davidson went on a rant in a now-deleted blog post about how she doesn't want Oracle's customers or outside security researchers to look for and report security bugs in Oracle's software products. She told the world that Oracle was more than capable of finding all the holes itself.

Oracle took down the blog post and spokespeople quickly distanced Oracle from Davidson's comments, saying they "didn't reflect" the company.

So maybe it's not a big surprise that security is a big focus for the company right now.

On Tuesday afternoon, Oracle's executive chairman and CTO Larry Ellison will be giving details on his company's brand new plans to make Oracle's software more secure. He hinted that the new security tech could be built into Oracle's hardware, possibly inside the computer chip itself, and will be turned on by default, with no way to turn it off, saying:

It's just a huge problem that most of the security features we give you, we give them to you and we tell you how to use them and we tell them how to turn them on and we train you. Wouldn't it be nicer if it was always on and always works and you didn't have to do anything?
