SAP hackers Alexander Polyakov and Alexey Tyurin say Oracle PeopleSoft contains unpatched vulnerabilities and weaknesses that allow attackers to easily obtain admin passwords.
The hackers say the PeopleSoft credential can be yanked from the TokenID contained within password recovery sites and cracked using a cheap graphics processing unit within a day.
That feat is possible because of poor key generation standards, forcing admins to use very long passwords unless they are running the latest PeopleSoft installations, Polyakov says.
Oracle has been contacted for comment.
"There are multiple default credentials in PeopleSoft itself and WebLogic Application server," Polyakov says.