"If Oracle has a decent security development lifecycle in place anyone would have found these flaws and stopped them in tracks," Litchfield said. "Anyone with a modicum of SQL would have found these bugs."
"Another way to gain access to the data is with an iterative inference attack. It is possible to access data in a SELECT's WHERE clause. This gives an attacker the opportunity to essentially guess or brute-force the data in a redacted column using a WHERE data LIKE predicate. Consider the following PL/SQL procedure. This simply tests the value of a given character at a given offset into the string. When it gets the first character correct it moves on to the next character and so on until all 16 characters of the credit card have been ascertained," he said in the paper.
"There are issues that are trivial to find. They're still not learning the lessons that people were learning in 2003," he said. "It's 2014 and yet I'm still able to sit down and in the space of a few minutes find a bunch of things that I can send to Oracle as exploitable."
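For defenders, the iterative inference attack quoted above leaves a recognizable trace in SQL audit data: one account issuing LIKE predicates against a redacted column whose prefix grows one character at a time. The following sketch is an added example, not code from Litchfield's paper or from Oracle; the audit record shape `(user, sql)`, the table and column names, and the depth threshold are all assumptions.

```python
import re
from collections import defaultdict

# Matches  column LIKE 'prefix%'  where the prefix holds no other wildcard.
LIKE_PREFIX = re.compile(r"\b(\w+)\s+LIKE\s+'([^'%_]+)%'", re.IGNORECASE)

# Constructed audit records (user, SQL text); all names are hypothetical.
SAMPLE_LOG = [
    ("report", "SELECT id FROM customers WHERE card_no LIKE '5500%'"),
    ("report", "SELECT id FROM customers WHERE name LIKE 'A%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '3%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '4%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '40%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '41%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '410%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '411%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '4110%'"),
    ("probe", "SELECT id FROM customers WHERE id = 7 AND card_no LIKE '4111%'"),
]

def chain_depth(prefixes):
    """Length of the longest prefix whose every shorter leading slice was also probed."""
    return max((len(p) for p in prefixes
                if all(p[:k] in prefixes for k in range(1, len(p)))), default=0)

def find_inference_sessions(statements, redacted_columns, min_depth=4):
    """Return {(user, column): depth} for users whose LIKE prefixes on a
    redacted column grow character by character to at least min_depth."""
    cols = {c.lower() for c in redacted_columns}
    probed = defaultdict(set)
    for user, sql in statements:
        for col, prefix in LIKE_PREFIX.findall(sql):
            if col.lower() in cols:
                probed[(user, col.lower())].add(prefix)
    return {key: depth for key, prefixes in probed.items()
            if (depth := chain_depth(prefixes)) >= min_depth}

if __name__ == "__main__":
    for (user, col), depth in find_inference_sessions(SAMPLE_LOG, {"card_no"}).items():
        print(f"{user}: {depth} leading characters of {col} probed step by step")
```

A single prefix lookup, like the `report` account's, has no chain beneath it and is not flagged; the reported depth is an upper bound on how many characters the account may have inferred.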