* Could leave companies open to sabotage, espionage, fraud
* Vulnerability lets hackers make stealth attacks
* SAP says only vulnerable if customers ignore advice
* Research to be presented at Black Hat Europe conference
BOSTON, April 7 (Reuters) - Companies using SAP AG’s (SAPG.DE) business management software could be vulnerable to stealth attacks by hackers if their systems are not properly configured, according to a computer security expert.
The vulnerability could leave SAP’s customers open to sabotage, espionage and fraud through so-called backdoor attacks, said Mariano Nuñez Di Croce, director of research and development with computer security firm Onapsis.
The problem is significant because many of the world’s largest corporations use SAP’s software to handle accounting, manufacturing and other crucial tasks.
“In a typical default installation, anybody can connect to an SAP database, modify standard programs and do whatever they want without detection,” said Nuñez Di Croce, who will discuss the vulnerability next week at the Black Hat Europe computer security conference in Barcelona.
SAP, the world’s biggest maker of business management software, said that customers were only at risk of attack if they did not follow the company’s advice on how to protect their computer systems.
“We believe that if customers follow our guidelines for security, the risk of illegitimate access through a backdoor can be excluded,” said SAP spokesman Saswato Das.
The software maker builds several layers of security into its programs. But Nuñez Di Croce said that hackers can bypass those safeguards by manipulating those programs through an attached database whose security settings are not properly set.
Once hackers gain access to an SAP system, they could install malicious programs to manipulate critical business processes or steal sensitive information, Nuñez Di Croce said.
Nuñez Di Croce, whose company will release a free software tool to help companies protect against the threat, said he was not sure how frequently hackers had taken advantage of the vulnerability. (Reporting by Jim Finkle; Editing by Richard Chang)