Oracle database flaw deemed serious, could expose data

22.09.2012
Some Oracle databases have what experts say is a serious flaw in the login system that a hacker can use to retrieve and change stored data.

The flaw, in Releases 1 and 2, leaves the token that is provided by the server before authentication is completed open to a brute-force attack, said Esteban Martinez Fayo, the Application Security researcher who discovered the flaw. If successful, an attacker can gain access to the database.

"An authentication bypass is quite serious," Kevin Mitnick, a well-known white-hat hacker and founder of Mitnick Security Consulting, said in an email. "Basically, an attacker can get to the data stored in the database, and even change it."

The vulnerability stems from the way the authentication protocol protects session keys. When a client connects to the database server, a session key is sent with a salt. Because this happens before the authentication process is finished, a hacker working remotely can link the key to a specific password hash.

"Once the attacker has a session key and a salt, the attacker can perform a brute-force attack on the session key by trying millions of passwords per second until the correct one is found," Fayo said.

Because the hack occurs before authentication is done, no login failure is recorded in the server, so a person can gain access without triggering an abnormal event.