
Databases that are read-only would be unaffected by this attack.


Read-only in practice, not inherently read-only in the way that e.g. CD-ROM is. Such systems still need to have their otherwise-static dataset updated "online" by an ETL pipeline agent-user. Which often means, in the DBMSes with less fine-grained security models, that such users need to have full DML (and even DDL) capabilities, rather than only insert capability.


This attack was only possible on databases with unsecured or weakly secured read-write access.



