Timesofmoney SQL Injection Vulnerability

TimesofMoney is India’s leading digital payment service provider, and serves a varied client database. Spanning Indian and international clients, our offering includes specialized NRI services, India Money Transfers, Global Money Transfers, ePayments and Co-branded cards. Conceptualized and built to serve diverse communities, TimesofMoney’s services offer convenience, connectivity and flexibility across a global platform. The conglomerate continually strives to deliver the best to its clients, ensuring flexible service and meeting global standards.

General Information

• Website: www.timesofmoney.com
• Vulnerability Type: Hidden SQL Injection Vulnerability
• Database Type: Oracle Database 11g Enterprise Edition
• Alert Level: Critical
• Threats: Complete Database Access, Database Dump

Proof of Vulnerability

Worst Case Scenarious

Any malicious smart black hats can create much more devastating attacks using this critical flaw such as:

• Complete access to database which may later on can be misused to access various client’s confidential information;
• Complet Database Dump; and
• Much more . . .

Lastly, no doubt that this critical flaw can affect the TimesofMoney’s customer relations! At least to fix  this issue, TimesofMoney needs to take immediate steps to prevent further possible coming attacks.

Disclaimer

No data has been dumped; we randomly tried the security of timeofmoney’s website and within no time this flaw has been discovered. Database has been accessed just to take screenshots so that we can make company believe that the vulnerability actually exist.

Later on, we sent two reminder email’s to the company concerned highlighting the said issue and asked them to fix the same but we have not received any response from their end except for an auto generated reply. It seems they didn’t bother to fix this critical vulnerability. So atlast, we are disclosing this vulnerability publically.