4XP is an online forex broker that specializes in providing an all-inclusive trading package backed by a caring and devoted support team. 4XP was founded by a group of retail-ended entrepreneurs and capital market dealers sharing a vision for creating a customer-oriented brokerage service that would provide a compelling trading solution. 4XP strives toward creating the most professional and transparent trading environment possible.
A critical Blind SQL Injection vulnerability has been discovered in the 4XP web portal. A malicious attacker could use this flaw to mount far more damaging attacks, such as uninterrupted access to the database, a full database dump, or uploading a shell, which may result in defacement of the website and more. This critical flaw may well affect 4XP's customer relations. At the very least, 4XP's security team needs to take immediate steps to prevent any attack that may follow. Vulnerable URL:
Proof Of Concept
The 4XP web portal has a critical SQL Injection vulnerability, which was discovered around May 2012 and, as of the date of publishing this blog post, is still active. One of our team members discovered this critical flaw and immediately informed the company by sending an e-mail to the ID published on their website [i.e. firstname.lastname@example.org]. Thereafter, we waited for almost a week but unfortunately didn't hear any response from their end. So the same mail was forwarded again to alert them about this issue, and this process was repeated 4 times, but we didn't hear any response from them, nor was any action undertaken by the company to fix this vulnerability.
Before publishing this blog post we even tried contacting their live support twice, but every time we were kept on hold and left waiting beyond a reasonable time. Even after waiting beyond a reasonable time we were not attended to by any live support staff, and with this our last option to make the company aware of this vulnerability also vanished. So we decided to make this small advisory publicly available.
At last, this made us think about how careless a regulated forex broker can be when it stores hundreds of thousands of its customers' personal records in its database but doesn't even bother to protect them, including customers' personal details, financial transactions, credit card details, etc. Their website quotes "Our 24 hour customer support and dealing team are here to provide you with VIP service par excellence", but we were not even attended to by their live support staff after waiting beyond a reasonable time (which in our case was around 20 minutes) during our two attempts; what, then, can a normal user expect from them?
- 02-Jun-2012: The company was informed about the vulnerability along with a proof of concept.
- 10-Jul-2012: Public disclosure since no response was received from the company.
- 12-Jul-2012: We were informed that, following our blog post, the company's security team had started actively working to resolve vulnerabilities as soon as they became aware of them.
- 30-Sep-2012: The company informed us that the vulnerability had been fixed.
No data has been dumped. The database was accessed only to take screenshots so that we could make the company believe that the aforesaid flaw actually exists. The reason being, most companies tend to treat advisories/disclosures like this as junk and don't believe the researchers, which may later cause them to suffer.
We respect the confidentiality of the company and their users, so we restricted the contents of our screenshots to some general database contents only, and any personal information (if used) has been kept hidden. We hope that after this public disclosure, the company will take immediate steps to fix this critical vulnerability.
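As an added illustration (not code from this post or from 4XP's portal), the pattern behind this class of flaw and the fix the post asks for: a lookup built by string formatting lets request input reach the SQL grammar, while a placeholder-bound query keeps it as data. The `blind_probe_differs` check is the regression test a defender runs against their own application to confirm the fix; the table, names and values are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a portal's user store (not 4XP's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def user_exists_vulnerable(db, username):
    # String formatting splices caller-controlled text into the statement itself,
    # so quotes and operators in the input change the query's logic.
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchone()[0] > 0


def user_exists_fixed(db, username):
    # Parameter binding sends the input as a value; the driver never parses it as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()[0] > 0


def blind_probe_differs(lookup, db):
    """Boolean-based blind check used as a regression test for the fix.

    Both inputs name a user that does not exist. If the application answers
    the two differently, the input is being evaluated as SQL (vulnerable);
    if it answers both the same way, the input stayed data (fixed).
    """
    answer_a = lookup(db, "nobody' OR '1'='1")
    answer_b = lookup(db, "nobody' AND '1'='2")
    return answer_a != answer_b


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup leaks a boolean:", blind_probe_differs(user_exists_vulnerable, conn))
    print("fixed lookup leaks a boolean:", blind_probe_differs(user_exists_fixed, conn))
```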