A Global Broker Since 2010, Blackwell Global has supported clients in over 30 countries. We are a growing firm with 8 offices situated in Auckland, Beijing, Hong Kong, Lagos, Limassol, London, Melbourne, Shanghai and Singapore, as well as an international network of clients and partners.
Blackwell Global in Cyprus is a CySEC-regulated forex brokerage and located in Limassol, Cyprus. The company has a strong presence across Europe, Middle East and Africa (EMEA), offering services in a multilingual environment.
A critical SQL Injection vulnerability has been discovered in the Blackwell Global web portal. The SQL injection can be used to compromise the backend database, and the attack could be escalated further to uploading a web shell. Once a web shell has been uploaded, any malicious blackhat can use it to leverage other exploitation techniques to escalate privileges and issue commands remotely; this may include the ability to add, delete, and execute files, as well as the ability to run shell commands, further executables, or scripts.

Vulnerable URL:
Proof Of Concept
The vulnerability was discovered on 10 April 2015, and we immediately sent an email to the company along with a POC. Thereafter we sent two reminder emails to the company but did not receive any response from their end, nor were any steps taken to fix this critical issue. After waiting for more than 9 months we finally decided to make this vulnerability public.
- 10-Apr-2015: Vulnerability discovered. Email sent to the company along with POC.
- 25-Jun-2015: Reminder mail sent to the company.
- 23-Sep-2015: Second reminder email sent to the company.
- 01-Feb-2016: Public disclosure, since the company failed to take any action even after repeated reminders.
- 15-Aug-2016: Company informed us that the vulnerability has been fixed.
No data has been dumped. The database was accessed only to take screenshots so that we could make the company believe that the aforesaid flaw actually exists. The reason being, most companies tend to treat advisories/disclosures like this as junk and do not believe the researchers, which may later cause them to suffer.
We respect the confidentiality of the company and their users, so we restricted the contents of our screenshots to some general database contents only, and any personal information (if it appears in the screenshots) has been kept hidden. We hope that after this public disclosure the company will take some immediate steps to fix this issue.
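As an added illustration of the flaw class described above (this is not the advisory's proof of concept and not code from the Blackwell Global portal; the `users` table and its rows are constructed for the demo), the following shows a string-built lookup query next to its parameterised replacement, and why only the first one lets user input change the query's meaning:

```python
import sqlite3

# Constructed sample rows standing in for a portal's user table
# (assumption: the real schema is unknown; this is illustrative only).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String-built query: the input is spliced into the SQL text, so quote
    characters in it are parsed as SQL rather than treated as data."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterised query: the input is bound as a value by the driver and
    can never alter the statement's structure. Pair this with a low-privilege
    DB account (no file-write or admin rights for the web tier) so that a
    remaining injection cannot be escalated to writing files on the host."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return row counts for a normal name and for a tautology input
    against both query styles."""
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # textbook injection string, constructed for the demo
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_injected": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_hardened(conn, normal)),
        "safe_injected": len(lookup_hardened(conn, tautology)),
    }
```

The vulnerable lookup returns every row for the tautology input (the WHERE clause collapses to always-true), while the parameterised lookup returns none because it searches for that literal string as a name.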