eToro is a financial trading company based in Cyprus. It provides personal online financial services in forex, commodities and stock indices through its own electronic trading platform. eToro is primarily a platform and software provider; it is not itself a financial broker. Rather, it connects its customers with third-party brokerage services provided by various brokers.
eToro was founded in 2007 in Limassol, Cyprus by brothers Jonathan and Ronen Assia together with David Ring. eToro launched its platform in a visual trading mode which presented online currency trading (forex) as a series of games. Initially eToro's financial trading platform was a download-only product, incorporating graphic trading visualizations which conceptualized the trading process as a race between currencies, a visual tug of war, among others. Later the company expanded its product offering by launching a professional trader's application, "Expert Mode", and a web-based trading platform, "WebTrader".
During our random visit to the eToro portal, we mistakenly discovered a flaw which allows access to one of their databases; the complete database can even be dumped / downloaded. Vulnerable URL:
Proof Of Concept
- 15-Feb-2012: Company notified about this security issue.
- 11-Mar-2012: Reminder sent to the company.
- 23-Mar-2012: No response received from the company. Public disclosure.
- 05-Jun-2012: Company representative contacted us with reference to the public disclosure.
- 06-Jun-2012: Company notified us that the issue has been fixed.
As per the company's official representative, the said database was previously connected to their old blog portal and was not used to store user credentials. User credentials are stored in a different database hosted on a different server.
During our random visit to the site, we mistakenly discovered a flaw in eToro's web portal which allows access to one of their databases; the complete database can even be dumped / downloaded. The screenshots shown above are taken from the contents stored inside the database, just to make the company believe that the vulnerability actually exists. We further confirm that the said database has not been downloaded by any of our staff members.
A notification mail about the vulnerability was sent to the company immediately on discovery, but no action was taken. Later on, a reminder email was sent to the company, including a few of their staff as well, but still no action was taken, or it seems they were not bothered to fix the issue. So at last we decided to post this small piece of information publicly.