Hotforex is an award-winning, fully regulated and licensed online forex and commodities broker. It offers various accounts, trading software and trading tools for trading forex and commodities to individuals, fund managers and institutional customers. Retail, IB and White Label clients have the opportunity to access inter-bank spreads and liquidity via state-of-the-art automated trading platforms.
Hotforex has positioned itself as the forex broker of choice for traders worldwide through its policy of providing the best possible trading conditions to its clients and allowing both scalpers and traders using expert advisors unrestricted access to its liquidity.
A critical Blind SQL Injection vulnerability has been discovered in the Hotforex web portal. Using this vulnerability, an attacker can easily access or even download their entire database. On discovery, the company was immediately notified about the vulnerability along with a proof of concept. This was subsequently followed by a reminder, but the company has failed to take any action as of this date. Vulnerable URL:
Proof Of Concept
- 09-Apr-2014: Initial report to the company via email, along with a proof of concept.
- 14-Apr-2014: No response from the company. Reminder sent asking them to fix the vulnerability.
- 04-May-2014: Public disclosure via blog post, since no action had been taken by the company to fix the vulnerability.
- 06-May-2014: Received a response from the IT Department – “We have already taken measures to ensure that such vulnerabilities do not affect our clients and our systems”. However, the vulnerability was still active and exploitable. The IT Department was informed of this.
- 09-May-2014: Re-testing confirms that the vulnerability has been patched.
No data has been dumped. The database was accessed only to take screenshots so that we could make the company believe that the aforesaid flaw actually exists. The reason is that most companies treat such advisories/disclosures as junk and don't believe the researchers, which may later cause them to suffer.
We respect the confidentiality of the company and their customers, and hence we restricted the contents of our screenshots to disclose general database information and table counts only. After this public disclosure, we expect the company to take immediate steps to fix this critical vulnerability.
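As an added illustration of the flaw class reported above (example code written for this page, not Hotforex's code, and using a constructed in-memory SQLite table rather than the portal's real schema): a lookup handler that concatenates user input into SQL answers differently for an appended TRUE condition than for an appended FALSE one, which is exactly the yes/no signal a blind SQL injection relies on, while the parameterised version treats the same input as a plain string and gives no such signal.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a web portal's account table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100.0), ("bob", 50.0)])
    return conn


def lookup_vulnerable(conn, login):
    # Query built by string concatenation: the caller's input becomes part of the SQL text.
    sql = "SELECT balance FROM accounts WHERE login = '" + login + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_hardened(conn, login):
    # Parameterised query: the value travels separately from the statement, so it can
    # never change the query's structure, whatever characters it contains.
    sql = "SELECT balance FROM accounts WHERE login = ?"
    return conn.execute(sql, (login,)).fetchone() is not None


def has_blind_oracle(lookup, conn):
    # Defensive check: a blind injection needs only a behavioural difference between a
    # condition that is always true and one that is always false. If the handler's
    # found/not-found answer differs between the two probes, it is leaking that oracle.
    always_true = "alice' AND '1'='1"
    always_false = "alice' AND '1'='2"
    return lookup(conn, always_true) != lookup(conn, always_false)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks oracle:", has_blind_oracle(lookup_vulnerable, db))
    print("hardened handler leaks oracle:  ", has_blind_oracle(lookup_hardened, db))
```

The same probe pair, sent with the legitimate value held constant, is a useful regression test to keep in a portal's test suite after a fix like the one the timeline reports.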