NetoTrade is a global Forex brokerage and investment company that specializes in global financial markets. We offer the most advanced online trading tools and the best customer support for international market trading. At NetoTrade, a client can trade both currencies and CFDs, including stock indices and commodities.
NetoTrade was founded by a team of financial experts with over 50 years of combined experience in the foreign exchange market. Our mission is to provide clients with the best prospects of success by offering comprehensive investment and trading services. The Company facilitates general trading, import, export, purchase, exchange and sales services, as well as the supply of various products, services and other similar products.
A critical Blind SQL Injection vulnerability has been discovered in the NetoTrade web portal. A malicious attacker could use this critical flaw to mount far more devastating attacks, including but not limited to: uninterrupted database access; a full database dump; and the possibility of uploading a shell, which may result in defacement of the website. Vulnerable URL:
Proof Of Concept
We discovered a hidden SQL injection vulnerability in the company’s portal, and immediately after discovery we sent an email [firstname.lastname@example.org], which was followed by two reminders at regular intervals, but as of the day of writing the vulnerability is still active.
Customers share their personal and financial information with the company in good faith, believing that the company will deploy the necessary measures to protect their privacy from third parties. For the company, protecting its customers’ personal and financial information should be the utmost priority, but at present it looks as if the company does not care about its customers. No doubt this critical flaw could affect NetoTrade’s customer relations, and to prevent any possible future attack, the company’s security team needs to take immediate steps to fix this issue.
- 15-Apr-2013: Company notified about this vulnerability.
- 22-Aug-2013: First reminder sent.
- 02-Oct-2013: Second reminder sent.
- 04-Oct-2013: Public disclosure since no action has been taken by the company to fix the vulnerability.
- 24-Oct-2013: Vulnerability fixed by the company.
No data has been dumped. The database was accessed only to take screenshots so that we could convince the company that the aforesaid flaw actually exists. The reason being, most companies tend to treat such advisories/disclosures as junk and do not believe the researchers, which may later cause them to suffer.
Since the company does not care about the confidentiality of its customers, at least we do. We respect the confidentiality of the company and its users, so we restricted the contents of our screenshots to some general database contents only, and any personal information that appeared in the screenshots has been kept hidden. We hope that after this public disclosure the company will take immediate steps to fix this critical vulnerability.