TimesofMoney is India’s leading digital payment service provider, and serves a varied client database. Spanning Indian and international clients, our offering includes specialized NRI services, India Money Transfers, Global Money Transfers, ePayments and Co-branded cards. Conceptualized and built to serve diverse communities, TimesofMoney’s services offer convenience, connectivity and flexibility across a global platform. The conglomerate continually strives to deliver the best to its clients, ensuring flexible service and meeting global standards.
A critical blind SQL injection vulnerability has been discovered in the TimesofMoney web portal. Any malicious black hat could use this critical flaw to mount far more devastating attacks, such as gaining complete access to the database, which could later be misused to access clients’ confidential information; taking a complete database dump; and much more. There’s no doubt that this critical flaw can affect TimesofMoney’s customer relations! TimesofMoney needs to take immediate steps to fix this issue and prevent further attacks.
Proof Of Concept
No data has been dumped; we randomly tested the security of TimesofMoney’s website and within no time this flaw was discovered. The database was accessed just to take screenshots so that we could make the company believe that the vulnerability actually exists.
Later on, we sent two reminder emails to the company concerned, highlighting the said issue and asking them to fix it, but we have not received any response from their end except for an auto-generated reply. It seems they didn’t bother to fix this critical vulnerability. So, at last, we are disclosing this vulnerability publicly.
We discovered a similar vulnerability in HDFC Bank’s website as well and issued them a similar advisory. But even a couple of weeks after sending our advisory to the bank, the said vulnerability is still open to outside attacks. If the said vulnerability doesn’t get fixed by the bank at the earliest, our next post may disclose that vulnerability publicly. We hope that both companies (TimesofMoney and HDFC Bank) will take immediate action to fix the reported vulnerabilities.