Panama Papers: Hacker claims SQL injection vulnerability found in Mossack Fonseca server
A hacker, who runs the Twitter handle 1x0123, has claimed to have discovered an SQL injection vulnerability in one of the servers of Panamanian law firm Mossack Fonseca. The firm is currently facing an investigation following the leakage of more than 11 million secret documents called the Panama Papers.
The hacker found the SQL bug recently on the custom online payment system of Mossack Fonseca called Orion House and put some of the configuration data from the server inside a Paste.ee file. He tweeted saying, "They updated the new payment CMS, but forgot to lock the directory /onion/ here is a config file found inside the directory /onion/orion-config.php."
1x0123 even posted a screenshot of the email he sent to Mossack Fonseca informing them about the flaw. The firm is currently quite busy handling the massive leak, even as prosecutors of a newly organised crime unit raided its headquarters.
#MossackFonseca privatehttps://t.co/aWiTdjfE88 pic.twitter.com/jCfd38UuPd
— 1x0123 (@1x0123) April 9, 2016
SQL is a kind of security flaw that allows attackers execute malicious SQL code to control a web application's database server. This vulnerability could affect any website or web application that uses an SQL-based database. It is considered to be one of the oldest and most dangerous web application vulnerabilities.
As his Twitter timeline suggests, 1x0123 hacks servers illegally but notifies the companies about the vulnerabilities that exist in their systems. He is a grey hat hacker, who has reported bugs to the New York Times, Nasa, Telegram and SourceForge.
His tweets reveal he has tried selling access to the LA Times dashboard after he found a vulnerability in the Advanced XML Reader WordPress plugin. Besides, his tweets also reveal that he reportedly had access to thousands of accounts and plaintexted passwords from adult site Naughty America.
#naughtyamerica.com db for sell (150k accounts)
plaintexted passwords 1 BTC
1CjWV1muWBA7sCy793rG6q4iWtihv2awZL pic.twitter.com/JnETMuVZOz— 1x0123 (@1x0123) April 7, 2016
.@naughtyamerica ping me i got security news for you pic.twitter.com/ubKwiUPNsh
— 1x0123 (@1x0123) April 7, 2016
The same hacker informed Edward Snowden about blind XSS (cross-site scripting) in the Piwik service used on the Freedom of the Press Foundation website, which is a "non-profit organisation dedicated to helping support and defend public-interest journalism focused on exposing mismanagement, corruption, and law-breaking in government." Snowden later on thanked the hacker for reporting the Piwik vulnerability.
.@Snowden i guess you are busy so u can't reply me. your piwik version is vulnerable to #xss + blind #sqli pic.twitter.com/6FLwhHFIqg
— 1x0123 (@1x0123) April 5, 2016
Thanks to @1x0123 for reporting a piwik vulnerability to @FreedomofPress! Great work. Got a bug report? Please contact @ageis with details.
— Edward Snowden (@Snowden) April 10, 2016
Mossack Fonseca director Ramon Fonseca has denied any wrongdoing. He said the firm had suffered a hack on its database and described the leak as "an international campaign against privacy", according to Reuters. All of those implicated in the ICIJ Panama Papers report have been afforded the opportunity to respond: Visit the ICIJ website to read the responses.
© Copyright IBTimes 2024. All rights reserved.
-
Football Clubs With The Most Arrests And Bans in 2022-23
-
Oil Prices Slip As Investors Eye Israel's Response To Iran Strike
-
Billionaire Declared Missing And Dead In 2018 Is 'Possibly Living In Moscow With Mistress'
-
Wendy's Sued For $20M After 11-Year-Old Gets Brain and Kidney Damage From 'Dirty Meal'
