SQL injection vulnerability found in Mossack Fonseca
SQL injection vulnerability found in Mossack Fonseca Getty

A hacker, who runs the Twitter handle 1x0123, has claimed to have discovered an SQL injection vulnerability in one of the servers of Panamanian law firm Mossack Fonseca. The firm is currently facing an investigation following the leakage of more than 11 million secret documents called the Panama Papers.

The hacker found the SQL bug recently on the custom online payment system of Mossack Fonseca called Orion House and put some of the configuration data from the server inside a Paste.ee file. He tweeted saying, "They updated the new payment CMS, but forgot to lock the directory /onion/ here is a config file found inside the directory /onion/orion-config.php."

1x0123 even posted a screenshot of the email he sent to Mossack Fonseca informing them about the flaw. The firm is currently quite busy handling the massive leak, even as prosecutors of a newly organised crime unit raided its headquarters.

SQL is a kind of security flaw that allows attackers execute malicious SQL code to control a web application's database server. This vulnerability could affect any website or web application that uses an SQL-based database. It is considered to be one of the oldest and most dangerous web application vulnerabilities.

As his Twitter timeline suggests, 1x0123 hacks servers illegally but notifies the companies about the vulnerabilities that exist in their systems. He is a grey hat hacker, who has reported bugs to the New York Times, Nasa, Telegram and SourceForge.

His tweets reveal he has tried selling access to the LA Times dashboard after he found a vulnerability in the Advanced XML Reader WordPress plugin. Besides, his tweets also reveal that he reportedly had access to thousands of accounts and plaintexted passwords from adult site Naughty America.

The same hacker informed Edward Snowden about blind XSS (cross-site scripting) in the Piwik service used on the Freedom of the Press Foundation website, which is a "non-profit organisation dedicated to helping support and defend public-interest journalism focused on exposing mismanagement, corruption, and law-breaking in government." Snowden later on thanked the hacker for reporting the Piwik vulnerability.

Thanks to @1x0123 for reporting a piwik vulnerability to @FreedomofPress! Great work. Got a bug report? Please contact @ageis with details.

— Edward Snowden (@Snowden) April 10, 2016

Mossack Fonseca director Ramon Fonseca has denied any wrongdoing. He said the firm had suffered a hack on its database and described the leak as "an international campaign against privacy", according to Reuters. All of those implicated in the ICIJ Panama Papers report have been afforded the opportunity to respond: Visit the ICIJ website to read the responses.