TimesofMoney is India’s leading digital payment service provider, and serves a varied client database. Spanning Indian and international clients, our offering includes specialized NRI services, India Money Transfers, Global Money Transfers, ePayments and Co-branded cards. Conceptualized and built to serve diverse communities, TimesofMoney’s services offer convenience, connectivity and flexibility across a global platform. The conglomerate continually strives to deliver the best to its clients, ensuring flexible service and meeting global standards.
General Information
* Website: www.timesofmoney.com
* Vulnerability Type: Hidden SQL Injection Vulnerability
* Database Type: Oracle Database 11g Enterprise Edition
* Alert Level: Critical
* Threats: Complete Database Access, Database Dump
Worst Case Scenarious
Any malicious smart black hats can create much more devastating attacks using this critical flaw such as:
* Complete access to database which may later on can be misused to access various client’s confidential information;
* Complet Database Dump; and
* Much more . . .
Lastly, no doubt that this critical flaw can affect the TimesofMoney’s customer relations! At least to fix this issue, TimesofMoney needs to take immediate steps to prevent further possible coming attacks.
Disclaimer
No data has been dumped; we randomly tried the security of timeofmoney’s website and within no time this flaw has been discovered. Database has been accessed just to take screenshots so that we can make company believe that the vulnerability actually exist.
Later on, we sent two reminder email’s to the company concerned highlighting the said issue and asked them to fix the same but we have not received any response from their end except for an auto generated reply. It seems they didn’t bother to fix this critical vulnerability. So atlast, we are disclosing this vulnerability publically.
source
General Information
* Website: www.timesofmoney.com
* Vulnerability Type: Hidden SQL Injection Vulnerability
* Database Type: Oracle Database 11g Enterprise Edition
* Alert Level: Critical
* Threats: Complete Database Access, Database Dump
Worst Case Scenarious
Any malicious smart black hats can create much more devastating attacks using this critical flaw such as:
* Complete access to database which may later on can be misused to access various client’s confidential information;
* Complet Database Dump; and
* Much more . . .
Lastly, no doubt that this critical flaw can affect the TimesofMoney’s customer relations! At least to fix this issue, TimesofMoney needs to take immediate steps to prevent further possible coming attacks.
Disclaimer
No data has been dumped; we randomly tried the security of timeofmoney’s website and within no time this flaw has been discovered. Database has been accessed just to take screenshots so that we can make company believe that the vulnerability actually exist.
Later on, we sent two reminder email’s to the company concerned highlighting the said issue and asked them to fix the same but we have not received any response from their end except for an auto generated reply. It seems they didn’t bother to fix this critical vulnerability. So atlast, we are disclosing this vulnerability publically.
VULNERABILITY STATUS: UNFIXED
We discoverd alike vulnerability in HDFC Bank’s Website as well and issued them a similar advisory. But even after couple of weeks of sending our advisory to the bank, the said vulnerability is still open for outside attacks. If the said vulneraiblity doesn’t get fixed by the bank as an ealiest then our next post may disclose that concerned vulnerability publically.
We hope that both the companies (timesofmoney and HDFC Bank) will take immediate actions to fix the reported vulnerabilities.
Proof of Vulnerability:We hope that both the companies (timesofmoney and HDFC Bank) will take immediate actions to fix the reported vulnerabilities.
source
