A Grey Hat Hacker with online handle "Human Mind cracker" has discovered SQL Injection vulnerability in some Tunisian Bank websites. Central Bank of Tunisia(bct.gov.tn) and Bank of Tunisia and the UAE (bte.com.tn) are vulnerable to SQLi .
In an email sent to EHN , hacker provided us the vulnerable link and the Proof-of-Concept(POC). As he recommend us not to publish the vulnerable , we are not providing the link here.
According to hacker, he reported the vulnerability to them but they didn't fix the vulnerability so he hacked into the database.
He has published some database information compromised from the server that includes database name and few username.
Also, he has discovered Cross site scripting (XSS) vulnerability in Central Bank of Tunisia,atb.com.tn and Banque de Tunisie(bt.com.tn).
SQL Injection is one of the most critical vulnerability, as attacker can extract the entire database by exploiting it. Banks should really buff up their security measures ,as cyber criminals mainly target Financial institution.