SQL Injection: Mossack Fonseca's latest Security Flaw

The IT security problems of Panamanian law firm Mossack Fonseca (MossFon), which gained notoriety for their loss of the so-called »Panama Papers«, do not seem to stop. An »underground researcher« who goes by the Twitter handle @1x0123 has found an SQL-injection vulnerability in MossFon's electronic online payment system.

According to a screenshot of an email that the researcher sent to the firm to report the vulnerability, the researcher obtained, among other things, the login credentials of staff members, the credentials for the email server, and the configuration file of the »Orion House« payment system.
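The article does not say what the injectable query looked like, so the following is an added illustration, not code from MossFon or Orion House: a login check that splices user input into the SQL string, beside the same check with bound parameters. The table, user names and plaintext passwords are constructed for the demo (a real system would store password hashes), and the textbook tautology payload is used only to show that the bound-parameter version never interprets it as SQL.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table; schema and rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "staff"), ("bob", "battery-staple", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so input becomes SQL syntax.

    A password such as  ' OR '1'='1  turns the WHERE clause into
    (username = 'x' AND password = '') OR '1'='1', which is always true.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Passes the same input as bound parameters; the driver never parses it as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both variants on one input and return (vulnerable_result, safe_result)."""
    conn = build_db()
    try:
        return login_vulnerable(conn, username, password), login_parameterized(
            conn, username, password
        )
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials:", compare("alice", "correct-horse"))
    print("tautology payload:", compare("nobody", "' OR '1'='1"))
```

With valid credentials both variants return the same user. With the tautology payload the string-built query returns the first row of the table even though no password matched, while the parameterized query returns nothing, which is the whole mitigation: keep data and query structure separate at the driver level rather than trying to sanitize input by hand.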

@1x0123 says he/she is part of a private market for vulnerabilities: grey-hat hackers who break into systems uninvited but afterwards inform the affected parties of the breach.

focusing on private information security to point out vulnerabilities to improve safety & security products, we are starting a new exploit-market. collected high profile sites databases & private exploits + vulnerabilities in different systems

Login screen of Mossack Fonseca's online payment system »Orion House«

It should also be noted that email traffic to the address of »Orion House Services (HK) Limited« in Hong Kong, from which customers are supposed to receive their login credentials, is not encrypted in transit, just as was the case with MossFon itself.

Missing encryption at Orion House (screenshot/tlscheck.com).


NB: This is the translation of an article originally written in German and published on 12 April 2016.