Jul 7, 2011 09:11 GMT

A group of gray hat hackers claim to have identified a critical SQL injection vulnerability in the website of Dukascopy Bank SA, a company that runs a Swiss foreign exchange marketplace.

"Dukascopy offers direct access to the Swiss Foreign Exchange Marketplace (SWFX). This market provides the largest pool of ECN spot forex liquidity available for banks, hedge funds, other institutions and professional traders," the company says on its website.

The hackers, who form an IT security research group named zSecure, warn that the SQLi vulnerability gives attackers complete access to the site's database and allows them to upload shells.

The group published screenshots with the Dukascopy database's contents. One table called admin contains administrative credentials with plaintext passwords.

Storing passwords in plain text is a major security oversight for any modern website, especially one that deals with personal and financial information.

Another table called clients stores client names, email addresses, phone numbers, and company names. Other columns reveal the last login IP address and further details that would be useful in targeted attacks against those individuals.

The ability to upload shells is very dangerous and can be leveraged to inject malicious code into the site's pages. This makes it possible to launch drive-by download attacks against visitors and infect them with malware.

Since the site's visitors are likely to be individuals who work in the financial sector or have access to significant assets, they represent high-value targets for cyber criminals.

The Geneva-based company has yet to confirm the compromise or issue an alert. The website was still online and functioning normally at the time of writing.

The zSecure group claims to follow a code of ethics whose basic rule is never to damage systems or harm users. However, the group openly states that it disregards the fact that security auditing without authorization from website owners is illegal in some countries.