Amana Capital Group is a Financial Services Group specialized in providing brokerage services in international financial markets namely currencies, commodities, and stock indices. Stemming from the Arabic word for integrity, Amana is the defining name the Group adopted to reflect the spirit of its business practices and dealings. The Group operates several entities regulated and authorized by reputable regulatory bodies.
The vision of the group is to be a trusted leader in delivering innovative financial services in anticipation of the needs of the investors.
Summary
A critical Blind SQL Injection vulnerability has been discovered in Amana Capital web portal. Using this vulnerability an attacker can easily access or even download their entire database. On discovery, company was immediately notified about the vulnerability along with proof of concept. This was subsequently followed by a reminder but company failed to take any action as on date of making this blog post. Vulnerable URL:
Proof Of Concept
POC Video
As reported earlier, company fixed SQL Injection Vulnerability by deleting the application file but it fails to fix an issue affecting Administrator Panel. Even after our reminder few days ago, there wasn’t any response from the company so we decided to create a quick video showing how any of their client’s personal or financial data can be accessed.
Disclosure Timeline
- 20-Mar-2015: Initial report to company via email along with proof of concept.
- 23-Mar-2015: Company responded by saying that they will treat it as critical issue.
- 16-Apr-2015: Sent an email to the company asking about the current status.
- 18-Apr-2015: Received response from the company stating they are still working on it.
- 26-May-2015: Once again sent an email to the company asking about the current status.
- 25-Jun-2015: Public disclosure. No further response received from the company.
- 01-Feb-2016: The vulnerable application file has been deleted.
- 27-Apr-2016: The current status has been kept as Unfixed until the company resolves issue affecting their admin panel.
- 07-Nov-2016: Company informed us that issue has now been fixed.
Vulnerability Status – Fixed
Disclaimer
No data has been dumped. Database was accessed including few account logins (which we already notified to the company & even apologized about the same) only to take screen-shots so that we can make company believe that aforesaid flaw actually exist. The reason being, most of the companies use to treat the like advisories/disclosure as junk and don’t believe the researcher’s which may later cause them suffer.
We respect the confidentiality of the company & their customers & therefore we restricted the contents of our screen-shots to disclose general database information & table counts only.
