
SQL injection vuln found at Panama Papers firm Mossack Fonseca

Grey hat hacker continues probing scandal-hit lawyers

By John Leyden, 11 Apr 2016

Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca.

A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers.

“They updated the new payment CMS, but forgot to lock the directory /onion/,” he said via the “1x0123” Twitter profile.

Mossack Fonseca specialises in helping its clients to set up firms in tax havens such as the British Virgin Islands. The leak of its client information as part of the Panama Papers has created a huge political stink.

The lawyers informed clients in early April that the leak to journalists has been traced back to a hack on its email server, rather than a whistleblower. Its apparent failure to adequately lock down its systems is surprising in the circumstances.

“It looks like MF [Mossack Fonseca] had really very low security level, [such] that hackers continue to hack them for fun,” a security intelligence source who notified us of the claimed vulnerability told El Reg.

In between flagging up security issues with Mossack Fonseca, the same hacker has been busy over the last week attacking major media outlets, such as the LA Times and New York Times, and offering to sell access to insecure systems at NASA, among other hi-jinks.

The same hacker (1x0123) contacted Edward Snowden, notifying him of some bugs on one of his projects. Snowden acknowledged the bug report on the Freedom of the Press Foundation website on Sunday. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing