At a time when the world relies heavily on online payment services, it is essential that these apps remain free of flaws that could put the security of the service at risk. Recently, a researcher found a critical vulnerability in the payment service QIWI that could lead to remote code execution.
QIWI Vulnerability
A bug bounty hunter discovered a critical SQL injection vulnerability in the online payment service QIWI. As he observed, the vulnerability, upon exploitation, could allow an attacker to execute code on the target servers.
Briefly, he found three SQL injections targeting different underlying queries, all in the same place. Describing the vulnerability in his bug report, the researcher, Pieter, stated:
The API interface on https://contactws.contact-sys.com:3456/ accepts a <REQUEST/> body to interact with the server’s AppServ object. Because of insufficient input validation, an attacker can abuse the SCEN_ID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL statement. This leads to a blind SQL injection vulnerability, which in turn leads to Remote Code Execution on the server.
Hence, exploiting the bug could let an attacker compromise the availability, integrity, and confidentiality of user data on the servers. This also posed a threat to the sensitive financial information of customers held in the company's databases.
In his bug report, he explained in detail how the issue could be reproduced.
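To make the root cause concrete, the following is an added illustration, not code from the report or from QIWI, of how a request value spliced into a WHERE clause changes the query's structure, beside a parameterized version that cannot. The table, its rows, and the assumption that SCEN_ID is a numeric identifier are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for whatever lookup sits behind the
# SCEN_ID parameter; the real schema is not part of the published report.
SAMPLE_ROWS = [(1, "topup"), (2, "transfer"), (3, "withdraw")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scenario (scen_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO scenario VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, scen_id):
    # Untrusted input is concatenated straight into the WHERE clause, so the
    # client controls part of the SQL grammar, not just a value. A condition
    # that is always true or always false alters the row count, which is the
    # signal a blind injection relies on.
    sql = "SELECT name FROM scenario WHERE scen_id = " + scen_id
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, scen_id):
    # Layer 1: enforce the assumed contract that SCEN_ID is a positive integer
    # before it reaches the database at all.
    if not scen_id.isdigit():
        raise ValueError("SCEN_ID must be a positive integer")
    # Layer 2: bind the value as a parameter. The statement text is fixed and
    # the engine receives the value separately, so it can never be parsed as SQL.
    sql = "SELECT name FROM scenario WHERE scen_id = ?"
    return [row[0] for row in conn.execute(sql, (int(scen_id),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))           # ['transfer']
    print(lookup_vulnerable(db, "2 OR 1=1"))    # every row: the clause was rewritten
    print(lookup_fixed(db, "2"))                # ['transfer']
    try:
        lookup_fixed(db, "2 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The vulnerable function leaks all rows for a tautology, while the fixed one rejects the same input before the query runs; even without the validation step, the bound parameter would be compared as a literal and simply match nothing.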
QIWI Patched The Flaw
Upon finding the vulnerability, the researcher reported the flaw to QIWI via their bug bounty program on HackerOne.
From the timeline, it appears he discovered and reported the flaw in March 2020. Since then, the two parties remained in continuous communication to address the issue.
QIWI eventually deployed a security update addressing all three issues. For these findings, they also rewarded the researcher with a $7500 bounty.
QIWI is an online payment wallet service based in Nicosia, Cyprus. Besides Russia, the system also works in Ukraine, Moldova, Romania, Belarus, Kazakhstan, as well as in other regions like the UAE and the USA.