Home Hacking News Critical Vulnerability Found In Russian Payment Service QIWI
Hacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

Critical Vulnerability Found In Russian Payment Service QIWI

by Abeerah Hashim
written by Abeerah Hashim
QIWI vulnerability

Amidst the ongoing times when the world is relying heavily on online payment service, it’s a requisite to ensure that these apps remain free from any flaws that could potentially risk the security of the service. Recently, a researcher caught a critical vulnerability in the payment service QIWI that could lead to remote code execution.

QIWI Vulnerability

A bug bounty hunter discovered a critical SQL vulnerability in the online payment service QIWI. As he observed, the vulnerability, upon exploitation, could allow an attacker to execute codes on the target servers.

Briefly, he found three SQL injections targeting different underlying queries, yet all in the same place. Describing the vulnerability details in a bug report, the researcher Pieter stated,

The API interface on https://contactws.contact-sys.com:3456/ accepts a <REQUEST/> body to interact with the server’s AppServ object. Because of insufficient input validation, an attacker can abuse the SCEN_ID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL statement. This leads to a blind SQL injection vulnerability, which in turn leads to Remote Code Execution on the server.

Hence, exploiting the bug could let an attacker compromise the availability, integrity, and confidentiality of the users’ data on the servers. This scenario also posed a threat to the sensitive financial information of the customers present within the company’s databases.

In his bug report, he has explained in detail how he could reproduce the exploit.

QIWI Patched The Flaw

Upon finding the vulnerability, the researcher reported the flaw to QIWI via their bug bounty program on HackerOne.

From the timeline, it seems he discovered and reported the flaw back in March 2020. Since then, the two parties remained in continuous communication to address the issue.

QIWI then finally deployed a security update addressing all three issues. Moreover, for these findings, they also rewarded the researcher with $7500 as a bounty.

QIWI is an online payment wallet service based in Nicosia, Cyprus. Besides Russia, the system also works in Ukraine, Moldova, Romania, Belarus, Kazakhstan, as well as in other regions like the UAE and the USA.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses