Vulnerabilities in SmartVista payment platform discovered

12.10.2017

BPCgroup-vulnerabilities

 

SQL injection vulnerabilities have been detected by Rapid7`s cybersecurity specialists in the SmartVista e-payments suite sold by Swiss-based BPC Banking Technologies. The flaws put sensitive information at risk of hacking.

The SmartVista platform is used by large organizations around the world for online banking, e-commerce, ATM and payment card management, and fraud prevention. The main components of SmartVista are Front-End and Back-Office systems.

Rapid7 has found that SmartVista Front-End, specifically version 2.2.10 revision 287921, is affected by two SQL injection flaws.

A hacker who has access to the SmartVista Front-End interface can exploit the vulnerabilities to obtain data stored in the backend database.

The “Transactions” page in the “Customer Service” section of SmartVista Front-End allows users to see the transactions details of a specified card or bank account. The fields where the card and account number are entered fail to sanitize user-supplied input.

This allows hackers to use specially crafted queries to get the application to display data from the backend database, including usernames, passwords, card numbers, and other transaction details.

Rapid7 specialists reported the vulnerabilities to BPC Banking Technologies on May 10, but the company has not yet released patches.

CERT/CC and SwissCERT also tried to contact the company, but without any success.

Would you like to comment on this article?

Share

Latest news

20.10.2017

University expelled student for using hardware keylogger

Kansas University has expelled a student for installing a hardware keylogger.

20.10.2017

Fancy Bear hacker group exploits recently patched Flash vulnerability

Russia-linked cyber espionage group has been using a recently patched Adobe Flash Player vulnerability in attacks aimed at government organizations and aerospace companies.

20.10.2017

Sockbot enslave Android devices into botnet

A newly discovered Android malware that can add the compromised devices to a botnet that could launch DDoS attacks.

Sign up for our online newsletter!