Vulnerabilities in SmartVista payment platform discovered

12.10.2017


SQL injection vulnerabilities have been detected by Rapid7's cybersecurity specialists in the SmartVista e-payments suite sold by Swiss-based BPC Banking Technologies. The flaws put sensitive information at risk of theft.

The SmartVista platform is used by large organizations around the world for online banking, e-commerce, ATM and payment card management, and fraud prevention. The main components of SmartVista are Front-End and Back-Office systems.

Rapid7 has found that SmartVista Front-End, specifically version 2.2.10 revision 287921, is affected by two SQL injection flaws.

A hacker who has access to the SmartVista Front-End interface can exploit the vulnerabilities to obtain data stored in the backend database.

The “Transactions” page in the “Customer Service” section of SmartVista Front-End allows users to see the transaction details of a specified card or bank account. The fields where the card and account number are entered fail to sanitize user-supplied input.

This allows hackers to use specially crafted queries to get the application to display data from the backend database, including usernames, passwords, card numbers, and other transaction details.
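As an added illustration of the flaw described above (example code, not from the article, Rapid7 or BPC), the following Python models a transaction lookup by card number: a version that splices the entered value straight into the SQL text, beside a hardened version that validates the input against an allow-list and binds it as a query parameter. The table layout and sample rows are constructed assumptions, not SmartVista's schema.

```python
import re
import sqlite3

# Constructed sample data standing in for the backend database
# (assumed schema; not SmartVista's real table layout).
SAMPLE_TRANSACTIONS = [
    ("4111111111111111", "2017-05-01", 120.50, "POS purchase"),
    ("4111111111111111", "2017-05-03", 40.00, "ATM withdrawal"),
    ("5500000000000004", "2017-05-02", 999.99, "e-commerce"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (card TEXT, ts TEXT, amount REAL, descr TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_TRANSACTIONS)
    return conn


def lookup_vulnerable(conn, card):
    """The pattern behind the reported flaw: user input concatenated into SQL.

    Whatever the user types becomes part of the query text, so the input can
    change the WHERE clause and make the query return rows it should not.
    """
    sql = "SELECT card, ts, amount, descr FROM transactions WHERE card = '" + card + "'"
    return conn.execute(sql).fetchall()


# Allow-list: a primary account number is 13 to 19 digits and nothing else.
CARD_RE = re.compile(r"[0-9]{13,19}")


def is_valid_card(card):
    """Return True only if the value consists solely of 13-19 digits."""
    return CARD_RE.fullmatch(card) is not None


def lookup_hardened(conn, card):
    """Validate the input, then pass it as a bound parameter.

    The driver sends the value separately from the SQL text, so even a
    value that slipped past validation could not alter the query structure.
    """
    if not is_valid_card(card):
        raise ValueError("card number must be 13-19 digits")
    sql = "SELECT card, ts, amount, descr FROM transactions WHERE card = ?"
    return conn.execute(sql, (card,)).fetchall()
```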

Rapid7 specialists reported the vulnerabilities to BPC Banking Technologies on May 10, but the company has not yet released patches.

CERT/CC and SwissCERT also tried to contact the company, but without any success.
