SQL injection bug found in PanamaPapers Law Firm Mossack Fonseca

A hacker going by the name 1x0123 has revealed that he found a flaw in the Panamanian tax company Mossack Fonseca, the firm at the centre of last week's #PanamaPapers leak.

The hacker, who found the SQL bug on Saturday, may have come too late for the Panamanian firm, which is busy handling the aftermath of the offshore companies saga. He said he found the bug in Mossack Fonseca's custom online payment system, called Orion House, and posted some of its configuration data in a Paste.ee file.

The self-styled "underground researcher" said through his 1x0123 Twitter account, "They updated the new payment CMS, but forgot to lock the directory /onion/."

Mossack Fonseca is a Panama-based company which specializes in setting up offshore accounts for the rich and wealthy. The company claims it has never done anything wrong. The leak of its data has created a huge political stink in many countries that might take months or even years to handle. The company's lawyers have reiterated that the leak was due to a hack and not a whistleblower, as previously thought.

1x0123 sent an email to the company notifying them of the issue and took a screenshot to prove it. However, it is too soon to tell whether Mossack Fonseca will reply soon, or at all, since they are still recovering from last week's massive data leak, which sent shocks around the world. Mossack Fonseca was allegedly hacked, and several terabytes of data were revealed in what is said to be the biggest leak since WikiLeaks.

The 1x0123 timeline on Twitter shows that although he hacks companies' servers illegally, he still notifies them of any flaws he finds in their systems, providing details. Hackers of this type are called grey hat hackers. He has also been in contact with Edward Snowden, whom he notified of a blind XSS (cross-site scripting) flaw on the Freedom of the Press Foundation website. This is a project the US whistleblower is personally working on, and Snowden thanked 1x0123 via Twitter on Sunday.

He has also acted as a grey hat hacker for The New York Times, NASA, Telegram, and SourceForge. His tweets also suggest that he might be the same person who tried to sell access to the LA Times after exploiting a vulnerability in the Advanced XML Reader WordPress plugin.

His account also indicates that he might have access to personal information of people who are signed up to an adult site, Naughty America.

Ali Raza

Ali is a freelance journalist with 5 years of experience in web journalism and marketing. He contributes to various online publications. Holding a master's degree, he now combines his passions for writing about internet security and technology. When he is not working, he loves traveling and playing games.