Hello Markets CRM data still publicly available to all as security breach continues after company stated it had been resolved
Last week, FinanceFeeds reported that Hello Markets CRM data is fully available, including the intellectual property of all affiliates, to the public by simply following a few steps involving copying and pasting a URL. We approached Hello Markets, who stated that they had resolved it, however, the problem still prevails.
At the end of last week, FinanceFeeds reported that, following a series of tests conducted by FinanceFeeds in conjunction with several affiliates and white label partners of platform provider Hello Markets, the company’s CRM data had been publicly available and displayed the entire databases of affiliates by just copy pasting a URL.
As a result, we discovered that all affiliates could access the data of brokerages which are white label brands of this particular platform provider / market maker without any restriction whatsoever.
Hence, brands which use this platform risk having their own intellectual property displayed publicly, which in turn means that other brands could simply copy and paste it into their own databases.
FinanceFeeds has studied this in detail, and has performed several tests with regard to this, as well as drawing on the experience of several affiliates.
Both FinanceFeeds and the affiliates that we approached were able to replicate this several times, in a very simple copy/paste action relating to some of the source code from the Hello Markets platform which can be simply exported and pasted to a different part of the portal, exposing every CRM record in the system.
Upon testing this to a significant enough degree to realize that it is indeed an issue, FinanceFeeds raised the matter with Hello Group, the parent company of the Hello Markets platform.
At the time, we approached the company’s Senior Marketing Manager Khaled Slim, who is also head of Hello Markets’ Cyprus office, and during that particular interaction with the company, FinanceFeeds provided a full set of data and stages by which Hello Markets itself was able to replicate this.
Mr. Slim explained to FinanceFeeds that this would be investigated immediately, and shortly afterwards explained “We are very grateful for this having been pointed out, and have now taken it to our developers who have rectified it without delay.”
“Hello Group is absolutely committed to ensuring complete data security, hence this matter has now been completely resolved and we assure all affiliates and customers that there is no longer any ability to access such data” he concluded.
At that time, in the interests of attempting to assist Hello Markets in resolving the matter and mitigating any consequences to its clients, FinanceFeeds agreed with Mr. Slim not to publish the procedure that we discovered which reveals the data of all affiliates, in the agreement that the entire matter had been resolved.
However, this week, FinanceFeeds, again with the assistance of affiliates using the Hello Markets platform, have been consistently able to replicate this security error over and over, which confirms that it has not been resolved at all, and that the security breach still exists.
This is a grave situation in that it could be simply lack of due diligence on the part of developers and testers, which of course does happen in any software development environment from time to time, or it could be, or lack of will to resolve the matter.
In the interests of investigative journalistic ethics, FinanceFeeds took this matter up once again with Hello Markets, providing 24 hours for a corporate statement on the matter, and demonstrating that this matter has not been rectified, despite the company’s statement to FinanceFeeds last week having been adamant that it was resolved.
No reply was forthcoming from Hello Markets to our request from the company as to why this matter was not resolved.
