Etoro
Last updated
During the security assessment, I discovered a critical vulnerability involving the exposure of sensitive financial documents and PII related to eToro’s operations. The investigation revealed that certain documents—including bank transaction invoices, SWIFT MT-103 copies, and other payment confirmations containing account numbers, client details, and transaction information—were previously exposed through publicly accessible URLs and archived in the Wayback Machine.

The risk extends beyond the immediate exposure of data. Should this information be publicly disclosed, eToro’s reputation could suffer irreparable damage. Negative media coverage from reputable outlets like Bloomberg, CNBC, and Forbes could label the incident as a “catastrophic security failure,” potentially triggering a mass exodus of clients to more secure platforms. This cascading effect would severely undermine public trust and could precipitate regulatory scrutiny and legal repercussions.
Additional tip: RetailFX Limited is (or was) a corporate entity linked to eToro. Historically, eToro either started as RetailFX before adopting the “eToro” brand globally, or used RetailFX Limited as its legal name/corporate name for certain operations.
(I say this from the transactions I found).
Key findings include:
Exposure of Sensitive Information: The leaked documents contain sensitive financial data and PII such as account numbers, transaction amounts, SWIFT/BIC codes, and customer names and addresses.
Inadequate Access Controls: Although current direct access via the S3 URLs returns a 403 Forbidden error, the historical exposure indicates that these documents were once publicly accessible without proper authentication, suggesting potential misconfigurations in the access control mechanisms.
Severe Impact: This vulnerability poses a significant risk to eToro’s reputation, as the exposure of such sensitive financial and personal data could lead to fraud, regulatory scrutiny, and a massive loss of customer trust. It represents a clear violation of data protection principles and could potentially result in legal repercussions.
Copy the original URL and paste it into your browser. Notice that the link automatically redirects to an S3 URL and returns a 403 Forbidden error.
Open the Wayback Machine and paste the same URL. Observe that the archived version returns a 200 OK response, indicating that the document was publicly accessible at some point in the past.
This demonstrates that confidential documents containing sensitive financial information were exposed, even if only historically, which poses a serious security risk.
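The two-step check above (live URL now denied, archived copy still served) can be turned into a repeatable audit that a site owner runs over their own document paths to find snapshots that need a takedown request. This is an added example, not code from the report; it uses the public Wayback Machine availability API (archive.org/wayback/available), the sample API response is constructed, and the fetchers are injectable so the logic runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

WAYBACK_API = "https://archive.org/wayback/available?url="

# Constructed sample of an availability API response (field names per archive.org docs).
SAMPLE_WAYBACK_JSON = json.dumps({
    "url": "http://example.com/partners/attachments/invoice.pdf",
    "archived_snapshots": {"closest": {
        "status": "200", "available": True, "timestamp": "20100101000000",
        "url": "http://web.archive.org/web/20100101000000/"
               "http://example.com/partners/attachments/invoice.pdf"}}})


def parse_availability(body):
    """Return (snapshot_url, snapshot_status) or (None, None) when nothing is archived."""
    snap = json.loads(body).get("archived_snapshots", {}).get("closest")
    if not snap or not snap.get("available"):
        return None, None
    return snap["url"], int(snap.get("status", 0))


def classify(live, archived):
    """Label a URL from its live HTTP status and its archived snapshot status."""
    if archived is None:
        return "not-archived"
    if archived == 200 and live == 200:
        return "currently-exposed"
    if archived == 200:  # live copy gated (403/404/...) but the archive still serves it
        return "historically-exposed"
    return "archived-%d" % archived


def live_status(url, timeout=10):
    """HEAD the live URL (redirects, e.g. to S3, are followed) and return its status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def wayback_status(url, timeout=10):
    """Ask the availability API for the closest snapshot of url (network call)."""
    api_url = WAYBACK_API + urllib.parse.quote(url, safe="")
    with urllib.request.urlopen(api_url, timeout=timeout) as resp:
        return parse_availability(resp.read().decode())


def audit(url, get_live=live_status, get_wayback=wayback_status):
    """Return (label, snapshot_url); pass fake fetchers to run without network."""
    snap_url, archived = get_wayback(url)
    return classify(get_live(url), archived), snap_url
```

A "historically-exposed" result is the case the report describes: fixing the bucket policy stops new reads, but the archived copy stays public until its removal is requested from the Internet Archive.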
The public exposure of this critical financial information has the potential to trigger a chain reaction of negative consequences for eToro. The mere fact that such sensitive documents can be easily retrieved via the Wayback Machine reflects a failure in safeguarding customer data. In today’s fast-paced digital environment, any indication that a financial platform cannot secure its core assets may lead to:
Immediate Negative Media Coverage: Reputable media outlets could highlight this incident as a severe security lapse, branding it as a “catastrophic security failure.”
Erosion of Public Trust: Legitimate eToro clients—such as Lubona Enterprises Ltd, THE CYPRUS POPULAR BANK LTD, Expo Stars International Ltd, Marfin Laiki Bank, and Challenge.fr—might lose confidence in eToro’s ability to protect sensitive information. The moment these customers become aware that their financial data is exposed publicly, they could cancel their operations with eToro, leading to a mass exodus to competing platforms.
Long-term Reputational Damage: Once public trust is compromised, restoring eToro’s brand image becomes significantly more challenging. The fallout could include regulatory investigations, legal actions, and a substantial impact on the company’s market value.
Given these factors, the exposure of such sensitive data is not merely a technical oversight—it represents a profound risk to eToro’s reputation and long-term business viability.
403 Forbidden S3 AWS
Thank you for taking the time to review my report. I remain fully available to provide any additional information or clarification you may require. I appreciate the opportunity to contribute to enhancing the security of your platform.
Best regards,
Juan Felipe Osorio Z - Security Researcher
Image F4123416: imagen.png 101.58 KiB
Image F4123407: imagen1.jpg 671.15 KiB
Image F4123408: imagen2.jpg 767.94 KiB
Image F4123409: imagen3.jpg 662.71 KiB
Image F4123411: imagen4.jpg 606.30 KiB
Image F4123412: imagen5.jpg 761.75 KiB
Image F4123413: imagen6.jpg 782.40 KiB
Image F4123414: imagen7.jpg 560.01 KiB
Image F4123426: imagen.png 155.15 KiB
Code 1.29 KiB
http://www.etoro.com/partners/attachments/INVOICE_eToro_MVD_April.pdf
http://www.etoro.com/partners/attachments/FOREXSTREET-3470USD.pdf
http://www.etoro.com/partners/attachments/expo%20star%20inv..pdf
http://www.etoro.com/partners/attachments/beatrice%20hassa-2337%20usd.pdf
http://www.etoro.com/partners/attachments/shopminder-289%20usd-statement.pdf
http://www.etoro.com/partners/attachments/speedplot-577%20usd.pdf
http://www.etoro.com/partners/attachments/CHALLENGES.FR.pdf
http://www.etoro.com/partners/attachments/CMVOCENTO%207000%20EUR%20approval.pdf
http://www.etoro.com/partners/attachments/fxcash%20etoro%2010%202009.pdf
http://www.etoro.com/partners/attachments/Netaffiliation-500%20eur.pdf
http://www.etoro.com/partners/attachments/Netgrp%20swift%2029.06.09.pdf
http://www.etoro.com/partners/attachments/TVA%2015000%20swift.pdf
http://www.etoro.com/partners/attachments/MA%2016339%2C%20%201000EUR%20SWIFT.txt
http://www.etoro.com/partners/attachments/Netgrp%20swift%2029.06.09.pdf
http://www.etoro.com/partners/attachments/payment%20aug%204500%2C%20%2013746.txt
http://www.etoro.com/partners/attachments/vertical%20traffic-6978%20usd-statement.pdf
http://www.etoro.com/partners/attachments/1_ma%2016995%2016939%2C%2032585%20usd.txt
http://www.etoro.com/partners/attachments/martin%20schranz-5378%20usd.pdf