Exclusive: Numerous Brokers Experience Serious Delays Due to MT4 Server Vulnerability
An attack on PrimeXM’s MT4 Server by an individual client caused more than 20 of the firm's brokerages a substantial
According to information obtained exclusively by Forex Magnates, an attack by a single user of one of the brokers connected to PrimeXM last Wednesday (15th of October) resulted in the company’s MT4 server suffering severely, with customers of more than 20 brokerages connected to the server experiencing delays between 10 and 15 seconds.
The event could be revealing a potentially disruptive structural weakness in the MT4 trading platform which resulted in several brokerages delivering very poor service to their customers last Wednesday. Coincidentally (or not) the disruption happened during the four most actively traded hours on the foreign exchange market in October and possibly throughout the year so far.
Join the iFX EXPO Asia and discover your gateway to the Asian Markets
With one single client exploiting this vulnerability singlehandedly, all of PrimeXM’s customers were affected materially with some reporting longer delays, frozen quotes and all of this when the EUR/USD staged its biggest single day rally in more than a year. Once the issue was identified, PrimeXM disabled the account from where the attack was coming from and proper client service was restored to the brokerages and their clients.
Forex Magnates reached out to PrimeXM and MetaQuotes to get more information officially. As of the time of publication MetaQuotes has yet to reply.
Suggested articles
Kohle Capital Strengthening Retail OfferingGo to article >>
Update:
Official information provided by PrimeXM reveals that the attack caused execution delays for clients between 5 to 30 seconds; frozen quotes inside the MT4 terminal and MT4 manager from 5 to 30 seconds; inability of the MT4 service to synchronize data via the Watchdog service; memory fluctuations of the MT4 service in the range of 300MB / second.
According to PrimeXM, steps taken to identify the issue ranged from removing all third party plugins, an in depth investigation of the network infrastructure, failing over the MT4 service to different hardware as well as different physical locations. The latter could not be done following standard procedure due to the attack’s disruptive impact on the ability of the MT4 server to synchronize data via the Watchdog service.
The above steps failed to restore normal service until further investigations revealed frequent reconnect attempts of this specific MT4 terminal. Once this account was disabled all symptoms disappeared and proper service was restored.
PrimeXM has shared with MetaQuotes and Forex Magnates specific details on how the attack was carried out, however, as it currently seems that such an attack could be initiated by any client terminal to any MT4 broker, Forex Magnates has been asked not to publish this information.
It seems incredible there would be no sanity checks preventing trader to book million pending orders… It is hard to believe that is the real issue.
There’s a max order setting on the MT4 Group Level that prevents these types of attacks… smh…
Alpari had the same issue back in 2011. And I know at least 4 other brokers that also forgot to set max order and were successfully targeted by spammers. But that was 2-3 years ago
Come on PrimeXM… such a silly mistake.
This is not vulnerability of MT4, but incompetence of the company who manages these mt4s. This is a simple MT4 setting as other people here outlined
The issue is in essence a technicality. There will be no fines launched and IronFX is now in fully compliance with the proper channels. It is my understanding that once the unsafe or unauthorized activity has ceased then steps towards full authorization will be granted.
The issue is in essence a technicality. There will be no fines launched and IronFX is now in fully compliance with the proper channels. It is my understanding that once the unsafe or unauthorized activity has ceased then steps towards full authorization will be granted.
Victor, that is true, but it does not change the fact that the service outage could have been prevented if the server was being managed well. I’ve dealt with these attacks myself on a regular basis in the past. First, it would be helpful to know exactly what the max order setting was on the Group that this account was in. I’m guessing it was a lot higher than what it should have been and the total number of open orders on the server was a contributing factor to the massive amounts of lag that traders experienced. But let’s just… Read more »
Hi all, in order to stop all the speculations please find the full story below: 1) On the 15th one of our MT4 WL servers in the UK was getting into severe issues due to one MT4 terminal. After we identified the issue, we sent the below email to the affected broker clients. We also contacted MetaQuotes and informed them about this vulnerability ——————————— Dear clients, after several hours of trouble shooting, removing plugins, failing over serves and switching hardware we were finally able to identify the source of all the issues we have been experiencing today. -> One MT4… Read more »
Hi Clive, Very interesting. Thanks for sharing these additional details. “”1) The client started to place and delete massive amounts of limit orders over the last days reaching a total of 1712218 closed orders this afternoon.”” > “last days” means more than 24 hours.. Over exactly what time period did those orders get placed/closed? “”Building up to such an amount of closed orders over the given timeframe did not impact the servers performance in a noticeable way nor did it trigger any permission limitations like for example the maximum number of open orders.”” > Thanks for clarifying this point. “”2)… Read more »
It would really be nice if Forex Magnates could get an official word from MetaQuotes (maybe even before publishing an article claiming that MT4 has a critical vulnerability).
Hi David, > “last days” means more than 24 hours.. Over exactly what time period did those orders get placed/closed? The account started to place and delete trades since last Friday. > My main questions are exactly how many orders need to be spammed and approximately how long does it take to hit the point where the MT4 Terminal starts to time out upon logon? We don’t know what the limit is, I guess it depends highly on how fast the MT4 server can deliver the history to the MT4 terminal which will not only depend on the hardware the… Read more »
Do people understand now why brokers like MB Trading has a system of measuring order fills vs total order requests? And charging a fee for overuse? You dont want people abusing the system.
But it is good that this was detected now. Although brokers should have their own private detection rules in place; mt4 alone should not be fully trusted to catch everything. Although it will be interesting to hear MQ’s response.
MB Trading is totally capable of producing a delayed datafeed on there on – without any outside attackers. They would always lag behind during high vol periods. Granted, it was years ago i had an account with them.
Hi Clive,
Thanks for these clarifications despite the sensitiveness associated to that…
“We have many hyper active accounts on our server, most of them modifying limit/stop or sl/tp orders simulating trailing stops. Such clients accounts will naturally show similar or even more activity than this account did.“
But I understand here that the user was piling up opened orders instead of modifying existing one, or closing and rebooking. I would be surprised there are many users piling up millions of opened orders in the MT4 segment, no? Your view would be interesting.
Nicolas
Hi Nicolas, >But I understand here that the user was piling up opened orders instead of modifying existing one, or closing and rebooking. I would be surprised there are many users piling up millions of opened orders in the MT4 segment, no? The user was piling up closed orders, not opened ones. We configure restrictions on open orders for all groups, as its a known that too many open orders can affect the servers performance. We noticed that this account was hyperactive and also informed the broker to tell this client to tune things down. However as we have a… Read more »
Hi Clive,
No blaming games or will to start useless polemics from me. Was just interested to understand what was going.
So thanks again for these precisions.
Best regards,
Nicolas