Hacking Stories: How a Multi-Million Dollar Company Got Hacked Out Of Carelessness
So, this is a story from my personal experience.
The CEO of this company, let’s call him Mr. X, is a very intelligent person with outstanding management skills but zero technical knowledge.
It was 02:00 pm in the afternoon when I got a call from Mr. X. We talked for a while on Whatsapp after work. We had a really healthy conversation where I was explaining to him how cybersecurity plays a major role in his company. Thus, he challenged me to find vulnerabilities in his company’s website within 2 hours. I accepted the challenge and started working to find some bugs. After pentesting his company’s website, I was totally shocked to see that a multi-million dollar company could have such an insecure website.
I found a total of 6 security vulnerabilities. Two of them were critical level vulnerabilities and the rest were medium and low level. Immediately, I called Mr. X and explained about all the vulnerabilities and their consequences. However, the response I got from his side was not something I was expecting. He didn’t seem interested in knowing about those vulnerabilities and ignored my advice.
Let’s discuss those bugs briefly.
Bug 1: Directory Exposure
This vulnerability occurs when the website owner or developer forgets to make sensitive directories private (for example, leaves directory listing enabled on the web server), which can leak important information to unwanted users.
Bug 2: Missing SPF records
If the company’s domain does not publish an SPF record, receiving mail servers have no way to check which servers are authorised to send mail for it, so anyone can set up a fake support e-mail account and send phishing emails or other malicious messages under your company’s name. This could damage your company’s reputation or even result in legal action against your company.
Bug 3: Stored XSS
This was the biggest and the most critical one that I found. This vulnerability let me redirect all the visitors of the website to any other website I wanted, or force the visitor to download anything malicious, putting valuable data at risk.
This happens when the developer of the website does not properly sanitize the input field, i.e. does not allow only the necessary characters and reject all others, and does not encode user-supplied content when rendering it back into the page.
Bug 4 and 5: Chain Stored XSS
I was able to chain Stored XSS vulnerability with some others to make a higher impact! I chained HTML injection and Open redirection vulnerabilities with Stored XSS.
Bug 6: SQL injection
There was a login page where I tried SQL injection and was successfully able to fetch the users list along with their passwords. This was the second critical vulnerability after Stored XSS, and it needed to be patched immediately.
SQLi is dangerous enough that an attacker can deface or even delete your website outright once the administrator’s credentials have been extracted through it.
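To show why the login page was exploitable and what the fix looks like, here is an added example (not code from the company’s site): a constructed in-memory user table, a login check that builds the SQL string from the username, and a hardened check that binds the input as a parameter and compares a stored hash instead of a plaintext password. The table, user and password are assumptions for the demo.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    # Demo only: a real system should use a slow password hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the site's real user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct horse")))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is pasted straight into the SQL text, so anything the user types
    # becomes part of the query's structure, not just its data.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, pw_hash(password))
    )
    return db.execute(query).fetchone() is not None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver sends the username as a bound value, so the
    # SQL structure is fixed no matter what characters the user supplies.
    row = db.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored hash against the supplied password's hash.
    return hmac.compare_digest(row[0], pw_hash(password))


if __name__ == "__main__":
    conn = make_db()
    # A username that closes the quote and comments out the password check.
    crafted = "admin' --"
    print("vulnerable, wrong password:", login_vulnerable(conn, crafted, "wrong"))  # True
    print("hardened,   wrong password:", login_hardened(conn, crafted, "wrong"))    # False
```

Storing only hashes also means that even a successful dump of the `users` table, as happened on the page above, does not hand over usable passwords.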
Now, coming back to the story, I was continuously trying to explain to the CEO the severity of these vulnerabilities, but as I said, he did not really care about it. I asked him to connect me to the developers’ team or security team so that I could make them aware of this blunder, but again there was no reaction.
In the end, the CEO wasn’t willing to spend a single penny on cyber security, as he told me that he had already spent thousands of dollars on website development! He told me that until now the company hadn’t faced any problems from these vulnerabilities. So, he wasn’t planning on fixing them.
I still remember his words, “I am a non-technical CEO but understand the business well, and that’s why I have made a company worth more than a million dollars today. My business was mostly based on ground sales, that’s why I don’t have a need to update my website.”
A few weeks ago, I got the news that the same company had been a victim of a cyber-attack and faced a great loss of 80K USD. They are still struggling to recover from this attack. I just wish they had listened to my words and taken proper steps beforehand.
Tip for you: Never underestimate cyber security. It is better to be safe than sorry! Pentest your applications before it is too late.
Written by Rhythm Jain | Ethical Hacker
Image source: freepik