
Being responsible - Helping local businesses stay secure

Covid-19 has been referred to as the 'economic tsunami' hitting businesses and causing a global recession. The global economy is shrinking. We are already experiencing a significant contraction in economic activity that will likely last through the first half of the year. When economic times are tough, the first step businesses usually take is to reconsider their budgets, and that often means cutting the cybersecurity budget in an attempt to reduce costs and minimize business losses. Cybersecurity is usually seen as an afterthought or a luxury, something with no direct benefit to the business's profits.

As a cyber consulting company, we are seeing, on social media channels and in the news, an increasing number of malicious cyber attacks. Unfortunately, many threat actors have started to abuse the panic and discomfort of the pandemic to launch specially crafted malware and phishing campaigns worldwide. We have already volunteered our time and expertise to the NHS and the public sector, should they need us at any time.

Our team is staying vigilant and helping local businesses stay secure online. One classic case happened to our co-founder, Arjun Pednekar, while he was booking an online parent-teacher meeting through a portal link emailed to him by his son's school.

"I happened to book my appointment online through this portal, using my details, including my date of birth, and my son's details as well. I couldn't stop myself from noticing how the application was designed. A quick look into the underlying proxy revealed that they could be vulnerable to direct object reference," Arjun said. Following this, and being the responsible parent that he is, he changed a single digit of the record identifier in his browser's request, and the portal returned the personal details of other users.
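The pattern Arjun describes is an insecure direct object reference: the booking lookup trusts the numeric id in the request and never checks that the record belongs to the logged-in parent. The following is an added example, not code from the school's portal or from its developers; the record layout, user names and booking ids are constructed for illustration. It shows the vulnerable lookup beside a hardened one, and a small probe that walks the ids adjacent to one's own booking, which is exactly the "single-digit tweak" that leaked other users' details.

```python
"""IDOR: a booking lookup keyed only by a guessable id, beside the hardened
version that also checks ownership. Added example with constructed data."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Booking:
    booking_id: int
    owner: str        # username of the parent who created the booking
    parent_dob: str   # personal data that must not leak to other parents
    child_name: str


# Constructed sample records standing in for the portal's database.
BOOKINGS = {
    1041: Booking(1041, "arjun", "1980-01-01", "child A"),
    1042: Booking(1042, "other_parent", "1979-05-05", "child B"),
    1043: Booking(1043, "third_parent", "1985-09-09", "child C"),
}


def get_booking_vulnerable(session_user: str, booking_id: int) -> Optional[Booking]:
    """Vulnerable: the caller is authenticated (session_user is known) but the
    lookup is keyed on the id alone, so any logged-in user who edits the id in
    the request receives someone else's record."""
    return BOOKINGS.get(booking_id)


def get_booking_hardened(session_user: str, booking_id: int) -> Optional[Booking]:
    """Hardened: the record is fetched and then compared against the caller.
    A record owned by someone else is answered exactly like a missing one, so
    the response does not even confirm that the id exists (no enumeration)."""
    record = BOOKINGS.get(booking_id)
    if record is None or record.owner != session_user:
        return None
    return record


def enumerate_neighbours(
    handler: Callable[[str, int], Optional[Booking]],
    session_user: str,
    own_id: int,
    width: int = 2,
) -> List[int]:
    """Simulate the probe: request the ids on either side of one's own booking
    and return the ids of any records the handler hands back."""
    leaked = []
    for candidate in range(own_id - width, own_id + width + 1):
        if candidate == own_id:
            continue
        if handler(session_user, candidate) is not None:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    # Logged in as "arjun", whose own booking is 1041.
    print("vulnerable leaks:", enumerate_neighbours(get_booking_vulnerable, "arjun", 1041))
    print("hardened leaks:  ", enumerate_neighbours(get_booking_hardened, "arjun", 1041))
```

The hardened lookup is deliberately the same shape as the vulnerable one: the fix is one ownership comparison in the data-access layer, which is where it belongs so that every endpoint that reads bookings inherits it. In a real API the same check should also gate the write, update and delete paths, since an attacker who can read another user's booking can usually also change it.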

Arjun says, "I had to stop using this portal, knowing they were vulnerable to something which should have been picked up if they had conducted regular penetration testing using certified consultants." He immediately notified the software developers, who are based in the UK. Their customer care team was emailed details of the vulnerability, along with other potential disclosures in the underlying API that could allow an attacker to gain full control of other registered users' accounts or to launch password guessing against high-privilege user accounts.

Within 24 hours the developers reached out to us, confirming that they had:

  1. Conducted an assessment of the application last year, but this issue seems to have gone undetected
  2. Started work on a fix to minimize the disclosure
  3. Most importantly, ensured that no unauthorized access to other users' personal details was possible

A trivial vulnerability like this could have been exploited by a threat actor for malicious gain. "Knowing I did my bit to help a business stay secure gives me a decent sleep at night," says Arjun.

We are here to help, with our experience of testing a wide range of applications over several years. A web application relies on several technologies, each of which needs to be tested as part of any methodology. This includes:

  1. The web application itself, tested against the OWASP Top 10
  2. The supporting API, tested against the OWASP API Security Project
  3. The security of the supporting web server, which is often neglected
  4. Finally, the business logic: where several users are involved, how they are interlinked and which modules each of them can reach

During these tough times, we need to help each other. We are doing our bit, are you?

A follow-up email from the developers, confirming that the fix is in place after our conversation with them:
