You can’t imagine how hard it is for me to take the time to write about these findings. I stumble across so many unique attack vectors every day that I could spend 10–15 hours a week just writing about and documenting them.
I’ll try to post more often because I know it helps our cybersecurity community advance. Anyway…
I was working on an assignment on a target a few days ago when, while doing my recon, I came across a series of unsecured databases and storage spaces. Loads of sensitive user data and transactions were exposed. I needed to make a decision.
I could stop my assignment and try to understand what was behind these leaks and contact the appropriate people behind them to secure them. Or I could just mind my own business and move further with my assignment.
All these unsecured databases belong to companies with no bounty programs, so this would be a pro-bono act. I decided to do the right thing.
I spent the rest of the entire day, about 6–8 hours, trying to understand what was happening with them (more than 10 targets) and then tracking down the right people/emails/social media accounts to raise their awareness of these issues.
Without getting into technical details, I’ll briefly explain one of the targets, the image that you can see at the top of this writing.
Here we are dealing with an unprotected Administration Panel for a mobile application with more than 50,000 downloads, allowing users to perform financial transactions. Quite a serious issue, if you ask me.
There’s a lot of analytics here, data about transactions, user emails/names/contacts, and much more. I wonder what the person building this panel was thinking of when leaving this sensitive asset unprotected.
I didn’t get deeper into uncovering other potential flaws (which I’m sure there were) by looking into the mobile app itself because of time constraints. I left it there, contacted who I thought to be in charge of this and moved on.
The bottom line: you cannot grasp the amount of sensitive information publicly available out there on the internet, waiting to be used for malicious purposes.
If you’re a security researcher, do your job and do the right thing. If you’re in it for the money, you could leverage such skills ethically and responsibly on bounty platforms or on external bounty programs. Do the right thing.