
We listen and we don’t judge! How we saved our client from a $20M fine (and ruined their New Year’s Eve)

submitted by
Style Pass
2025-01-07 15:00:04

This is the story of how we ruined New Year’s Eve for one of our clients’ CTO, CISO and entire red team by finding a company-bankrupting bug.

It was a pleasant afternoon. Euge (our CEO) and I were on a relaxed call, knowing there’s not much work over the holidays, when Simon (our VP of Eng) joined. He said, “Hey, I found something pretty weird,” and proceeded to show us how he could log in to any account on the application.

At first, we thought it was a harmless, non-production glitch, until we noticed the email domains. Our jaws dropped. We went on LinkedIn and there it was: a person with the exact same name, working at that company. We tried again and hit another user. Same story.

Imagine if a bad actor got their hands on this. Customer data, credit cards, addresses, even job details could be weaponized for phishing attacks or worse. We needed to contact the client immediately.

We messaged their CTO: “Hey, I think we found a vulnerability.” I’m not sure what they expected, but I’m damn sure they didn’t expect a vulnerability this severe: user information was leaked, the app was shown to be out of compliance, and it potentially gave us the ability to change or make payments from users’ accounts. When we showed it to them, their faces went pale. The red team hopped on the call and got to work.
