In a detailed disclosure, cybersecurity researchers achieved full control of a super admin panel, granting access to over 3,000 companies.
The researchers uncovered and exploited critical vulnerabilities within the target company by bypassing multiple security measures, including improper API authentication, inadequate KYC checks, and flawed backend authorization mechanisms.
The entire process took three weeks and demonstrated the alarming impact of weak secure coding practices.
Multiple Layers of Security
The initial breakthrough occurred when an API endpoint revealed backend paths upon manipulating request parameters.
The response behavior hinted at improper input validation, foreshadowing deeper flaws within the target’s infrastructure.
Despite encountering a Web Application Firewall (WAF), the researchers analysed the application's JavaScript files and identified a production domain that was not protected by the WAF.
Testing on this domain revealed identical backend APIs, and further path traversal techniques exposed the backend API architecture.
By fuzzing the application, the team discovered an internal endpoint (application.wadl) that documented microservice functionalities, including payment system APIs.
These backend endpoints divulged sensitive data, such as employees’ personally identifiable information (PII) and biometric fingerprints, through unsecured document retrieval APIs.
Further explorations yielded access to customer invoices linked to phone numbers, allowing extraction of additional sensitive information.
The turning point occurred when the researchers reached a super admin login page through a methodology combining brute-forcing and username enumeration.
Default credentials failed initially, but by creating a custom wordlist using company-specific terms and leveraging AI tools, researchers uncovered valid login credentials.
With the super admin token in hand, the researchers gained unparalleled control over the company’s operations, including modifying user credentials, accessing national IDs, and overriding sensitive customer data.
KYC Bypass and Account Takeovers
A particularly severe flaw involved bypassing Know Your Customer (KYC) verification in the company’s system.
By targeting the backend API directly, bypassing the frontend security layers, the researchers found that the system permitted unauthorized phone number transfers.
This created significant risks of identity theft and unauthorized account access across telecom networks.
The root cause of these exploits was the inconsistent implementation of authentication and authorization checks.
While the frontend API enforced many restrictions, the backend API lacked equivalent controls, allowing direct access to sensitive functionalities when properly targeted.
Path traversal techniques, combined with misconfigured responses, opened the doors to these vulnerabilities.
This comprehensive chain of exploits underscores critical mistakes in security architecture.
The researchers bypassed previously patched vulnerabilities by interacting directly with underlying backend APIs, exploiting discrepancies between frontend and backend request sanitization.
Differences in how the two layers normalized request paths played a key role, exposing user and corporate data.
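The two root causes described above, a backend that trusts the frontend to have done its authorization and KYC checks, and two layers that normalize request paths differently, can be modelled in a few dozen lines. The following is an added illustration written for this summary, not code from the researchers or the affected company; the routes, roles, token values and status codes are constructed for the example. The vulnerable pair shows why a direct call to the backend, or a path that only the backend rewrites, escapes the edge checks; the hardened backend normalizes first and enforces the same role and KYC policy on every route itself.

```python
"""Toy model of a frontend/backend authorization mismatch.

Constructed example: sessions, routes and roles are invented for illustration.
Each layer is a plain function taking (raw_path, token) and returning
(status, detail), so the two designs can be compared side by side.
"""
import posixpath

# Constructed session table: token -> (role, kyc_verified)
SESSIONS = {
    "tok-customer": ("customer", True),
    "tok-unverified": ("customer", False),
    "tok-admin": ("admin", True),
}

# Constructed route table: normalized path -> (handler, minimum role, needs KYC)
ROUTES = {
    "/api/invoices": ("list_invoices", "customer", False),
    "/api/number-transfer": ("transfer_number", "customer", True),
    "/admin/users": ("admin_users", "admin", False),
}

ROLE_RANK = {"anonymous": 0, "customer": 1, "admin": 2}


def principal(token):
    """Resolve a bearer token to (role, kyc_verified); unknown tokens are anonymous."""
    return SESSIONS.get(token, ("anonymous", False))


# ---------------- vulnerable design ----------------

def frontend_vulnerable(raw_path, token):
    """Edge layer: filters the *raw* path string and enforces KYC only here."""
    if raw_path.startswith("/admin"):
        return 403, "forbidden"
    role, kyc = principal(token)
    if raw_path == "/api/number-transfer" and not kyc:
        return 403, "kyc required"
    return backend_vulnerable(raw_path, token)


def backend_vulnerable(raw_path, token):
    """Backend: normalizes the path, then trusts that the edge already authorized it."""
    path = posixpath.normpath(raw_path)
    if path not in ROUTES:
        return 404, "not found"
    if token not in SESSIONS:
        return 401, "unauthenticated"
    return 200, ROUTES[path][0]  # no role or KYC check of its own


# ---------------- hardened design ----------------

def authorize(raw_path, token):
    """Single policy decision shared by every layer: normalize, then check
    authentication, minimum role and KYC for the resolved route."""
    path = posixpath.normpath(raw_path)
    if path not in ROUTES:
        return 404, "not found"
    handler, min_role, needs_kyc = ROUTES[path]
    role, kyc = principal(token)
    if role == "anonymous":
        return 401, "unauthenticated"
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        return 403, "forbidden"
    if needs_kyc and not kyc:
        return 403, "kyc required"
    return 200, handler


def backend_hardened(raw_path, token):
    """Backend enforces the full policy itself; the edge is not a trust boundary."""
    return authorize(raw_path, token)


def frontend_hardened(raw_path, token):
    """Edge rejects paths that would change under normalization, so both layers
    always reason about the same string, then applies the same policy."""
    if posixpath.normpath(raw_path) != raw_path:
        return 400, "non-canonical path"
    status, detail = authorize(raw_path, token)
    if status != 200:
        return status, detail
    return backend_hardened(raw_path, token)


if __name__ == "__main__":
    print("vuln edge   :", frontend_vulnerable("/api/number-transfer", "tok-unverified"))
    print("vuln direct :", backend_vulnerable("/api/number-transfer", "tok-unverified"))
    print("vuln rewrite:", frontend_vulnerable("/api/../admin/users", "tok-customer"))
    print("hard direct :", backend_hardened("/api/number-transfer", "tok-unverified"))
    print("hard rewrite:", frontend_hardened("/api/../admin/users", "tok-customer"))
```

The point of the hardened version is not the extra lines in `backend_hardened` but that `authorize` is the only place a decision is made and it runs after normalization; any layer that is reachable by a client calls it, so removing the edge from the request path changes nothing about what is permitted.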
The disclosure serves as a critical reminder for organizations to ensure secure coding practices, enforce uniform authentication across all API layers, and implement appropriate access controls at every level of the application stack.
With the rising sophistication of attacks, the case exemplifies the need for proactive penetration testing and robust post-patch validation to identify and mitigate systemic security flaws.