The client is a wholly owned subsidiary of a leading international telecommunications company in South Asia. In this region, it ranks as the second-largest GSM mobile service provider and the third-largest mobile service provider based on its substantial subscriber base. Concerns were mounting for the client as the threat landscape evolved. This prompted them to address vulnerabilities in their publicly accessible infrastructure. Prior to engaging Ebryx, our client was determined to uphold its security but had yet to identify and address these potential threats.
They chose us due to our track record in conducting rigorous Black-Box penetration testing and our reputation for delivering thorough assessments. Our client believed that our expertise could provide them with an impartial and comprehensive evaluation of their security posture.
The reasons our reputation precedes us are fairly compelling. Clients select our Black-Box Penetration Testing services because we offer comprehensive assessments, even without prior system knowledge, demonstrating dedication to thorough security evaluation. Furthermore, our expert team possesses diverse skills and knowledge, effectively addressing a wide range of security concerns. We employ advanced tools and cutting-edge methodologies, ensuring the efficacy of our testing. Through real-world attack simulations, we provide actionable security insights. Our tailored approach, clear reporting, and adherence to industry standards reflect our commitment to client-specific needs.
Our mission was to conduct a comprehensive Black-Box penetration testing operation on our client’s assets, with a primary focus on identifying vulnerabilities that could compromise their infrastructure and, by extension, their extensive customer base.
Our dedicated penetration testing team embarked on a meticulous examination of our client’s public infrastructure, utilizing a rigorous Black-Box approach. Their efforts yielded a significant number of Critical and High severity vulnerabilities. These vulnerabilities not only posed a direct threat to our client’s security but also exposed new avenues for potential attacks and financial abuse.
A notable discovery was the public accessibility of our client’s website source code. This exposure disclosed internal network domains, authentication credentials, and other crucial information, potentially allowing attackers to remotely execute code on the internal network.
Furthermore, the team discovered multiple Account Takeover vulnerabilities across various domains. These vulnerabilities, when exploited by skilled malicious actors, could lead to unauthorized access to customers’ accounts. Sensitive customer information was also exposed, creating opportunities for phishing and scams. The vulnerabilities discovered ranged from Account Takeover and Source Code Disclosure to Verifiable Credentials Disclosure, highlighting critical business logic flaws and input validation errors.
In total, the team identified 7 Critical, 3 High, and more than 50 Medium Severity Vulnerabilities. Each of these findings underscored the urgent need for remediation to secure our client’s infrastructure and customer data.
The impact of our penetration testing was profound. Our client’s security posture improved significantly, and customer data and infrastructure were safeguarded from potential threats. Critical vulnerabilities were addressed, and measures were taken to prevent unauthorized access and data breaches.
The result was an infrastructure that was not only more secure but also more resilient to evolving threats. Our client could continue providing services to its vast customer base with greater confidence in the security of the company’s operations.