Our client was a prominent and widely recognized unicorn in the meal-kit industry, operating across the United States and several European regions. The goal was to determine whether our team could assist the client in strengthening the security of their various brands and products, consequently enhancing their overall security measures.
The client opted for our services in web penetration testing for several notable reasons. Our specialization in their specific industry and the expertise backed by certifications, such as CEH and CISSP, made us their choice. They found our utilization of cutting-edge tools and tailored approaches to address their unique security requirements particularly appealing. Past successes and our adherence to industry compliance standards provided a foundation of trust. They recognized our team’s potential to enhance their security measures and ensure the security of their brands and customers.
Our mission was to assess the security of our client’s multiple brands and products, evaluating them for vulnerabilities that could impact their customers. The primary focus was on Account Takeover, Personal Identifiable Information (PII) Disclosure, and server-side misconfigurations.
During our assessment, our penetration testing team discovered critical, high, and medium-severity vulnerabilities that posed potential risks. One of the most critical vulnerabilities was an Account Takeover issue related to their token generation method. The token was generated based on epoch time – a numerical representation of the date and time since January 1, 1979. Exploiting this vulnerability, we executed a Race Condition attack on the vulnerable API, allowing us to take over victim accounts by obtaining the same token simultaneously.
It is worth noting that this vulnerability had gone unnoticed by both the client’s in-house team and previous third-party entities that had conducted penetration tests on their system. This vulnerability, which affected all their brands, put their customers at risk for potential account takeovers.
Our collaboration with the client proved to be mutually beneficial. The client had an opportunity to assess our skills, leading them to approach us for additional dedicated projects. Simultaneously, the client significantly enhanced its security posture. This improvement not only protected the client’s reputation but also reassured their customers of a safer and more secure experience.