
Carrefour

Anderson de Souza

Way before A.I. popped up with its magical vibe-coding, the power to build solutions in form of software was in developers' hands. And sometimes we saw that in movies.

Our character used to believe in that, and he did possess such creative capacity, but he always lacked sales skills. The very first client he sold a website to even tried to help him, going as far as lending him a book on sales, but he didn't listen to the advice and chose instead to focus on developing skills compatible with his role.

Because of this, he was always looking for a sales partner. The key person who would sell the solution and launch them into the game. He tried a few times: his brother, his wife, a friend, multiple friends, until a sharp-looking, successful multi-entrepreneur came along.

He believed he had found the missing ingredient for the recipe of success—the business and sales guy. So, without wasting any time, he laid his cards on the table and showed the huge potential of the whole idea: action plan, key features, branding, everything for the new mobility app. At the time, basically a single option dominated the market, and there was barely any competition.

"Entrega já!" (Deliver Now!) was the name.

The guy showed great interest and accepted the partnership offer. In addition to capital, he would handle marketing and other sales operations.

Le coup

After a few days of working on the MVP and presenting the procurement needs (expanding the team, etc.), a new problem arose: "Entrega lá!" (Deliver there!) — the "blessed" guy had hired a company from SC to develop the project. (And holy sh*t, he didn't even try to hide it a bit with the name...) 🤡

The anger of being played for a fool served as fuel to the fire of his revenge, and he immediately set out to claim his victory.

He tracked down the company that had sold the software and found out the price at the time: R$ 6,000.00.

Developed in vanilla PHP without any framework, the app's API had more flaws than features. Right off the bat, he found an IDOR [1] in the users endpoint. The very first registered user, with ID 1, was the admin. After that, he was able to list all user information: full address, personal data, etc. Luckily, the system didn't handle payments, so there was no credit card data stored.

Le contrecoup

Next, he tried what would probably be the entry point for any pentester or hacker: a SQL injection [2] in the login form. Guess what? Totally vulnerable!
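To make the two defects concrete, here is an added example in vanilla PHP. It is not code from the post or from the "Entrega lá!" app; the table, column and function names are assumptions for illustration, and it runs offline against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed to be available). Each defect, the unchecked users endpoint and the string-built login query, is shown beside the form that closes it.

```php
<?php
// Added example, not the app's code. Two vanilla-PHP defects beside their fixes:
//   1. IDOR: a users endpoint that returns whatever id the client asks for.
//   2. SQL injection: a login query assembled from request strings.
// Schema, rows and names below are constructed for the demo.
declare(strict_types=1);

function buildDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                                    pass_hash TEXT, address TEXT, role TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (email, pass_hash, address, role) VALUES (?, ?, ?, ?)');
    // Constructed sample rows; user 1 is the admin, as in the post.
    $ins->execute(['admin@example.test', password_hash('admin-secret', PASSWORD_DEFAULT), 'HQ', 'admin']);
    $ins->execute(['alice@example.test', password_hash('alice-pw', PASSWORD_DEFAULT), 'Rua A, 1', 'user']);
    $ins->execute(['bob@example.test', password_hash('bob-pw', PASSWORD_DEFAULT), 'Rua B, 2', 'user']);
    return $pdo;
}

// VULNERABLE: the e-mail from the form is spliced into the SQL text, so the
// client controls the query's structure (which rows come back, or a UNION of
// other tables), not merely a value. This is the shape the post's login had.
function findUserVulnerable(PDO $pdo, string $email): ?array {
    $row = $pdo->query("SELECT id, role, pass_hash FROM users WHERE email = '$email'")->fetch();
    return $row ?: null;
}

// HARDENED: a prepared statement sends the SQL and the value separately, so
// whatever is typed into the field can only ever be compared as a string.
function findUserSafe(PDO $pdo, string $email): ?array {
    $st = $pdo->prepare('SELECT id, role, pass_hash FROM users WHERE email = ?');
    $st->execute([$email]);
    return $st->fetch() ?: null;
}

// Login on top of the safe lookup; the password never touches the SQL at all.
function login(PDO $pdo, string $email, string $password): ?array {
    $user = findUserSafe($pdo, $email);
    if ($user === null || !password_verify($password, $user['pass_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    return ['id' => (int)$user['id'], 'role' => $user['role']];
}

// Plain row fetch by id; parameterised, so the query itself is not the problem.
function fetchUserRow(PDO $pdo, int $id): ?array {
    $st = $pdo->prepare('SELECT id, email, address, role FROM users WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch() ?: null;
}

// VULNERABLE (IDOR): serves whatever id was requested; $session is never consulted,
// so any logged-in caller can walk ids 1, 2, 3, ... and read every record.
function usersEndpointVulnerable(PDO $pdo, array $session, int $id): ?array {
    return fetchUserRow($pdo, $id);
}

// HARDENED: authorisation is decided from the server-side session, not from
// the identifier the client chose. Only the owner or an admin gets the row.
function usersEndpoint(PDO $pdo, array $session, int $id): ?array {
    if ($session['id'] !== $id && $session['role'] !== 'admin') {
        return null; // respond 403 or 404 in a real endpoint
    }
    return fetchUserRow($pdo, $id);
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

$pdo = buildDb();
$alice = login($pdo, 'alice@example.test', 'alice-pw');
check($alice !== null && $alice['id'] === 2, 'valid credentials log in');
// A tautology typed into the e-mail field is treated as a literal string by the
// prepared statement: no such e-mail exists, so the login simply fails.
check(login($pdo, "' OR '1'='1", 'anything') === null, 'prepared statement keeps input as data');
check(usersEndpoint($pdo, $alice, 2) !== null, 'owner can read own record');
check(usersEndpoint($pdo, $alice, 1) === null, 'non-admin cannot read the admin record');
check(usersEndpointVulnerable($pdo, $alice, 1)['role'] === 'admin', 'unchecked endpoint leaks admin');
echo "all checks passed\n";
```

The two fixes are independent: the IDOR is closed by the ownership check in `usersEndpoint`, which no amount of query parameterisation would have provided, and the injection is closed by `findUserSafe`, which would have been just as necessary had the endpoint's access control been right from the start.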

Voilà! The system was his!

From that point on, he could:

  • exfiltrate the data from the entire system;
  • trigger total chaos in the system with fake orders and messed-up information;
  • make the whole platform unavailable with DoS attacks [3];
  • and even compromise the entire server with an RCE attack! [4]

Coup de grâce?!

His fingers rushed to the keys to type. But instead of crafting and executing an attack, he set out to generate a report.

He contacted the software house, introducing himself and listing the vulnerabilities he had found. All in vain! The manager's ignorance and arrogance felt like a bucket of cold water.

Once again, that little voice in his left ear tried to convince him to wreak havoc:

  • "Let 'em be hoist by their own petard." — it whispered...

But he wasn't about to flirt with a "career choice" that involved being woken up right after 0500 by the Federal Police. And yeah, sooner or later, anyone who plays stupid games gets caught. No matter how good the hacker is.

Besides, ethics is about doing the right thing regardless of the situation, and it takes just one wrong move to ruin an otherwise spotless track record.

Du coup

The outcome? He left everything exactly as it was, and the case became just "another CD under the bed."

"Entrega lá!" didn't last long: within a few months, the app had vanished from the Play Store, and the domain no longer pointed to any IP address.

After that, he didn't even bother to look up the company that had developed the platform. It's possible that somewhere on the internet, a flawed "mobility" app is still exposing its users. But that's not his problem.

(Well, after all it looks like his lil' friend was quite right about their petard...)

"Revenge is never sweet, it kills the soul and poisons it." - Don Ramón (El Chavo del Ocho)

Notes


    • OWASP: Insecure Direct Object Reference Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application's URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

    • OWASP: SQL injection A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

    • OWASP: Denial of Service The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users.

    • CloudFlare: Remote Code Execution A remote code execution (RCE) attack is one where an attacker can run malicious code on an organization’s computers or network. The ability to execute attacker-controlled code can be used for various purposes, including deploying additional malware or stealing sensitive data.