A Vulnerable Needle that could have pricked the entire Datastore


ABC Inc. is an eco-friendly products manufacturer. ABC owns an e-commerce store via which it operates the D2C model. The store is backed by Shopify and ABC has also enabled Subscriptions via ReCharge.

ABC had initially outsourced the development of their e-commerce store, so they wanted to explore the security posture of the platform, a few upcoming portals and the Cloud Infrastructure backing the entire ecosystem.

Since the e-commerce portal was being driven by Shopify, we decided to focus more on Untracked exposures, followed by assessing the Cloud's security posture and a few business-centric & core functionality modules custom-implemented by the outsourced team.

The Core Values that our VAPT efforts could accord

The advent of GitHub has led to a tremendous advancement in collaborative Version Control of Source Code across the Developer Community. Our efforts brought visibility to multiple otherwise untracked exposures via GitHub which could have leaked the entire datastore of ABC, including Customers data, Orders & Subscriptions Data, Inventory Data & Control, amongst other Critical Information.

Additionally, there was little awareness & knowledge base about Cloud & Server Configuration, and hence there were a few vulnerabilities that could have paved the way for Remote Code Execution and revealed the metadata & even Service account credentials.

Since ABC had been backed by an outsourced engineering team until recently, specific business-logic-induced security issues were discovered. Post VAPT, their new CTO is now actively focusing on continually safeguarding the application experience of its customers.

An Interesting Find

One of our automated fuzzy scans revealed a public GitHub repository in which an old commit of one of the files contained an auth token which was still active, with access as illustrated below.

This vulnerability could have been misused to offer a 100% discount on all products, cancel all subscriptions, steal customer demographics and PII, and map Order patterns to make them saleable to competitors.
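The finding above is the classic case where the working tree at HEAD looks clean but an old commit still carries a live credential. The following is an added illustration (not the tooling used in this engagement, and not ABC's code) of the check a defender runs over `git log -p` output: flag secret-looking literals in added or removed lines, and record the commit that introduced each one and the commit that later removed it. The log text, file name, commit hashes and token value are all constructed for the example.

```python
import math
import re

# Constructed `git log -p` output (newest commit first). The older commit adds a
# token to config.py; the newer one removes it, so HEAD is clean but history is not.
SAMPLE_GIT_LOG = """\
commit 7c1e2a9f3b4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f
    remove hardcoded token
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
-API_TOKEN = "8f2c9e1d4b7a6c3e5f0a9b8d7c6e5f4a"
+API_TOKEN = os.environ["API_TOKEN"]
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
    add store config
diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
+STORE_URL = "https://example.myshopify.com"
+API_TOKEN = "8f2c9e1d4b7a6c3e5f0a9b8d7c6e5f4a"
"""

# A credential-like name assigned a quoted literal of 16+ token characters.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(token|secret|password|api[_-]?key)\s*[=:]\s*["\']([A-Za-z0-9_\-]{16,})["\']')


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, words and placeholders low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_git_log(log_text: str, min_entropy: float = 3.0) -> dict:
    """Map each secret-looking value to the commit that added it and, if any, the
    commit that removed it. A removed_in entry means HEAD-only scanning would miss it."""
    found, commit, path = {}, None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]          # short hash for reporting
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")     # file touched by this hunk
        elif line[:1] in ("+", "-") and line[:3] not in ("+++", "---"):
            m = SECRET_ASSIGNMENT.search(line)
            if not m or shannon_entropy(m.group(2)) < min_entropy:
                continue                           # skip low-entropy placeholders
            entry = found.setdefault(m.group(2), {"name": m.group(1), "file": path,
                                                  "added_in": None, "removed_in": None})
            entry["added_in" if line[0] == "+" else "removed_in"] = commit
    return found


if __name__ == "__main__":
    for value, info in scan_git_log(SAMPLE_GIT_LOG).items():
        print(f"{info['file']}: {info['name']} added in {info['added_in']}, "
              f"removed in {info['removed_in']}, still recoverable from history")
```

Run it against a real repository with `git log -p --all | python3 scan.py` style input to cover every branch, and treat any hit with a `removed_in` commit as a credential that must be rotated, not merely deleted.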

“The GitHub Repository could have been like a Diamond Mine for an attacker!”
