Client Assessment Summary: Security assessment for a riding startup.
The client is a riding startup in Africa with many drivers and customer users. The client put its web applications and mobile application in scope for a 7-man-day penetration test. We engaged with the client from May 9, 2022, to May 17, 2022, and during the course of testing we found several critical vulnerabilities in the client’s mobile and web applications.
The client’s mobile application, with 500+ users, was vulnerable to a critical account takeover vulnerability that could have allowed a malicious user to gain access to other application users’ accounts, which contain sensitive information such as credit card information, last used locations and much more.
Also, on one of the client’s microservice APIs, we managed to gain access to the PII of the application’s driver and customer users using only a single driver account. This led to information disclosure and account takeovers, as the microservice also leaked the authentication details for a specific user.
Severe vulnerabilities identified:
Account Takeover: Mobile application
Broken Access Control: User PII leakage
Broken Access Control: Tier 3 user gaining access to Tier 1 user data
The assessment team was able to identify 50+ vulnerabilities in total.
We were able to identify such vulnerabilities in the client's assets because of our custom methodology of security operations at the Bluefire Red team. With this new operations model, we come out as an effective and efficient security vendor.