Introduction
For the past couple of years there has been a boom in the tech startup industry in Pakistan. New ideas, cyber security among them, are being spawned, and we have seen companies of every type get set up, build and expand, and generate huge revenues through exceptionally good business models. Most of them are B2B applications, and these companies are doing so well with their plans that they have received venture capital funding in the millions of dollars and have expanded all over Pakistan and into several other countries as well.
The security team at BlockApex decided to test these applications for vulnerabilities that could compromise their data. We knew that the software industry in Pakistan routinely leaves security out of its toolkit to reduce the cost of development, and that cybersecurity is given no importance here. Despite having a huge amount of funding and large teams of developers, testers, project managers and sales representatives, these companies are all still lacking in one aspect, and that is security. Furthermore, the lack of security in these applications is only the first part of the problem; the other is that the teams behind them do not even seem to care whether the applications are secure or not, and never treat the security of their application and the privacy of its data as a priority.
The purpose of writing this article is to create awareness about cybersecurity in Pakistan and how it is still treated as a non-serious issue in the tech industry of this part of the world. Product managers and developers with over 10 years of experience still have no knowledge of how to secure their product, how to protect it from various cyber attacks, how important data is, or how a breach can impact the privacy of their users.
Keeping all these parameters in mind (funding, a huge team, well-paid marketing and a massive network), we decided to test the security of these applications to find out how well they are protected from malicious actors and how well prepared they really are for a real cyber-attack or data breach. We analyzed and tested several B2B, e-commerce and payment solutions applications. To keep this concise, I will discuss three startups and how easily we were able to find critical vulnerabilities in their applications. The startups discussed below have raised millions of dollars in VC funding and have already expanded across the country. I will not name them here because some of the flaws are still not fixed.
We found the flaws and tried to report them to the relevant teams at each of these startups, but we were met with a non-serious response from every team regarding the security and privacy of their users.
Applications We Tested Out
Let’s dive in.
First Application:
Type: B2B Marketplace
Funding: $40M+
Employee: 500+
The company has 500+ employees and dozens of offices across the country. We selected this application as our first test of the state of cybersecurity in Pakistan. The team at BlockApex tested its Android application and found flaws through which an attacker would be able to view private data, bypass security mechanisms, and get hold of its private API keys and use them for his own benefit. Besides these, there were other issues like logic flaws on many endpoints. Let's discuss these problems, and the reaction from the team, in detail.
Leaking of Personally Identifiable Information (PII):
For any organization operating anywhere in the world, its users' data is the thing that holds the most value, and if that data contains any type of personally identifiable information then the organization normally doubles down on its protection and security. Moreover, when a firm has millions in funding from some of the most reputable venture capitalists, it usually makes sure it is protected in every way possible. But the story is the opposite here: the company behind this application doesn't consider PII leakage to be of high or critical severity. To clarify, the information that was being leaked contained the whole transaction history of each user along with personal details like addresses, shipping information, dates, etc. The management team told us that the only type of bug they would consider a security flaw was one through which an attacker could bring down the application completely. This further illustrates how non-serious everyone is regarding software security in Pakistan.
We have worked with dozens of companies all over the world, and for every one of them an endpoint that leaks even the slightest information is considered a serious issue. But here, when a huge chunk of data was being leaked very easily, the team did not consider it an issue, because they don't consider data to be something valuable.
Disclosure of API Keys:
The other type of flaw that we found in this application was the disclosure of most of the third-party API keys it was using. Insecure storage of private keys in the code is an issue you would not expect from a multinational firm with a huge team of developers. They were using many paid services to process their data and keep the user experience smooth and simple, but the developers in the organization had no idea how to store and use those keys securely so that no one outside the organization could get hold of them.
We tested this specific application for three days, and during that period we recovered many different keys. Fortunately, we didn't get hold of any private GitHub keys or anything of similar severity, but I am sure that if we had looked further we would have found those as well. There was almost no protection mechanism around them; the developers had simply hard-coded them into the application.
Tons of Logical Flaws:
Besides the above-mentioned anomalies, there were many logical flaws that an attacker could easily leverage and chain together into a greater exploit. These included bypassing the MFA protection, using and reusing fake identity information by submitting fake or invalid identity cards in the verification process, sensitive endpoints that were easy to brute-force, and many more. All of this shows the lack of security across the whole application and how poorly everything was coded when it comes to security.
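The brute-forceable endpoints and the MFA bypass above both come down to the server not owning the second-factor decision. Below is an added example, written for this discussion and not code from the application or from BlockApex's report, of how a one-time-code check can be kept entirely server-side: the code expires, is single-use, is compared in constant time, and dies after a fixed number of wrong guesses. The class and function names, the limits and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example; they are not taken from the
# application described in the article.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a code is void five minutes after it is issued
MAX_ATTEMPTS = 5        # a code is void after this many wrong guesses


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Issues and verifies one-time codes for a second authentication factor.

    All state lives on the server: the client never tells the server that the
    second factor "passed", it only submits a code for the server to check.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable so expiry can be tested
        self._challenges: dict[str, OtpChallenge] = {}

    def issue(self, user_id: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-padding keeps the code OTP_DIGITS long.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[user_id] = OtpChallenge(code=code, issued_at=self._clock())
        # In production the code is delivered out of band (SMS, authenticator app);
        # it is returned here only so the example can exercise verify().
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        challenge = self._challenges.get(user_id)
        if challenge is None or challenge.consumed:
            return False
        if self._clock() - challenge.issued_at > OTP_TTL_SECONDS:
            del self._challenges[user_id]       # expired: force a fresh challenge
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._challenges[user_id]       # too many guesses: the code is dead
            return False
        # compare_digest does not stop at the first differing character, so the
        # response time does not reveal how many digits were right.
        if hmac.compare_digest(challenge.code, submitted):
            challenge.consumed = True           # single use: a replayed code is rejected
            return True
        return False


def wrong_code_for(code: str) -> str:
    """Return a code guaranteed not to equal `code` (used by the demo and tests)."""
    return "000001" if code == "000000" else "000000"


def brute_force_resists(svc: OtpService, user_id: str, code: str) -> bool:
    """Submit MAX_ATTEMPTS wrong guesses, then the right code.

    Returns True when the right code is refused, i.e. the lockout worked.
    """
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user_id, wrong_code_for(code))
    return svc.verify(user_id, code) is False


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("user-1")
    print("wrong guess accepted?", svc.verify("user-1", wrong_code_for(code)))   # False
    print("right code accepted?", svc.verify("user-1", code))                    # True
    print("replay accepted?", svc.verify("user-1", code))                        # False
    print("lockout holds?", brute_force_resists(svc, "user-2", svc.issue("user-2")))  # True
```

The session is upgraded only when `verify()` returns True on the server; a client-side flag such as "mfa_done" in the request is never consulted, which is the shape of check the bypass described above would run into.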
TEAM REACTION:
We reported the above-mentioned vulnerabilities, along with a few more, directly to the product manager and also held many meetings with the team, but in the end there was no positive response from them. They decided not to pay much attention to the bugs, for the reasons already discussed.
We also tried to get a follow-up from the product team, but that eventually came to nothing. Despite having a large budget and funding from Silicon Valley, the team itself had no knowledge of the cybersecurity domain or its importance in the current world situation. As of writing this article we still haven't received any further update from the company.
IMPACT ON USERS:
Here the end users of the application could easily be exploited, as their personally identifiable information was being leaked. The privacy of users' information and of their activity history on the application was not safe: an attacker could easily get access to a user's data and use it for any malicious purpose. In the past we have seen countless times how such data is sold and how it is treated as modern gold. Furthermore, because the application was not using proper security mechanisms, in any case where a user's credentials were leaked they could not depend on 2FA to protect their account.
Second Application:
For the second case study, we have a health-based startup with a presence all across Pakistan.
Type: Health-Based Startup
Funding: Almost $10M
Employee: 200+
Here we had both a web application and a mobile application. We noticed that the web application was somewhat secured, but the mobile app was full of flaws and vulnerabilities: many endpoints that were fully secured on the web were leaking data through the mobile app. The vulnerabilities we found were quite critical. We also managed to find several account takeovers that required no user interaction through the mobile application. Besides that, the application was full of XSS and IDORs, and the logic was so poorly written that an attacker could easily exploit it. The main problem, though, lies in the reaction of the team. They were so non-serious about security that a company of over 200 employees didn't have a single cybersecurity engineer or penetration tester. The flaws are listed below:
Account Takeover Through An IDOR:
Account takeovers and IDORs are probably the two vulnerabilities attackers most like to exploit, and when both are combined into a single flaw it can cause massive damage to the organization as well as to all of its users. That was the case in this application: we found an endpoint on which, just by changing a sequential number in the request, we were able to gain complete control over the victim's account. In this way an attacker could have gained access to any account on the application and to all the data and authorizations in it. Furthermore, after taking over the victim's account, the attacker could lock it permanently through a logic flaw, so that the victim would not be able to regain control of their own account even through the Forgot Password or Reset Account features.
This bug could have been a gold mine for any attacker, who could have caused havoc on this application through it. But it does not end here, as there was much more to discover.
XSS in Many Parts of the Application, Leading to Account Takeovers:
We noticed that the web application was to some degree protected against many different attacks, but the mobile app was completely open. As both were interconnected, data entered in one was reflected in the other. XSS protection mechanisms were implemented on the web app, but the same features in the mobile app had no protection of any kind. So we simply entered stored XSS payloads in fields like name and address through the Android app and then opened the account in the web application. The payload triggered there successfully, exposing the victim's session cookie and token. We were also able to send those cookies to an attacker-controlled domain, just to confirm that the attack was a success.
There were dozens of places where names were reflected to other users; through these features we were able to steal any user's cookie and temporarily take over their account.
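The root cause described above is that sanitisation lived in one client (the web UI) while the data could arrive through another (the Android app). The example below is an added one, not code from the application or from BlockApex's report, showing the two fixes a defender would want: encode for the HTML context at the output boundary so the storage path is irrelevant, and validate the field server-side so the rule applies to every client. The profiles, template and cookie attributes are constructed for illustration; the `mallory` value is the textbook `<script>` probe, which is enough to show whether encoding happened.

```python
import html
import re

# Constructed sample records. The "mallory" name was submitted through a client
# that applied no filtering, the way the article describes the Android app;
# none of this is data from the application in the article.
PROFILES = {
    "alice": {"name": "Alice", "address": "12 Main St"},
    "mallory": {"name": "<script>alert(1)</script>", "address": "<b>nowhere</b>"},
}

PROFILE_TEMPLATE = '<p class="name">{name}</p><p class="addr">{addr}</p>'


def render_profile_unsafe(profile: dict) -> str:
    """The 'before': assumes every client already sanitised what it stored."""
    return PROFILE_TEMPLATE.format(name=profile["name"], addr=profile["address"])


def render_profile_safe(profile: dict) -> str:
    """The 'after': encode for the HTML context at the point of output.

    Because the encoding happens where the data is rendered, it does not matter
    which client (web, Android, partner API) wrote the value into the database.
    """
    return PROFILE_TEMPLATE.format(
        name=html.escape(profile["name"], quote=True),
        addr=html.escape(profile["address"], quote=True),
    )


TAG_NAME_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def only_template_tags(rendered: str, allowed=frozenset({"p"})) -> bool:
    """True if every tag in the rendered HTML is one the template itself emits."""
    return set(TAG_NAME_RE.findall(rendered)) <= allowed


# Defence in depth: validate the field server-side too, so the rule is enforced
# once for all clients instead of separately in each app's UI code.
DISPLAY_NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")


def validate_display_name(name: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def session_cookie_header(token: str) -> str:
    """HttpOnly keeps an injected script from reading the cookie via document.cookie.

    It limits the cookie-theft impact the article describes; it does not stop an
    injected script from acting as the user, so output encoding is still required.
    """
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for user, profile in PROFILES.items():
        print(user, "unsafe render clean?", only_template_tags(render_profile_unsafe(profile)))
        print(user, "safe render clean?  ", only_template_tags(render_profile_safe(profile)))
```

`only_template_tags` is the kind of assertion a regression test can carry: seed a record with markup through every write path the product has and check that the rendered page contains nothing but the template's own tags.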
Endpoints Leaking the Medical Details Of Its Users:
Among the many endpoints through which an attacker could leak private data, there was one through which the medical details of each user were being leaked. This is private PII. This kind of data could easily be used against both the victims and the organization, because medical conditions and problems are something anyone could take advantage of and use against a person.
TEAM REACTION:
Despite the presence of huge vulnerabilities that could easily compromise all the data on the servers and in the database, the reaction of the team was not serious at all. They even told us that their main focus currently is marketing the product, leaving the product's security aside. The product manager of this application said they are trying to hire a security engineer who will look after these issues, but they are not sure when that engineer will join them.
The reaction here was also not satisfactory, and it was clear to us that they do not want to address the security issues at present and have kept them at the lowest priority in their pipeline.
IMPACT ON USERS:
The impact on users was pretty severe here: taking over any user's account and gaining access to it was extremely simple for an attacker. If an attacker can open anyone's account, view all of their information, and get access to sensitive medical information, then that is a critical flaw in the system, and that is exactly what was happening here. The medical records of all users were not secure; they could easily be leaked and sold, because this type of health-related data is among the most expensive on the dark web. There were several endpoints through which an attacker could gain access to a user's account, so we can deduce that the whole application was not built in a secure way.
Third Application:
To keep the article short, this is the last case study, and for it I have taken another B2B application.
Type: B2B Marketplace
Funding: $3.5M
Employee: 150+
For the last example we have another B2B application that has been quite successful in gaining seed funding and has a team of highly skilled developers and leads. The problem here is the same one every other tech company in Pakistan has: giving close to no importance to security and refusing to spend some extra revenue to make the systems more secure. We were able to find many security issues in this application, which we reported in an almost 30-page report. Let me discuss three of those flaws here, along with the reaction from the company.
Pre-Auth Account Takeover of Anyone:
The working mechanism of this application was somewhat different. There was a specific process for using it, which I will not disclose here, but by exploiting a logic flaw in that process we were able to gain access to users' accounts before the users themselves had authenticated. When a user authenticated the account through their identity for the first time, the attacker would receive all of that user's data. It was a flaw in the way the application worked, and if exploited the attacker would get hold of the accounts. We could call it a pre-authentication account takeover.
The bug was quite severe, as the attacker would already be sitting inside the account, and as soon as the victim authenticated their data would be compromised. It was rated critical according to its CVSS score.
Changing Transactions and Viewing Their History:
Another flaw in this B2B application was that we were able to view the history of each and every transaction made by every user. Moreover, we were also able to change the data in incomplete transactions. Considering that the application was a type of supply-chain system, this was sensitive and severe. This bug was also written up in the report alongside various other flaws.
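The account takeover through a sequential number in the second application, the endpoint exposing medical details there, and the transaction view/edit flaw just described all share one cause: the server trusted the object id in the request and never asked whether the authenticated user owned that object. Here is an added example, not code from any of the applications or from BlockApex's report, with the vulnerable read beside hardened read and write handlers. The accounts, transactions, sequential ids and exception names are constructed to mirror the flaw.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """The caller is authenticated but not allowed to touch this object."""


class NotFound(Exception):
    """The object does not exist, or does not exist for this caller."""


@dataclass
class Account:
    id: str
    email: str
    medical_notes: str


@dataclass
class Transaction:
    id: str
    owner_id: str
    amount: int
    status: str   # "pending" or "complete"


# Constructed in-memory store standing in for the applications' databases.
# Account ids are small sequential numbers on purpose, to mirror the flaw the
# article describes; nothing here is data from the real applications.
ACCOUNTS = {
    "1": Account("1", "alice@example.test", "allergy: penicillin"),
    "2": Account("2", "bob@example.test", "no conditions recorded"),
}
TRANSACTIONS = {
    "t-100": Transaction("t-100", owner_id="1", amount=250, status="pending"),
    "t-101": Transaction("t-101", owner_id="1", amount=80, status="complete"),
    "t-200": Transaction("t-200", owner_id="2", amount=40, status="pending"),
}


def new_public_id() -> str:
    """Random, unguessable identifier for newly created objects.

    This is hardening, not the fix: the ownership checks below are the fix.
    It only removes the 'change the number by one' enumeration the article saw.
    """
    return secrets.token_urlsafe(16)


def get_account_unsafe(requested_id: str) -> Account:
    """'Before': the id in the request is trusted; nothing ties it to the session."""
    return ACCOUNTS[requested_id]


def get_account(session_user_id: str, requested_id: str) -> Account:
    """'After': a user may only read their own account record."""
    if requested_id != session_user_id:
        raise Forbidden("account does not belong to the authenticated user")
    return ACCOUNTS[requested_id]


def get_transaction(session_user_id: str, txn_id: str) -> Transaction:
    """Ownership is checked against the authenticated session, never the request."""
    txn = TRANSACTIONS.get(txn_id)
    # Same error whether the id is unknown or belongs to someone else, so the
    # response does not confirm that other users' transactions exist.
    if txn is None or txn.owner_id != session_user_id:
        raise NotFound(txn_id)
    return txn


def update_pending_transaction(session_user_id: str, txn_id: str, amount: int) -> Transaction:
    """Writes reuse the same ownership check and add a state check."""
    txn = get_transaction(session_user_id, txn_id)
    if txn.status != "pending":
        raise Forbidden("completed transactions are immutable")
    if amount <= 0:
        raise ValueError("amount must be positive")
    txn.amount = amount
    return txn


def outcome(fn, *args) -> str:
    """Run an access attempt and report 'ok' or the exception class name."""
    try:
        fn(*args)
        return "ok"
    except (Forbidden, NotFound, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Session user "2" (bob) reaching for alice's data: the 'before' leaks, the 'after' refuses.
    print("unsafe read of account 1 by user 2:", get_account_unsafe("1").medical_notes)
    print("safe read of account 1 by user 2:  ", outcome(get_account, "2", "1"))
    print("safe read of own account:          ", outcome(get_account, "2", "2"))
    print("read alice's txn as bob:           ", outcome(get_transaction, "2", "t-100"))
    print("edit own pending txn:              ", outcome(update_pending_transaction, "1", "t-100", 300))
    print("edit own completed txn:            ", outcome(update_pending_transaction, "1", "t-101", 1))
```

The pattern to carry into a real codebase is that every handler receives the user id from the verified session and every data-access function takes that id as a required argument; a handler that can fetch an object without it is the IDOR waiting to happen.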
Disclosure of Keys:
Disclosure of private keys is something we see far too commonly. Developers still have a hard time storing and using API keys safely; most of the time they simply hard-code them in the front end of the application. This issue was common to all the applications we tested, so it is something every company in Pakistan should be extra careful about. A lot of sensitive information usually passes through third-party vendors, and with just an API key anyone could easily get hold of all of it. Therefore, this is something we should put more effort into.
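For both this application and the first one, the key disclosure came down to hard-coded literals in client-side code. A check a team can run before every release is a secret scan over the source tree. The example below is an added one, not tooling from BlockApex or from the companies discussed, that combines a few well-known key prefixes with an entropy filter over secret-looking assignments. The sample source, its key values and the threshold are constructed; the AWS id is the placeholder value AWS uses in its own documentation.

```python
import math
import re
from collections import Counter

# Constructed sample of the kind of client-side source the article describes
# (Android-style Java). The key values are made up; the AWS one is the
# placeholder AWS uses in its own documentation. Nothing here comes from any
# application in the article.
SAMPLE_SOURCE = """\
// constructed sample, not code from any application in the article
public class Config {
    static final String MAPS_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
    static final String API_KEY = "b4f8e2c1a9d7f6e5b3c2a1d0e9f8c7b6";
    static final String AWS_ID = "AKIAIOSFODNN7EXAMPLE";
    String token = "xxxxxxxxxxxxxxxxxxxxxxxx"; // placeholder, low entropy
    String apiKey = BuildConfig.PAYMENTS_API_KEY; // injected at build time, not a literal
}
"""

# Well-known key shapes, plus a generic "secret-looking variable = long literal" rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']"""
    ),
}

# Bits per character below which a literal is treated as a placeholder rather
# than a real credential. Random hex scores close to 4; "xxxx..." scores 0.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Show enough to locate the key in the file, never enough to use it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_line(line: str, lineno: int) -> list:
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            # The generic rule captures the literal in its last group;
            # the vendor rules match the key itself.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"line": lineno, "kind": kind, "redacted": redact(value)})
    return findings


def scan_source(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
```

The scanner is a gate, not the remedy. A mobile client cannot keep a secret from whoever holds the APK, so the durable fix is the shape shown on the last line of the sample: the client carries no vendor key at all, and calls to paid third-party services go through the company's own backend, which holds the keys, applies authorization, and can rotate them.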
TEAM REACTION:
The team's reaction was similar here. The team did pay a little attention to the bugs, but they said they would look into them more closely in the future and contact us once they came to any conclusion. It has been weeks now since we last heard from them in any way, and the application is still insecure on the internet, open for any cyber attack to exploit.
IMPACT ON USERS:
Here the security flaws were impacting the usability of the application and stopping anyone from using the app itself, which affected users as well as the system. Moreover, an attacker could trace users' activity on the platform and view their preferences and order history. Once again I would like to add that this type of data, from which a person's psychological behavior can be identified, is very valuable in the eyes of any malicious actor, and that is exactly what was at stake here. Users could easily be identified in real life and their privacy severely compromised.
The Verdict:
Besides the above-mentioned startups and tech companies, we are also currently in talks with many other startups with millions in VC funding. Although we are hopeful, I don't think we will get a positive response from them either. The problem lies in the general environment that has been created regarding (outsourced) cybersecurity in Pakistan and in how we perceive the importance of software security.
We have discussed many flaws in some of the most heavily funded startups in the country and conveyed them to each of the teams concerned. The response we got from everyone was extremely non-serious towards security and data protection. Most of the companies didn't even have a proper team dedicated to security. We have seen in the past how companies in Pakistan are targeted, hacked and extorted, and we have seen countless times that the data of Pakistani companies is being sold on the internet. If this attitude towards security continues, we cannot foresee our data being protected on the internet. We aim to change the landscape of cybersecurity in Pakistan so that we can make our internet more secure.