Startups are subject to cyber attacks — MiTM Case Study

Bahaa Alatassi

A well-known Berlin startup offering grocery delivery relies heavily on IT solutions. After all, building a comprehensive delivery system around customer interaction is inherently technology-dependent. One thing it neglected during development was data security.

In March 2021, security researchers published the results of an investigation that pen-tested the startup's platform. They found a critical security gap exposing the names, addresses, orders, and even credit card details of thousands of customers. The gap stemmed from a data interface that was not properly secured, allowing access to customer information. To give a sense of scale: a skilled attacker could have extracted the data of thousands of users through this gap in no more than half an hour.

The startup and the pen-testing team did well to discover this vulnerability before it was exploited. It shows that investing in a secure system protects against catastrophes.

What happened?

Machine-in-the-middle (MITM) is a common type of cyber attack in which the attacker eavesdrops on the communication between two targets. The attacker sits between two hosts that are legitimately communicating, which lets them “listen” to a conversation they should not be able to hear, hence the name “machine-in-the-middle.” MITM compromises not only the confidentiality of the communication but also its integrity, since an attacker in that position has what is needed to manipulate the original messages.

The researchers took advantage of the following main flaws:

  1. Broken authentication and
  2. DB Injection.

These two flaws happen to be the top two entries of the OWASP Top 10 risks list for 2017.

The image below, taken from iphone-ticker.de, shows the JSON returned by the experimental query sent to the database server:

Why did it happen?

  1. Authorization flaw: The researchers' MiTM attack intercepted the communication between the client app and the server, letting them view the exchanged messages, including the critical ones. The success of the MiTM attack relied on improperly set-up authorization tokens and on missing encryption where it was needed. For example, had the messages between server and app been encrypted, with the encryption key stored safely and not tied to the session token, the researchers would not have been able to act as the machine in the middle.
  2. Unprotected database: Once the researchers could talk to the server while posing as the victim from their own machine, they used a common database attack called “injection”: the attacker embeds an SQL query in the ordinary HTML text submitted to the server. The startup's server failed to treat the submitted text as plain text and passed the SQL query on to the database server, which immediately responded with the query result (in this case, the company's user data).
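The first point is about tokens that a client can tamper with. The following is an added example (not the startup's code and not from the researchers' report) of what a properly set-up session token looks like: the payload is bound to a server-side key with HMAC-SHA256, so a client that alters the customer id in its own token is rejected, and the order endpoint only releases an order to the customer the token names. The key, customer ids and order ids are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret for the demo. In production it comes from a
# secret store and is never embedded in the app or derived from the token.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_id: int, ttl_seconds: int = 3600) -> str:
    """Issue a session token whose payload is authenticated with HMAC-SHA256."""
    claims = {"sub": customer_id, "exp": int(time.time()) + ttl_seconds,
              "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str) -> Optional[int]:
    """Return the customer id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # payload was altered or signed with another key
    claims = json.loads(payload)
    if claims["exp"] <= int(time.time()):
        return None  # expired
    return claims["sub"]


def forge_subject(token: str, new_customer_id: int) -> str:
    """Rewrite the subject claim while keeping the ORIGINAL tag. This is what a
    client that can read its own token could attempt; verify_token rejects it
    because the tag no longer matches the payload."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_customer_id
    tampered = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(tampered)}.{tag_b64}"


def lookup_order(token: str, order_owner_id: int) -> str:
    """Authorization decision for a hypothetical order endpoint: the order is
    released only to the customer the verified token names."""
    caller = verify_token(token)
    if caller is None:
        return "401 invalid or expired token"
    if caller != order_owner_id:
        return "403 not your order"
    return "200 order details"


if __name__ == "__main__":
    tok = issue_token(42)
    print(lookup_order(tok, 42))                    # 200
    print(lookup_order(tok, 99))                    # 403
    print(lookup_order(forge_subject(tok, 99), 99)) # 401
```

The point of the example is the separation the post asks for: the key that protects the token never leaves the server, so intercepting or reading a token does not let the client mint one for another customer, and the server decides authorization from the verified subject rather than from an id the client supplies.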

How to fix it!

To make its database immune, the startup could counter the injection attack by filtering out special characters in any text submitted to the server, such as the HTML tag characters “<>” and “</>”.
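The post's remedy is to filter special characters. The more general remedy, shown here as an added example that goes beyond the post and is not the startup's code, is to bind user input as a query parameter so the database never interprets it as SQL, whatever characters it contains. The example puts the flawed pattern (submitted text spliced into the SQL string) beside the parameterized version and runs both against a constructed in-memory SQLite table standing in for the customer table; the rows and the untrusted input string are constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for the platform's customer table.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice", "Berlin, constructed address 1", "****1111"),
    (2, "bob@example.com", "Bob", "Berlin, constructed address 2", "****2222"),
    (3, "carol@example.com", "Carol", "Berlin, constructed address 3", "****3333"),
]

# Constructed untrusted input: text that is not an e-mail address but that a
# string-spliced query will execute as part of the WHERE clause.
UNTRUSTED_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the demo database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
        "name TEXT, address TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """The flawed pattern: the submitted text becomes part of the SQL statement,
    so the database executes whatever the client put into the field."""
    sql = f"SELECT name, address, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """The fix: a bound parameter is always data, never SQL. The same input that
    dumped the table above simply matches no e-mail address here."""
    sql = "SELECT name, address, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> Tuple[int, int]:
    """Return how many customer rows each variant hands back for the untrusted input."""
    conn = make_db()
    vulnerable_rows = len(lookup_vulnerable(conn, UNTRUSTED_INPUT))
    safe_rows = len(lookup_parameterized(conn, UNTRUSTED_INPUT))
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    print(demo())  # (3, 0): the spliced query leaks every row, the bound one leaks none
```

Character filtering, as the post suggests, reduces the attack surface, but it has to anticipate every character the database might interpret; parameter binding removes the interpretation step altogether, which is why it is the standard defence against injection.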

Final remarks

Under the GDPR, every company is responsible for protecting its customers' data, whether that data is stored or processed. Had a hacker reached this security gap before the pen-testing team, the startup would have faced severe legal consequences, on top of serious damage to its business reputation.

The startup reacted quickly and closed the gap. It also stated that it had taken additional measures to protect the system, signalling that the company learns from its mistakes and will invest more in securing its systems.

Thanks for reading! If you want to learn more about Security, Risk and Compliance please visit our website or contact us on our social media.

SRC - Security, Risk, Compliance

Consulting that establishes security, risk and compliance as an enabler for your business.