Hackers Seize Control of 3,000 Companies Through Critical Vulnerabilities

In a groundbreaking cybersecurity investigation, researchers identified several critical vulnerabilities in a target system, eventually gaining control over 3,000 subsidiary companies managed by a parent organization.

The exploration leveraged flaws in API configurations, bypassed key security protocols, and exposed sensitive employee and customer data.

This research spanned three weeks and demonstrated the persistent risks of inadequate access controls in modern, API-driven infrastructures.

The research team discovered these exploits while conducting tests on an organization’s APIs.

During their assessments, they identified unusual responses when submitting certain requests, which hinted at potential backend API access via path traversal.

The researchers attempted to use the traversal method but encountered a Web Application Firewall (WAF) blocking the requests.

However, through further analysis of JavaScript (JS) files, they located a production domain that bypassed the WAF’s restrictions, opening the door for deeper exploration.

Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Backend Exposure

The researchers conducted extensive fuzzing, eventually uncovering an application.wadl endpoint linked to microservices responsible for the company’s payment system.

This endpoint mapped frontend API paths to internal backend microservices.

The team exploited this to extract sensitive operational data, including employee Personally Identifiable Information (PII), fingerprints, and customer invoices via mobile numbers.

These findings underscored a failure in backend request validation, allowing unauthorized access to confidential documents.

The investigation then led to an administrative superpanel managing all 3,000 subsidiary companies.

Initially, access to this panel required valid authentication credentials.

Employing username enumeration and custom wordlist-based brute-forcing, the researchers successfully bypassed the login, gaining administrative control.

This enabled them to modify national IDs, passwords, and other sensitive data across the company’s entire ecosystem.

Bypassing KYC Verification for Telecom Number Takeover

In a parallel attack on the company’s telecom operations, the researchers found methods to bypass Know Your Customer (KYC) checks.

Originally, backend requests for number transfers returned a “417 Expectation Failed” error.

However, by directly interacting with the backend API, they bypassed these checks and transferred customer phone numbers with fraudulent credentials, exposing subscribers to account takeover and identity theft.

One of the critical exploits relied on discrepancies in how the organization’s APIs handled authentication and authorization.

While the Frontend API blocked unauthorized requests, the Backend API interpreted malformed path traversal requests differently, bypassing authentication.

This revealed a fundamental weakness in request normalization and path sanitization practices.

This case illustrates the severe consequences of overlooking backend API security.

The researchers reported the vulnerabilities, and while the organization addressed certain issues, the scope of the discovered risks demanded a comprehensive overhaul of security practices.

Key recommendations include implementing uniform request validation across frontend and backend systems, enforcing WAF protections in all environments, and periodically auditing API endpoints for misconfigurations.

This extensive exploit chain highlights how minor misconfigurations, when methodically exploited, can snowball into catastrophic breaches, affecting thousands of users and stakeholders.

Cybersecurity professionals must treat API protection as a cornerstone of modern security strategies.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!