Dude where's my code?
Jamieson O'Reilly
Founder @ Dvuln. Hacker. T̶h̶i̶n̶k̶i̶n̶g̶ Doing outside the box. Redteaming, Pentesting, DevSecOps.
HackedIN: Dude where's my code?
Security extends beyond your office walls.
When you involve third parties in your business, your attack surface expands in ways you might not have accounted for.
Let's walk through a real-world example to unpack the risks.
The Case of InstaBook
InstaBook appeared to be doing everything right. They had Cloudflare set up and had seemingly robust cybersecurity measures in place.
They'd outsourced the development to an offshore agency, ACMEgency LLC.
However, they were quick to downplay the risk, arguing that only two offshore developers were involved, so the exposure was negligible relative to their broader business risk profile.
The Search Begins
Despite InstaBook's opinions, I decided to look into the broader picture.
After finding no vulnerabilities in their production environment, I turned my attention to ACMEgency, the offshore development team.
The Power of Professional Networks
A quick LinkedIn search led me to two offshore developers working both for InstaBook and ACMEgency.
The client's claim was correct; only two were involved. But as I was about to demonstrate, even that could be too many.
If It's Online, It's Prod
After some more digging, I found a subdomain—instabook.acmegency.com.
Unlike the heavily fortified InstaBook site, this subdomain had no Cloudflare Web Application Firewall (WAF).
Even worse, the web root exposed its /.git/ directory. A readable .git directory is a golden ticket: it contains the objects and index needed to reconstruct the entire repository, commit history included, and that is exactly what it gave up here: InstaBook's complete source code.
Many companies are unaware that it's common practice for dev agencies to host demo apps and staging environments on their own infrastructure.
This often-overlooked practice can inadvertently open new pathways for attackers.
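To make the .git finding concrete, here is an added example (not code from the original article or from Dvuln): the two checks a tester runs against a suspected exposed repository, written to work from HTTP response bodies so it runs offline. First, the telltale: a request for /.git/HEAD on a normal site returns an HTML error page, but on an exposed repository it returns a git ref line such as `ref: refs/heads/main` (or a bare 40-hex commit id for a detached HEAD). Second, once `.git/index` can be downloaded, parsing it lists every tracked file path, which is the first step tools that rebuild a repository from an exposed .git perform. The sample index and the path names in it are constructed for this demo; they are not taken from the engagement.

```python
"""Added example: detect an exposed .git directory from the HEAD file and
enumerate tracked paths from a downloaded .git/index (format version 2).
Sample data is constructed inline; nothing here touches the network."""
import hashlib
import re
import struct

REF_LINE = re.compile(r"^ref: refs/\S+$")
COMMIT_ID = re.compile(r"^[0-9a-f]{40}$")


def is_git_exposed(head_body: str) -> bool:
    """True if the body returned for GET /.git/HEAD is a real git HEAD file."""
    body = head_body.strip()
    return bool(REF_LINE.match(body) or COMMIT_ID.match(body))


def list_tracked_paths(index: bytes) -> list[str]:
    """Return every path recorded in a git index file (format version 2).

    Layout: 12-byte header ("DIRC", version, entry count); then per entry
    62 bytes of fixed metadata (ctime, mtime, dev, ino, mode, uid, gid,
    size, 20-byte object id, 2-byte flags), the path, and 1-8 NUL bytes so
    the entry length is a multiple of 8. The low 12 bits of the flags hold
    the path length (0xFFF means "longer than that, read to the NUL").
    The file ends with a SHA-1 over everything before it.
    """
    if len(index) < 12 + 20 or index[:4] != b"DIRC":
        raise ValueError("not a git index file")
    version, count = struct.unpack(">II", index[4:12])
    if version != 2:
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(index[:-20]).digest() != index[-20:]:
        raise ValueError("index checksum mismatch (truncated download?)")

    paths = []
    pos = 12
    for _ in range(count):
        start = pos
        flags = struct.unpack(">H", index[pos + 60:pos + 62])[0]
        name_len = flags & 0x0FFF
        pos += 62
        if name_len < 0x0FFF:
            name = index[pos:pos + name_len]
            pos += name_len
        else:
            end = index.index(b"\0", pos)
            name = index[pos:end]
            pos = end
        pos += 8 - ((pos - start) % 8)  # skip the 1-8 bytes of NUL padding
        paths.append(name.decode("utf-8", errors="surrogateescape"))
    return paths


def build_sample_index(paths: list[str]) -> bytes:
    """Constructed test data: a minimal version-2 index with zeroed timestamps."""
    body = b"DIRC" + struct.pack(">II", 2, len(paths))
    for p in paths:
        name = p.encode()
        entry = b"\0" * 24                            # ctime, mtime, dev, ino
        entry += struct.pack(">I", 0o100644)          # regular file mode
        entry += b"\0" * 12                           # uid, gid, size
        entry += hashlib.sha1(b"blob 0\0").digest()   # object id of the empty blob
        entry += struct.pack(">H", len(name))         # flags: stage 0, name length
        entry += name
        entry += b"\0" * (8 - (len(entry) % 8))       # pad to an 8-byte boundary
        body += entry
    return body + hashlib.sha1(body).digest()


# Constructed file list, typical of what an exposed web app's index reveals.
SAMPLE_PATHS = [
    ".env",
    "app/config/database.php",
    "app/Http/Controllers/AuthController.php",
    "composer.json",
]

if __name__ == "__main__":
    print("git HEAD:", is_git_exposed("ref: refs/heads/main\n"))
    print("git HEAD:", is_git_exposed("<html><title>404 Not Found</title></html>"))
    for path in list_tracked_paths(build_sample_index(SAMPLE_PATHS)):
        print("tracked:", path)
```

The index check is the one to run before spending time on a full dump: if `.git/index` downloads and parses cleanly, the repository is recoverable even when directory listing is off, because object paths are derivable from the index and the refs. On the defensive side, the fix is to deny requests for any path component beginning with `.git` at the web server or WAF, and to never deploy a working tree that carries its `.git` directory onto a public host, agency staging servers included.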
The Unraveling
With the source code in hand, I found a vulnerability that would allow an attacker to extract the application's database credentials.
Just like that, InstaBook's secure environment was compromised, all because of a third-party development team consisting of just two developers.
Key Takeaways
1. Assess Your Third Parties
You must scrutinise not just your own infrastructure but also that of any third parties involved in your operation.
2. Never Assume
The people you partner with might not have the same security standards or protocols that you do. Never assume; always verify.
3. Extend Your Scope
When assessing your security posture, consider not only your immediate environment but all the environments your operation touches.
Final Thoughts
Your security is only as strong as your weakest link. Adding third parties to your operations introduces new risks that must be carefully managed to protect your data's integrity and your operations' continuity.
To discuss further, reach out via email at [email protected] or connect on LinkedIn.
Delivering hands-on learning in the most secure way | Product Security Engineer at Skillable, where people learn by doing
1 yr
Anyone with credentials to your environment or with permissions to add custom code to your programs represents some level of risk.
I talk with businesses and Governments about Smarter Planning & Supply Challenges
1 yr
When coding (and security) becomes a race to the bottom, so does your brand.
Senior Technical Engineer who builds tools | Expert in Idea Realization
1 yr
Where's your code, dude?