Light Dark
February 9, 2017 By Christopher Burgess 2 min read
Identity & Access
Data Protection

The Dutch police recently arrested a developer for crimes he committed by writing a website backdoor into e-commerce sites he created and using credentials retained after the engagement concluded. This backdoor provided the malicious insider with sufficient access to perpetrate a number of crimes by leveraging 20,000 users’ credentials.

The Crime

The developer was contracted to create e-commerce sites for his clients. As part of his development process, he placed a website backdoor into his code. He also took advantage of continued administrative access to websites when his clients neglected to revoke his credentials.

According to the Dutch police, the developer captured usernames and passwords through the backdoor and other script he had written. In instances where a client failed to remove his administrative access, he could log in and copy data without relying on the website backdoor. The developer then used these credentials to access user accounts on the websites. Password reuse allowed him to access email and social media accounts as well.

What’s Behind the Website Backdoor?

The developer was counting on the majority of users to exhibit poor online hygiene. He was able to breach social media and other external accounts because many customers reused login credentials across multiple services.

In addition, his clients apparently failed to conduct code reviews to determine functionality and identify points of leakage, which may have identified the backdoor scripts. Furthermore, clients who neglected to revoke the developer’s access upon completion or termination made themselves unnecessarily vulnerable. Anyone with access to his credentials could have breached the environment.

This rogue insider used the stolen credentials to make internet purchases, according to reports. He also leveraged OAuth to break into other accounts associated with the social networking accounts he had breached.

Information garnered from the social networks enabled the cybercriminal to launch social engineering schemes, which created various points of entry into his targets. He also used the data to commit identity theft, which enabled him to open multiple accounts on online gambling sites.

Protect Your Golden Keys

Website project managers must have a firm handle on who has access to back-end and customer data. Website developers, by and large, are an honest group of professionals who take great pride in their work. The case described above drives home the point that organizations should trust but verify the work of all contractors.

A scan of the e-commerce site could have uncovered the malicious code. Even a simple review of the code might have helped the project manager identify the script that permitted the website backdoor. At the very least, ensuring that any third-party credentials were revoked upon completion of the task would have made it more difficult for the malicious insider to steal data.

Access control is paramount. Access to the company’s assets must stop when the contracted work concludes. Furthermore, all e-commerce sites should require two-factor authentication and advise users to create unique user ID/password combinations. Users must protect those social network and email credentials like the golden keys they are.

 |  |  |  | 
Christopher Burgess
CEO at Prevendra

More from Identity & Access
October 23, 2023

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature