The educational start-up is India's premier web and mobile app platform, offering a complete solution for online competitive test preparation. They collaborate with leading coaching institutes, individual tutors and publishers to provide authentic, up-to-date study material for a variety of tests. They offer preparation material for all the key exams, including the CAT, GATE, IES and the Civil Services, among others. Despite being a new company, they already have over 5 million users.
Examine the mobile app and the company's servers for potential vulnerabilities.
Preventing the misuse and public disclosure of user information.
Keeping the software from being reverse engineered and used for malicious purposes.
3 million app downloads.
Pan-India operations had to be taken into consideration.
Engagement of over 5 million students, 10,000 tutors and patrons.
The organization approached Kratikal's security testing department to identify technical and logical vulnerabilities in their mobile application and servers, and to obtain recommendations on how to mitigate the risk of those vulnerabilities being exploited.
The test has been carried out in a dummy environment.
The test was conducted as a Black Box exercise.
Various attacks were attempted against their mobile application and their server.
The tests were conducted in accordance with industry best practices such as those of the Open Web Application Security Project (OWASP).
One of the findings was that the parameters carrying the billed amount of any book or course could be changed by the client.
Parameters such as the customer's mobile number, personal information and so on could likewise be changed.
The SSL/TLS mechanism protecting confidential information such as usernames and passwords in transit had been configured incorrectly.
It was revealed that SSH access was authorized using a private key alone, and that the key was not protected by a passphrase.
The APK could be decompiled: its source code, database structure and mobile architecture were found to be exposed to reverse engineering.
The server was found to be vulnerable to a privilege escalation flaw that could allow an attacker to gain root access.
Because the billing amount parameters could be tampered with, an attacker could buy a book or course for Rs. 1 only, causing the company to lose a lot of money.
Because the OTP verification mechanism could be triggered repeatedly, attackers could flood the SMS inbox of the portal's users.
Due to weak protection at the transport layer, attackers could sniff and manipulate data sent from the mobile application to the server.
The private keys used to secure the SSH connection leave the server exposed if the device or email account holding them is compromised.
Because the application can be reverse engineered, attackers can inject malicious code (such as malware) into it, repackage it and use it to spy on customers or conduct corporate espionage.
An attacker with local user access could use the privilege escalation flaw to gain root on the system, then deface the website, copy customer data, delete or modify databases and infect the server with malware.
By changing the pricing parameter, one could obtain transactions worth Rs 1,000 each for free. More than Rs 100 crore could have been lost because of this.
Their server was found to be vulnerable to a privilege escalation attack, which allows an attacker to:
a. Create any file.
b. Add users.
c. Modify any file.
d. Revoke any user's access.
The attacker could take their servers offline for an unlimited amount of time, which could result in a significant loss of income.
Tampering with the source code of an application can convert it into a tool for spying on individuals or corporate espionage.
An attacker could use the privilege escalation exploit to install ransomware, copy users' data and deface the website.
The company could suffer significant financial losses, potentially costly lawsuits, and a deterioration of their brand image.
To address the parameter tampering issue, we recommended that the company validate the parameters on the server side rather than trusting the amount sent by the application, and that the server's response be matched against the request sent by the application.
We recommended that the SSH private key be protected with a passphrase to improve the security of the application's server.
We recommended that critical changes be made to the application's architecture and authentication process.
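The following is an added example, not code from Kratikal or from the client's application, showing what the parameter tampering finding and this recommendation look like in code. A checkout handler that trusts the `amount` field sent by the mobile app is placed beside a hardened version that recomputes the bill from the server's own price list and rejects any request whose claimed amount does not match. The catalogue, item identifiers, field names and quantity limit are all assumptions made for illustration.

```python
"""Parameter tampering on the billed amount: vulnerable vs hardened checkout.

Added example; the catalogue and request shape are constructed for
illustration and are not the client's real data or code.
"""
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server's authoritative prices in INR.
CATALOGUE = {
    "CAT-2023-BOOK": Decimal("1000.00"),
    "GATE-ONLINE-COURSE": Decimal("4500.00"),
}

MAX_QUANTITY = 10  # assumption: sanity cap on items per order


class OrderError(ValueError):
    """Raised when an order request fails server-side validation."""


def vulnerable_checkout(request: dict) -> Decimal:
    """Charges whatever 'amount' the app sent.

    This mirrors the finding: an attacker who intercepts the request and
    changes amount=1000.00 to amount=1 buys a Rs 1,000 book for Rs 1.
    """
    if request.get("item_id") not in CATALOGUE:
        raise OrderError("unknown item")
    return Decimal(str(request["amount"]))


def hardened_checkout(request: dict) -> Decimal:
    """Recomputes the bill server-side and rejects a mismatching claim.

    The client's 'amount' is treated only as a consistency check; the
    value actually charged is always the one the server computed.
    """
    item_id = request.get("item_id")
    if item_id not in CATALOGUE:
        raise OrderError("unknown item")

    try:
        quantity = int(request.get("quantity", 1))
    except (TypeError, ValueError):
        raise OrderError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise OrderError("quantity out of range")

    expected = CATALOGUE[item_id] * quantity

    try:
        claimed = Decimal(str(request.get("amount")))
    except (InvalidOperation, TypeError, ValueError):
        raise OrderError("amount is not a number")

    if claimed != expected:
        # Log and reject: the app should never disagree with the server.
        raise OrderError(
            f"amount mismatch: client sent {claimed}, server computed {expected}"
        )
    return expected


if __name__ == "__main__":
    # Constructed tampered request: Rs 1,000 book with amount rewritten to 1.
    tampered = {"item_id": "CAT-2023-BOOK", "quantity": 1, "amount": 1}
    print("vulnerable handler charges:", vulnerable_checkout(tampered))
    try:
        hardened_checkout(tampered)
    except OrderError as exc:
        print("hardened handler rejects:", exc)
```

The response the server sends back should carry the server-computed total, so that the app displays and confirms the same figure the server will bill; comparing the client's claim against that figure is what the recommendation's "response matched the request" amounts to in practice.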
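One concrete change to the authentication process that addresses the OTP flooding impact described above is throttling OTP delivery. The block below is an added example, not Kratikal's or the client's code: it enforces a per-number cooldown, a per-number hourly cap, and a per-source hourly cap so that neither repeated requests for one victim's number nor a spray across many numbers from one source can turn the OTP endpoint into an SMS flooding tool. The limits, the phone numbers and the source address are assumptions constructed for illustration.

```python
"""Throttling OTP delivery to stop SMS flooding through the OTP endpoint.

Added example with constructed inputs; limits are assumptions, not the
client's settings.
"""
from collections import defaultdict

COOLDOWN_SECONDS = 60            # assumption: one OTP per number per minute
MAX_PER_PHONE_PER_HOUR = 5       # assumption: at most five OTPs to one number per hour
MAX_PER_SOURCE_PER_HOUR = 20     # assumption: one client address may trigger 20 OTPs per hour
WINDOW_SECONDS = 3600


class OtpThrottle:
    """In-memory sliding-window throttle keyed by phone number and source."""

    def __init__(self) -> None:
        self._by_phone = defaultdict(list)   # phone -> send timestamps
        self._by_source = defaultdict(list)  # source address -> send timestamps

    @staticmethod
    def _prune(times: list, now: float) -> list:
        """Keep only timestamps inside the current window."""
        return [t for t in times if now - t < WINDOW_SECONDS]

    def allow(self, phone: str, source: str, now: float) -> tuple:
        """Decide whether an OTP may be sent; records the send if allowed.

        'now' is passed in explicitly so the logic is deterministic and testable.
        Returns (allowed, reason).
        """
        phone_hist = self._prune(self._by_phone[phone], now)
        source_hist = self._prune(self._by_source[source], now)
        self._by_phone[phone] = phone_hist
        self._by_source[source] = source_hist

        if phone_hist and now - phone_hist[-1] < COOLDOWN_SECONDS:
            return False, "cooldown"
        if len(phone_hist) >= MAX_PER_PHONE_PER_HOUR:
            return False, "per-number cap"
        if len(source_hist) >= MAX_PER_SOURCE_PER_HOUR:
            return False, "per-source cap"

        phone_hist.append(now)
        source_hist.append(now)
        return True, "sent"


def simulate_flood(requests: int) -> int:
    """Attacker hammers one victim's number once a second; returns OTPs delivered."""
    throttle = OtpThrottle()
    victim, attacker_ip = "+919999999999", "203.0.113.7"  # constructed values
    return sum(
        1 for i in range(requests) if throttle.allow(victim, attacker_ip, float(i))[0]
    )


def simulate_spray(requests: int) -> int:
    """Attacker targets a different number each second from one source."""
    throttle = OtpThrottle()
    attacker_ip = "203.0.113.7"  # constructed value
    return sum(
        1 for i in range(requests)
        if throttle.allow(f"+9198000{i:05d}", attacker_ip, float(i))[0]
    )


if __name__ == "__main__":
    print("flood of one number, 100 requests, delivered:", simulate_flood(100))
    print("spray across 100 numbers, delivered:", simulate_spray(100))
```

In a deployment the counters would live in a shared store such as Redis rather than process memory, and the per-source key would typically combine client address with the authenticated session or device identifier; the decision logic stays the same.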
Detailed documentation of the web application vulnerabilities was provided, outlining the problem, its cause, and how to fix it.
We advised them to patch their servers to close the privilege escalation flaw and to automate their patch management process.
For database security and server design, we advised the company on advanced controls, cryptographic techniques and code-hardening measures such as obfuscation.