Pentesting of Blockchain Software and IT Infrastructure for a Fintech Company
The Customer is a US fintech company delivering Bitcoin wallets, crypto ATM solutions, and other blockchain software. Prior to this project, ScienceSoft already provided the Customer with pentesting services and participated in the development of their mobile crypto wallet.
Striving to ensure maximum protection of their clients’ data and financial assets, the Customer sticks to a proactive approach to cyber defense. To stay protected against the newest cyber threats, they perform regular security testing and continuous vulnerability management.
After the Customer’s IT infrastructure underwent significant modifications, they wanted to be sure that their annual penetration testing would be performed by an experienced and scrupulous team.
The Customer already knew ScienceSoft as a reliable penetration testing provider knowledgeable in blockchain. So, the Customer decided to reach out to us again and requested us to examine the security of their core software for crypto ATM, as well as their internal and external IT infrastructure components.
Having thoroughly analyzed the Customer’s security testing needs, ScienceSoft’s team decided to perform black box and gray box penetration tests. First, to explore the vulnerabilities that could enable a potential attacker to break through the Customer’s cyber defense, ScienceSoft’s team followed the black box approach, simulating the actions of real-world hackers. Then, for a more detailed investigation of how attackers could compromise the Customer’s apps and IT infrastructure once they infiltrated the system, ScienceSoft’s security engineers later switched to gray box methods.
ScienceSoft’s security team tested the Customer’s mobile and web applications, as well as their internal and external infrastructure components: servers, databases, APIs, Bitcoin nodes etc. The testing revealed multiple vulnerabilities of different severity levels. The most critical security issues included:
- Broken access control vulnerability: a person logged in as a regular user could give themselves admin rights.
- Insecure configurations of an SMTP server that enabled malicious actors to obtain valid logins by brute-forcing usernames, to perform man-in-the-middle attacks, and to observe traffic between the website and its visitors.
- Using outdated software (Nginx, OpenSSH, .NET CORE and more) with known vulnerabilities that could enable DoS and injection attacks, arbitrary code execution or disclose sensitive information.
- Mobile app brute force vulnerability: easy-to-guess activation codes.
- Enabled debug mode in the mobile app, allowing potential attackers to execute code and scripts of their choice.
To prevent potential security breaches and promptly close the revealed security gaps, ScienceSoft’s security experts recommended:
- Restricting access to user roles.
- Disabling the vulnerable SMTP configurations, switching to secure transport protocols.
- Patching or fully updating the outdated software.
- Changing the format of activation codes to make them harder to guess.
- Disabling the debug mode.
The Customer received detailed reports on the detected security issues, prioritized according to their criticality. ScienceSoft’s security testing team also provided detailed guidelines on the optimal corrective measures to remediate the discovered vulnerabilities and prevent their exploitation by malicious actors. Satisfied with the quality of ScienceSoft’s services, the Customer remained willing to continue our cooperation.
Technologies and Tools
Burp Suite, Qualys, Netcat, Nmap, SSLscan, cURL.