In a groundbreaking cybersecurity investigation, researchers identified several critical vulnerabilities in a target system, eventually gaining control over 3,000 subsidiary companies managed by a parent organization.
The exploration leveraged flaws in API configurations, bypassed key security protocols, and exposed sensitive employee and customer data.
This research spanned three weeks and demonstrated the persistent risks of inadequate access controls in modern, API-driven infrastructures.
The research team discovered these exploits while conducting tests on an organization’s APIs.
During their assessments, they identified unusual responses when submitting certain requests, which hinted at potential backend API access via path traversal.
The researchers attempted to use the traversal method but encountered a Web Application Firewall (WAF) blocking the requests.
However, through further analysis of JavaScript (JS) files, they located a production domain that bypassed the WAF’s restrictions, opening the door for deeper exploration.
Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
Backend Exposure
The researchers conducted extensive fuzzing, eventually uncovering an application.wadl endpoint linked to microservices responsible for the company’s payment system.
This endpoint mapped frontend API paths to internal backend microservices.
The team exploited this to extract sensitive operational data, including employee Personally Identifiable Information (PII), fingerprints, and customer invoices via mobile numbers.
These findings underscored a failure in backend request validation, allowing unauthorized access to confidential documents.
The investigation then led to an administrative superpanel managing all 3,000 subsidiary companies.
Initially, access to this panel required valid authentication credentials.
Employing username enumeration and custom wordlist-based brute-forcing, the researchers successfully bypassed the login, gaining administrative control.
This enabled them to modify national IDs, passwords, and other sensitive data across the company’s entire ecosystem.
Bypassing KYC Verification for Telecom Number Takeover
In a parallel attack on the company’s telecom operations, the researchers found methods to bypass Know Your Customer (KYC) checks.
Originally, backend requests for number transfers returned a “417 Expectation Failed” error.
However, by directly interacting with the backend API, they bypassed these checks and transferred customer phone numbers with fraudulent credentials, exposing subscribers to account takeover and identity theft.
One of the critical exploits relied on discrepancies in how the organization’s APIs handled authentication and authorization.
While the Frontend API blocked unauthorized requests, the Backend API interpreted malformed path traversal requests differently, bypassing authentication.
This revealed a fundamental weakness in request normalization and path sanitization practices.
This case illustrates the severe consequences of overlooking backend API security.
The researchers reported the vulnerabilities, and while the organization addressed certain issues, the scope of the discovered risks demanded a comprehensive overhaul of security practices.
Key recommendations include implementing uniform request validation across frontend and backend systems, enforcing WAF protections in all environments, and periodically auditing API endpoints for misconfigurations.
This extensive exploit chain highlights how minor misconfigurations, when methodically exploited, can snowball into catastrophic breaches, affecting thousands of users and stakeholders.
Cybersecurity professionals must treat API protection as a cornerstone of modern security strategies.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar