Did Your Developer Leave a Website Backdoor?

The Dutch police recently arrested a developer for crimes he committed by writing a website backdoor into e-commerce sites he created and using credentials retained after the engagement concluded. This backdoor provided the malicious insider with sufficient access to perpetrate a number of crimes by leveraging 20,000 users’ credentials.

The Crime

The developer was contracted to create e-commerce sites for his clients. As part of his development process, he placed a website backdoor into his code. He also took advantage of continued administrative access to websites when his clients neglected to revoke his credentials.

According to the Dutch police, the developer captured usernames and passwords through the backdoor and other script he had written. In instances where a client failed to remove his administrative access, he could log in and copy data without relying on the website backdoor. The developer then used these credentials to access user accounts on the websites. Password reuse allowed him to access email and social media accounts as well.

What’s Behind the Website Backdoor?

The developer was counting on the majority of users to exhibit poor online hygiene. He was able to breach social media and other external accounts because many customers reused login credentials across multiple services.

In addition, his clients apparently failed to conduct code reviews to determine functionality and identify points of leakage, which may have identified the backdoor scripts. Furthermore, clients who neglected to revoke the developer’s access upon completion or termination made themselves unnecessarily vulnerable. Anyone with access to his credentials could have breached the environment.

This rogue insider used the stolen credentials to make internet purchases, according to reports. He also leveraged OAuth to break into other accounts associated with the social networking accounts he had breached.

Information garnered from the social networks enabled the cybercriminal to launch social engineering schemes, which created various points of entry into his targets. He also used the data to commit identity theft, which enabled him to open multiple accounts on online gambling sites.

Protect Your Golden Keys

Website project managers must have a firm handle on who has access to back-end and customer data. Website developers, by and large, are an honest group of professionals who take great pride in their work. The case described above drives home the point that organizations should trust but verify the work of all contractors.

A scan of the e-commerce site could have uncovered the malicious code. Even a simple review of the code might have helped the project manager identify the script that permitted the website backdoor. At the very least, ensuring that any third-party credentials were revoked upon completion of the task would have made it more difficult for the malicious insider to steal data.

Access control is paramount. Access to the company’s assets must stop when the contracted work concludes. Furthermore, all e-commerce sites should require two-factor authentication and advise users to create unique user ID/password combinations. Users must protect those social network and email credentials like the golden keys they are.

Share this Article:
Christopher Burgess

CEO at Prevendra

Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security strategies, be they for your company, home or family. Christopher co-authored "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century" (Syngress, March 2008) and authored the e-book, "Senior Online Safety" (Prevendra, March 2014) and is the voice behind the website, "Senior Online Safety." Prior to the founding of Prevendra, Christopher held a variety of private and public sector positions, which included, chief operating office and chief security officer of a big data analytic company, Atigeo; Senior Security Advisor to the CSO of Cisco, a Fortune 100, and 30+ years within the Central Intelligence Agency. The CIA awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher resides in Woodinville, WA with his family, two dogs and two horses.