The Dutch police recently arrested a developer for crimes he committed by writing a website backdoor into e-commerce sites he created and using credentials retained after the engagement concluded. This backdoor provided the malicious insider with sufficient access to perpetrate a number of crimes by leveraging 20,000 users’ credentials.

The Crime

The developer was contracted to create e-commerce sites for his clients. As part of his development process, he placed a website backdoor into his code. He also took advantage of continued administrative access to websites when his clients neglected to revoke his credentials.

According to the Dutch police, the developer captured usernames and passwords through the backdoor and other script he had written. In instances where a client failed to remove his administrative access, he could log in and copy data without relying on the website backdoor. The developer then used these credentials to access user accounts on the websites. Password reuse allowed him to access email and social media accounts as well.

What’s Behind the Website Backdoor?

The developer was counting on the majority of users to exhibit poor online hygiene. He was able to breach social media and other external accounts because many customers reused login credentials across multiple services.

In addition, his clients apparently failed to conduct code reviews to determine functionality and identify points of leakage, which may have identified the backdoor scripts. Furthermore, clients who neglected to revoke the developer’s access upon completion or termination made themselves unnecessarily vulnerable. Anyone with access to his credentials could have breached the environment.

This rogue insider used the stolen credentials to make internet purchases, according to reports. He also leveraged OAuth to break into other accounts associated with the social networking accounts he had breached.

Information garnered from the social networks enabled the cybercriminal to launch social engineering schemes, which created various points of entry into his targets. He also used the data to commit identity theft, which enabled him to open multiple accounts on online gambling sites.

Protect Your Golden Keys

Website project managers must have a firm handle on who has access to back-end and customer data. Website developers, by and large, are an honest group of professionals who take great pride in their work. The case described above drives home the point that organizations should trust but verify the work of all contractors.

A scan of the e-commerce site could have uncovered the malicious code. Even a simple review of the code might have helped the project manager identify the script that permitted the website backdoor. At the very least, ensuring that any third-party credentials were revoked upon completion of the task would have made it more difficult for the malicious insider to steal data.

Access control is paramount. Access to the company’s assets must stop when the contracted work concludes. Furthermore, all e-commerce sites should require two-factor authentication and advise users to create unique user ID/password combinations. Users must protect those social network and email credentials like the golden keys they are.

More from Identity & Access

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today