Did Your Developer Leave a Website Backdoor?
The Dutch police recently arrested a developer for crimes he committed by writing a website backdoor into e-commerce sites he created and using credentials retained after the engagement concluded. This backdoor provided the malicious insider with sufficient access to perpetrate a number of crimes by leveraging 20,000 users’ credentials.
The developer was contracted to create e-commerce sites for his clients. As part of his development process, he placed a website backdoor into his code. He also took advantage of continued administrative access to websites when his clients neglected to revoke his credentials.
According to the Dutch police, the developer captured usernames and passwords through the backdoor and other script he had written. In instances where a client failed to remove his administrative access, he could log in and copy data without relying on the website backdoor. The developer then used these credentials to access user accounts on the websites. Password reuse allowed him to access email and social media accounts as well.
What’s Behind the Website Backdoor?
The developer was counting on the majority of users to exhibit poor online hygiene. He was able to breach social media and other external accounts because many customers reused login credentials across multiple services.
In addition, his clients apparently failed to conduct code reviews to determine functionality and identify points of leakage, which may have identified the backdoor scripts. Furthermore, clients who neglected to revoke the developer’s access upon completion or termination made themselves unnecessarily vulnerable. Anyone with access to his credentials could have breached the environment.
This rogue insider used the stolen credentials to make internet purchases, according to reports. He also leveraged OAuth to break into other accounts associated with the social networking accounts he had breached.
Information garnered from the social networks enabled the cybercriminal to launch social engineering schemes, which created various points of entry into his targets. He also used the data to commit identity theft, which enabled him to open multiple accounts on online gambling sites.
Protect Your Golden Keys
Website project managers must have a firm handle on who has access to back-end and customer data. Website developers, by and large, are an honest group of professionals who take great pride in their work. The case described above drives home the point that organizations should trust but verify the work of all contractors.
A scan of the e-commerce site could have uncovered the malicious code. Even a simple review of the code might have helped the project manager identify the script that permitted the website backdoor. At the very least, ensuring that any third-party credentials were revoked upon completion of the task would have made it more difficult for the malicious insider to steal data.
Access control is paramount. Access to the company’s assets must stop when the contracted work concludes. Furthermore, all e-commerce sites should require two-factor authentication and advise users to create unique user ID/password combinations. Users must protect those social network and email credentials like the golden keys they are.