The information that users share on online dating sites is unusually personal, so businesses running these sites must have absolute confidence in their information security arrangements. Our client, a provider of online dating and matchmaking services, asked us to test a number of its white label sites and their corresponding back-end systems. The applications were hosted on a staging environment, allowing for testing prior to launch.
We assessed the applications' functionality from a number of security perspectives and identified several mission-critical and high-risk issues that could lead to a loss of confidentiality and integrity, and threaten the availability of data. The most critical of these was the presence of a malicious file on the back-end servers. This type of file is usually stored on a compromised server by attackers to extend their attacks or to gain access to the server in the future.
We identified a range of other issues: input validation vulnerabilities, which made the applications vulnerable to a type of attack known as Cross-Site Scripting; a critical SQL injection flaw that could have given cyber attackers access to sensitive information in the back-end database; and a vulnerability that could have allowed cyber attackers to view arbitrary files located on the web server. Poor coding practices and insecure web server configuration also contributed to poor security overall.
Our final report provided detailed technical analysis of the areas requiring attention and prioritised them according to the level of risk they represented. We also set out recommended remediation steps to increase the level of security, providing our client with the insight required to develop secure applications that would meet customers’ expectations.
If you need help securing your sensitive information, speak to one of our penetration testing consultants or read more about our technical security and penetration testing services.
If you would like to develop your knowledge and skills in the latest penetration testing techniques, find out about our range of ethical hacking training courses.