This past week I was able to uncover some massive vulnerabilities, stemming from terrible configuration and just lazy work, on our cloud ERP provider. I can access other companies’ data, including but not limited to, employee details, XML for tax documents, and even have access to the ERP provider’s DC (not as admin, but that wouldn’t be too hard). None of this was acquired through penetration – hacking – but instead just knowing what to look for and where to look for it. Note, cybersecurity in the country I’m in is light years behind the ‘developed world.’

Anyways, we have been in the process of transitioning to this cloud ERP for about 5 months now, 1 of which I was not yet working for this company. Tomorrow I will be meeting with our company lawyer early to explain what was acquired and how, and later in the day we are attempting to schedule a meeting with the higher-ups of this ERP provider. I wanted to ask for some advice here as this is my first time in this situation. I am working towards a pen testing career so have taken some basic certs, but nothing has prepared me for being “thrown into the game” like this. I am worried about how to present my findings; any recommendations? Anything to focus on or anything to avoid? I know this is a very general question, and I apologize for it, but any advice at all would help me!

7 Comments

  • lawtechie

    November 8, 2021

    Check the ERP vendor for a bug bounty/ vulnerability disclosure policy.

  • sharpkunai

    November 8, 2021

    Hey, amazing work! I would recommend that you gather evidence, such as screenshots, and make a small presentation that can be explained to your audience. Point out the method you used to bypass the ERP security and, if possible, suggest a fix/patch so that the provider can take it into consideration.

  • random869

    November 8, 2021

    See if they have a bug bounty program and submit this on your own for the $$$ and credit

  • ConsistentComment919

    November 8, 2021

    If you can’t find the bug bounty program, try to find on LinkedIn anyone with a security title or even a CTO.

  • mughal71

    November 8, 2021

    I’d say it’s a smart move to talk to your management team first, as well as your corporate counsel, if possible, before engaging with the provider. The ERP provider can either respond well to your actions and try to correct the issues. There’s another version of this, however, where they may react in a hostile, defensive manner and intimate that you’ve committed a crime by “hacking” their application.

    Yes, this doesn’t make sense, but sometimes, management teams are driven by risk, fear and lack of understanding, rather than by rational/logical thinking.

    There was a story recently about the US state of Missouri that is apparently suing a journalist that uncovered some security flaws in a state gov’t website:

    https://www.wired.com/story/missouri-threatens-sue-reporter-state-website-security-flaw/

    Mind boggling.

    Good luck with your actions

  • DrRiAdGeOrN

    November 8, 2021

    Consider a screen recording of you performing the actions; that way you are able to demonstrate highlights without having to do it for real under pressure.

    Nice Job!

  • _babycheeses

    November 8, 2021

    Having worked with a couple I can assure you they will 1) not take you seriously 2) ignore you 3) threaten you 4) possibly schedule a release addressing the issue next quarter
