Unsafe Objects in the Retail Industry

Working as subject matter experts within the internal audit function of a large retailer, we performed an external pentest to provide technical feedback to management as well as reporting to the audit and risk committee.

The retailer's website had a function to accept applications, requiring customers to submit supporting documents containing sensitive information. Within this function, we found an insecure direct object reference (IDOR): the document and application records were retrieved by a client-supplied identifier with no check that they belonged to the requesting customer, which allowed us to access all other applications and supporting documents. From a financial perspective, the risk to the retailer was likely quite low, but the same can't be said about the individuals whose information could have been accessed by malicious actors.
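To make the finding concrete, here is an added example of the defect class (it is not code from the retailer's site, whose stack the post does not describe). The hypothetical `get_document_insecure` handler mirrors the IDOR: it fetches a supporting document by the identifier the client supplies, so any authenticated applicant can read any other applicant's file. `get_document_secure` shows the fix, scoping the lookup to the authenticated requester. The in-memory store, user ids and filenames are constructed for illustration, and `accessible_ids` is a small audit helper that reports what a given requester can retrieve across a range of ids, which is how a tester would measure exposure before and after the fix.

```python
"""Added example, not from the original post: an insecure direct object
reference in a document-retrieval endpoint, beside an ownership-checked
version. All identifiers and records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    filename: str


# Constructed sample data: two applicants, each with one supporting document.
DOCUMENTS = {
    101: Document(doc_id=101, owner_id=1, filename="applicant1_payslip.pdf"),
    102: Document(doc_id=102, owner_id=2, filename="applicant2_statement.pdf"),
}


class NotFound(Exception):
    """Raised when a document is missing or not visible to the requester."""


def get_document_insecure(requester_id: int, doc_id: int) -> Document:
    """Vulnerable handler: the lookup uses only the client-supplied doc_id.
    requester_id is available (the user is authenticated) but never consulted,
    so any user who changes the id in the request reads someone else's file."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_secure(requester_id: int, doc_id: int) -> Document:
    """Fixed handler: the lookup is scoped to the authenticated requester.
    A document owned by another user is reported exactly like a missing one,
    so the response does not confirm that the guessed id exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != requester_id:
        raise NotFound(doc_id)
    return doc


Handler = Callable[[int, int], Document]


def is_accessible(handler: Handler, requester_id: int, doc_id: int) -> bool:
    """True if the handler returns a document for this requester and id."""
    try:
        handler(requester_id, doc_id)
        return True
    except NotFound:
        return False


def accessible_ids(handler: Handler, requester_id: int,
                   id_range: Iterable[int]) -> List[int]:
    """Audit helper: which ids in id_range does this requester get back?
    Against a correct handler the answer is only the requester's own records."""
    return [d for d in id_range if is_accessible(handler, requester_id, d)]


if __name__ == "__main__":
    # Requester 1 probing ids 100..104 against each handler.
    print("insecure:", accessible_ids(get_document_insecure, 1, range(100, 105)))
    print("secure:  ", accessible_ids(get_document_secure, 1, range(100, 105)))
```

The important design choice in the fixed handler is that the ownership condition is part of the lookup itself rather than a separate check that could be forgotten on another code path, and that "not yours" and "does not exist" produce the same response. In a real application the same scoping belongs in the database query (filter by both document id and owner), and the audit helper's output, one user seeing only their own records, is the condition to assert in a regression test so the fix cannot silently regress.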

Full credit to the retailer for implementing an immediate fix, thereby protecting their customers and their own reputation.