Okay, so here it goes. I am the Red Team Lead, and as described earlier, not long ago (about a week), I posted this. At the time, I was looking for a good technical title which could match my findings. I labelled it 'Weak Password Policy'. Since most of the penetration testers failed, I had to take the assignment and made it through the entire thing successfully. Now, there is a little situation (the client had already specified that the test had to be black-box and not white-box {we were not given any credentials}).
Now, after patching up the identified vulnerabilities, we got exactly this reply from them (isn't that why you would sign an NDA for this in the first place, if you never trusted the company you hand your black-box pentest to!?):
What was the intent? Backdoor?
Is it ethical? Shouldn't we just let the party know about that weak password, instead of creating a secondary account (with a fake name) and NOT informing US about it? NOT ACCEPTABLE!
How do we trust that no data was downloaded and mis-used?
How do we make sure there were not more accounts created with some malicious intention?
What happened here was that, for testing purposes, as is often the case in a black-box pentest, the tester is required to additionally run all the checks to see if a privileged account could have been obtained. There is this situation (mentioned above) which keeps bugging me: what would I say here? I need opinions and some real insight to tell whether what I did was wrong, or whether they should have known what a 'black-box' assessment was for in the first place (to reveal impacts!).