Some time back, I wrote about how MFA is not foolproof, and how social engineering attacks can succeed when the client device or application is compromised. You may be surprised (or may not be!) to learn that social engineering attacks can also happen on the server side. Let’s look at how this happens, and how to protect ourselves and our organisations’ assets from such attacks.
A typical social media platform promises account security through MFA. So I am satisfied that, once I have entered the generated code and logged in to my account, I am safe. Once logged in, I am inside the platform’s server space, and I assume that space is safe, which need not be the case. There are multiple ways an attacker could already be present on a social media platform, carrying out social engineering attacks by getting people to click on things that look interesting and that we generally trust as safe but, unfortunately, are not.
On a typical social media platform, the left pane offers several options: Explore, Search, Notifications, and so on. Each of these could be a potential threat: an unsuspecting user could click on a plain link, or on a link hidden behind a hashtag, and be taken to a URL where their personal account information or financial information is harvested, or where malware or spyware is pushed onto the client device over the already established secure connection!
From a testing perspective, this is rarely something we foresee, but it is definitely a security testing use case that we need to cover. When code is written, the quality folks who review it alongside the developer can ask the developers for additional checks so that the code prevents such attacks. During post-development testing, testers can then exercise this case thoroughly to make sure that such possibilities are closed off entirely.
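As an added example of the kind of server-side check described above (this is not code from the original post, and the platform, host names and paths it uses are hypothetical), the following Python renders a user-submitted post so that hashtags always point at the platform’s own search page and any URL in the post is only turned into a clickable link after passing an allowlist check. Links that fail the check are shown as inert text, and external links that pass are routed through an interstitial page and marked `rel="noopener noreferrer nofollow"`, so a user who clicks is told they are leaving the platform.

```python
"""Server-side link hygiene for user-generated posts (added example).

Assumes a hypothetical social platform whose own hosts are listed in
INTERNAL_HOSTS, whose hashtag search lives at /search?tag=..., and whose
"you are leaving" interstitial lives at /leaving?to=...
"""
import html
import re
from urllib.parse import quote, urlsplit

# Only plain web links are ever rendered as clickable.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample data; a real deployment would load this from config.
INTERNAL_HOSTS = {"example-social.test", "www.example-social.test"}

# A URL token is scheme://non-space-run; a hashtag is #word (max 64 chars).
TOKEN_RE = re.compile(
    r"(?P<url>[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>\"']+)"
    r"|#(?P<tag>[A-Za-z0-9_]{1,64})"
)


def validate_link(raw: str) -> bool:
    """Return True only for an http(s) URL that has a host, carries no
    embedded credentials and contains no control characters."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return False  # newline/tab smuggling into the href
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return False  # e.g. malformed IPv6 literal
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # blocks javascript:, data:, vbscript:, file:, ...
    if not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://bank.example@evil.test/" style deception
    return True


def is_internal(raw: str) -> bool:
    """True if the URL's host is one of the platform's own hosts."""
    host = urlsplit(raw).hostname or ""
    return host.lower() in INTERNAL_HOSTS


def _render_url(raw: str) -> str:
    if not validate_link(raw):
        return html.escape(raw)  # inert text, never an <a>
    if is_internal(raw):
        return f'<a href="{html.escape(raw, quote=True)}">{html.escape(raw)}</a>'
    # External: go via the interstitial, and never leak the referrer.
    target = "/leaving?to=" + quote(raw, safe="")
    return (f'<a href="{target}" rel="noopener noreferrer nofollow">'
            f"{html.escape(raw)}</a>")


def render_post(text: str) -> str:
    """Escape the post body and linkify hashtags and validated URLs."""
    out = []
    pos = 0
    for m in TOKEN_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        if m.group("url") is not None:
            out.append(_render_url(m.group("url")))
        else:
            tag = m.group("tag")
            out.append(f'<a href="/search?tag={quote(tag)}">#{html.escape(tag)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts.
    for post in (
        "Check #Deals at https://shop.test/sale",
        "Login here: https://bank.example@evil.test/login",
        "<b>hi</b> javascript://%0aalert(1)",
        "Help: https://example-social.test/help",
    ):
        print(render_post(post))
```

The same `validate_link` check belongs wherever a URL enters the system (post creation, profile fields, ad creatives), not only at render time; the test case for the QA team is then simply that none of the constructed malicious posts above produce a clickable link.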
In summary, we, as clients, trust that the servers are safe, but they need not be. It is best to apply zero trust principles when we use them. Many cybersecurity attacks succeed because of human fallibility, so it is important for both the client and the server code to look for such possibilities and prevent them outright.
For more information and to plan how to prevent such attacks in your software, feel free to have a discussion with me.
Let’s build secure software towards great software quality!