Security Assessment Revealed an Account Takeover in A Mobility Startup

In our role as entrusted partners to an emerging ridesharing startup in Africa, we were given the significant responsibility of conducting a rigorous 7-day penetration test (security assessment) on their web and mobile applications. The assessment uncovered a number of severe vulnerabilities that posed risks to the client’s operations and to the security of their users’ data.

Security Assessment – Identifying several vulnerabilities

Of utmost concern was a critical account takeover vulnerability in the client’s mobile application, which had a substantial user base of over 3,000 individuals. The vulnerability allowed a malicious actor to gain unauthorized access to any application user’s account, compromising the security and privacy of those users. Such access could have exposed sensitive information, including credit card details, previous locations, and other personal data, with consequences that would have been detrimental to both the users and the company.

Furthermore, we discovered a vulnerability in one of the client’s microservice APIs that gave us unauthorized access to the Personally Identifiable Information (PII) of both drivers and customers. This exposure could have led to a data privacy breach, the unauthorized disclosure of user data, and further account takeovers. Compounding the severity, the same microservice also exposed authentication details, increasing the likelihood of unauthorized access and undermining the overall integrity of the client’s system.

Our comprehensive examination and identification of these vulnerabilities have provided the client with crucial insights, enabling them to take immediate and decisive action to mitigate these risks. By addressing these vulnerabilities promptly, the client can secure their operations and protect the sensitive data of their drivers and customers, ensuring a safe and secure ridesharing experience for all parties involved.

To summarize the severe vulnerabilities identified:

  1. Account Takeover: Reset any application user’s password
  2. Broken Access Control: User PII Leakage
  3. Privilege Escalation: Tier 3 User gaining access to Tier 1 User data

Our assessment team diligently uncovered over 50 vulnerabilities in total, illustrating the extent of security challenges within the client’s digital infrastructure. This abundance of issues underscores the critical need for immediate action to safeguard user data and system integrity.


Our success in identifying these vulnerabilities can be attributed to the unique and tailored security methodology employed by the Bluefire Redteam. Our innovative approach enhances both effectiveness and efficiency in security testing and vendor services. By adopting our proactive stance and custom practices, we aim to fortify the client’s security posture, mitigate risks, and enable them to continue their journey as a trusted and secure ridesharing service provider in Africa.


In conclusion, our assessment has provided invaluable insights into the client’s security landscape, emphasizing the urgency of addressing the identified vulnerabilities. We remain committed to assisting the client in rectifying these issues and enhancing their security posture, ensuring the safety and trust of their drivers and customers.

Partner with us for holistic penetration testing for your assets. Contact Us Today!
