Who’re you gonna call when you need to break into an unmanaged legacy app? Ethical hackers!

Anastasija Uspenski

What do you do when the developer of the mission-critical application goes missing while leaving no documentation behind? Try to hack it!

When we hear the word “hacker,” we immediately think of someone who uses their expertise and technical knowledge to gain unauthorized access to a computer system, exploiting its weaknesses and potential errors, often driven by malicious motives. Over time, the word has acquired a bad connotation due to frequent misuse and the portrayal of malicious hackers in the media.

Hackers have the skill to create algorithms to crack passwords, penetrate networks, or disrupt network services. Malicious hacking primarily focuses on stealing valuable information or seeking financial gain. However, not all hacking activities are harmful. This brings us to ethical hacking. But what exactly does ethical hacking involve, and why is it relevant? Andreas Creten, CEO and Founding Partner at madewithlove, answered this question.

He and his team used ethical hacking techniques to break into an unmanaged legacy application for a customer. The developer of a critical application disappeared without leaving behind any documentation, so their only option was to hack the system! This was also the topic of his lecture at the Full Stack Europe conference in Antwerp, which took place this October, and after his talk, we had the following conversation.

When is hacking acceptable?

Andreas described a situation in which a customer asked his company for help. In his words, the customer approached them after losing contact with the developer who had created their application. They needed to discover where the application was hosted or identify who managed the server.

The application was a mission-critical part of their company; they needed to change it and could no longer reach the developer. After a couple of agencies turned them down, Andreas and his team were asked to rebuild it from scratch:

We were like their last resort, and we said OK, let’s try to figure out if we can work with what we have and get the data out of it because it’s, of course, essential for them to get all the data, and the historical data as well.

They decided to hack the system ethically to retrieve the data for future use. Once they had extracted the data, they rebuilt the whole application.

Of course, before all that, they tried to reach the developer who initially worked on the mentioned application, but it turned out that he could not be of any help to them:

We have been in contact with him, and it turned out he was in the hospital, but he was unwilling to cooperate with transferring the application. The customers were locked in functionally. They couldn’t get access to the service anymore. But also, from a legal perspective, the guy was unwilling to let go.

What distinguishes ethical hackers from regular ones?

Andreas explained that if the developer had only signed a paper and said: “ok, you can take over the application and get access to my servers,” it would have been a different situation because they wouldn’t need to hack it. But the developer kept declining to help. So they had to do it this way – to hack the system ethically.

Also, he highlighted the fundamental contrast between ethical hacking and just hacking. Ethical hacking involves identifying security vulnerabilities and reporting them to companies instead of causing harm:

It’s about discovering and utilizing security flaws for our customers’ benefit. Good intentions ultimately drive ethical hacking.

The main tool they used was sqlmap

Their primary tool was sqlmap, which they used to exploit a SQL injection flaw in the application. After all, that’s the whole thing about hacking:

I showed an example of doing it for a good cause, but I could use the same thing to pull, let’s say, all the Belgians’ data out of the national system. I find a hole like that. So, we use the same tool and build the tooling around it to make it easier to get all the data out.

He concludes that a hacker typically wants just one database table: the users, with their email addresses and phone numbers, so they can start phishing them. He and his team needed all the data because they wanted to rebuild the application.
