They never imagined or thought that we would go to a certain place and hack their server.
A week ago, our company colleagues told us that we needed to integrate with a third-party CRM. We were somewhat happy because we were supposed to get a bonus for this work, and that’s why we agreed to do it.
Things took a turn when we didn’t receive the bonus, and one of our senior colleagues noticed that we were fetching data without a password. They weren’t very aware of this matter.
We had seen a technique on the internet that explained how you can log in through cookies, so we understood that by saving everything in a variable, we could fetch the data.
When our boss saw this, he went there and had a meeting with them about what was going on. They said it was nothing, just cookies, and that we were using them. However, the issue is that when you bring the API, we will accept you.
When we had completed all the work, we realized that yes, we could do this because we had done it three times before. However, when we looked into it and saw that this was happening, we had been keeping an eye on that opposing company for quite a while. We thought, let’s check their website because they were showing this data in their CRM.
We suspected that the developers they had weren’t very experienced, as they had made many mistakes in the code. They were using a third-party CRM, which was a large company and generally very secure, but these people weren’t secure because their directories were open, and they had embedded API keys directly in JavaScript in many places.
When we realized that they had placed all these keys in JavaScript, we managed to grab the API and retrieved the documentation for that CRM from the internet.
Once we obtained the documentation, we found out that all the data was coming from there. We discussed this with our team, and one of our very good friends said that they wouldn’t pay us.
We said, “Alright, if they don’t pay, then let them be, but they will realize where we stand, and then everything will change from there.”
With this PHP script, we ran a loop and stored the API key and ID in a variable. At that moment, we had limited time because the API had a request limit, so we decided to wait for Monday or Saturday or Sunday—these two days we could work and grab all the information from the CRM.