Problem#

A client application provided test credentials for login.
During authentication, the application returned a permission-related error, even though the actual issue was a missing network connection.

Constraints#

  • Only test credentials available
  • No direct access to backend systems
  • Application treated as a black box
  • Behavior inconsistent with expected network failure handling

Approach#

Treat the application as an observable system:

  • Analyze error behavior and compare it with actual network conditions
  • Inspect connection attempts and identify target endpoints
  • Observe that the application connects directly to a publicly reachable MySQL port using TLS
  • Analyze the application binary to understand how authentication is handled

Finding#

The application contained a private key used for database authentication within its binary.

Authentication logic and permission handling were implemented on the client side instead of being enforced by a backend service.
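A build-time check that would have caught this finding before release, added here as an illustration (it is not the assessed application's tooling): scan the compiled artifact's raw bytes for PEM private-key armour and fail the release gate when any is found. The sample artifact bytes and the placeholder key text are constructed for the demonstration.

```python
"""Scan a build artifact for embedded private-key material.

Added example (not the assessed application's code): a release gate that
fails when PEM private-key blocks are present in a binary. The sample
bytes below are constructed; the "key" is a placeholder, not key material.
"""
import re
from typing import List

# PEM armour for the private-key types most often found embedded in clients.
# The backreference \1 ties the END label to the BEGIN label so a stray
# header without its footer does not count as a whole block.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb".*?-----END \1-----",
    re.DOTALL,
)


def find_embedded_private_keys(blob: bytes) -> List[str]:
    """Return the PEM label of every private-key block found in blob, in
    order of appearance. Works on raw bytes, so it can run over compiled
    binaries, archives or container layers without parsing them."""
    return [m.group(1).decode("ascii") for m in PEM_PRIVATE_KEY.finditer(blob)]


def scan_file(path: str) -> List[str]:
    """Convenience wrapper for a release pipeline: scan one artifact on disk."""
    with open(path, "rb") as fh:
        return find_embedded_private_keys(fh.read())


# Constructed sample: opaque binary-looking bytes with a fake PEM block spliced in.
FAKE_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIEconstructedplaceholdernotarealkey\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_BINARY = b"\x7fELF" + bytes(range(256)) + FAKE_KEY + b"\x00" * 32

# A certificate (public material) is legitimate to ship and must not trigger the gate.
CLEAN_BINARY = (
    b"\x7fELF" + bytes(range(256))
    + b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    hits = find_embedded_private_keys(SAMPLE_BINARY)
    for label in hits:
        print(f"release gate: embedded {label} found in artifact")
    raise SystemExit(1 if hits else 0)
```

Run it as the last step of the packaging job: a non-zero exit blocks the release. Public material such as certificates is deliberately left out of the pattern, since shipping a CA bundle or pinned certificate in a client is expected.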

Outcome#

  • Database access could be established using the extracted key and provided test credentials
  • Full access to the database was possible, including data extraction
  • Security issue documented and reported to the customer

Recommendation#

Authentication and authorization must be handled server-side.

Clients should never:

  • contain private keys
  • directly access databases
  • implement permission logic locally

Instead, access should be mediated through a controlled interface (e.g. an API) that validates every request and enforces authorization on the server.
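The recommended architecture in code, as an added example that is not the assessed application's code or the customer's implementation: a backend that is the only component holding a database handle, verifying credentials and deciding authorization from its own session state, placed beside the client-enforced pattern from the finding. Users, records, passwords and the placeholder key string are all constructed for the example.

```python
"""Server-mediated authorization versus client-enforced checks.

Added illustration (constructed names and data, not the assessed
application): Backend owns the data and decides every access; InsecureClient
shows the pattern from the finding, where the client holds the database
credential and enforces permissions itself.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: two users, each owning one record.
RECORDS: Dict[str, Dict[str, str]] = {
    "rec-1": {"owner": "alice", "body": "alice's data"},
    "rec-2": {"owner": "bob", "body": "bob's data"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Backend:
    """The only component that touches the database.

    Credentials are verified and every data access is authorized here, so
    nothing the client ships (keys, flags, role claims) can widen access.
    """

    def __init__(self) -> None:
        self._users: Dict[str, tuple] = {}
        self._sessions: Dict[str, str] = {}  # opaque token -> username
        # Constructed test accounts; a real deployment loads these from storage.
        for name, pw in (("alice", "alice-test-pw"), ("bob", "bob-test-pw")):
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _hash_password(pw, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None otherwise."""
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, expected = entry
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def get_record(self, token: str, record_id: str) -> Optional[Dict[str, str]]:
        """Authorization is decided from the server-side session, never from
        any identity or role the client claims in its request."""
        user = self._sessions.get(token)
        if user is None:
            return None  # unauthenticated
        record = RECORDS.get(record_id)
        if record is None or record["owner"] != user:
            return None  # denied: caller is not the owner
        return dict(record)


class InsecureClient:
    """The anti-pattern from the finding: the client holds the database
    credential and decides permissions locally, so the check protects
    nothing once the client binary is in the user's hands."""

    DB_KEY = "CONSTRUCTED-PLACEHOLDER-KEY"  # would be embedded in the binary

    def __init__(self, username: str) -> None:
        self.username = username

    def is_allowed(self, record_id: str) -> bool:
        return RECORDS[record_id]["owner"] == self.username

    def get_record(self, record_id: str) -> Dict[str, str]:
        if not self.is_allowed(record_id):
            raise PermissionError("denied by client-side check")
        return dict(RECORDS[record_id])  # direct database access using DB_KEY


def demo() -> Dict[str, bool]:
    """Exercise the backend: own record readable, others and forgeries denied."""
    backend = Backend()
    token = backend.login("alice", "alice-test-pw")
    return {
        "own_record": backend.get_record(token, "rec-1") is not None,
        "other_record_denied": backend.get_record(token, "rec-2") is None,
        "bad_password_denied": backend.login("alice", "wrong") is None,
        "forged_token_denied": backend.get_record("deadbeef", "rec-1") is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The contrast is the point: `Backend.get_record` consults only the session it issued, so a modified client gains nothing, whereas `InsecureClient.is_allowed` runs on the user's machine and its outcome is advisory at best. In a real service the backend sits behind TLS and the database port is not reachable from the client network at all.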

Key Insight#

If the client enforces security, there is no security.