
The one where we breached an insurance giant through image uploads

How an innocent image upload function became a dangerous entry point.

Three days. That’s all it took for our Swarm to gain complete control over a major insurance provider’s web servers, AWS domains, and sensitive database information.

What started as a proof of concept engagement quickly evolved into a stark demonstration of why constant, targeted attack is the only way to truly understand your vulnerabilities. This is a story about how seemingly innocent image upload functions became dangerous entry points, and why traditional security testing just isn’t enough.

[Image: panoramic shot of the city of London]

The setup

When this insurance provider initially approached us in January 2024, budget constraints delayed our engagement by three months. Once the proof of concept was greenlit in March, they asked us to focus on their client login portal – a seemingly straightforward request that would prove to be particularly prescient.

The discovery

Our Swarm operates differently. We don’t just test – we attack from multiple angles simultaneously. While examining the client portal, we identified not one, but three separate image upload areas intended for IDs, documents, and profile pictures. To the untrained eye, these might seem like standard features. To the Swarm, they were potential breach points begging to be tested.

The breach

This is where the power of the Swarm really showed its teeth. Within hours of discovering the upload functionality, we had:

  • Confirmed the server was running PHP
  • Deployed a custom proof-of-concept payload
  • Successfully executed system commands
  • Established a reverse shell connection
  • Gained complete control over their AWS environment
  • Accessed all eight of their domains and associated databases
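The chain above is the classic upload-to-execution path: the client-supplied filename or content type is trusted, the file lands in a directory the web server both serves and executes, and a "picture" that is really PHP runs as the application user. The following is an added example written for this post, not the insurance provider's code or the Swarm's payload, of a PHP upload handler that closes that path. The form field name `id_image`, the storage directory `/var/app/uploads`, and the size limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the engagement's code): a hardened image upload handler.
// Assumed: form field 'id_image', storage dir outside the document root, 5 MiB cap.

const MAX_BYTES = 5 * 1024 * 1024;
// Server-chosen extensions keyed by the sniffed MIME type; nothing else is accepted.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validates an upload and writes a re-encoded copy, under a random name,
 * to a directory the web server never serves directly.
 * Returns the stored filename or throws on any failure.
 */
function storeImageUpload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error code ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Never trust $file['name'] or $file['type']; sniff the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type: ' . $mime);
    }

    // The image parser must agree with the sniffed type and yield real dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // Re-encode through GD: only pixel data survives, so PHP hidden in EXIF,
    // comments or trailing bytes is discarded rather than written to disk.
    $img = $mime === 'image/png'
        ? imagecreatefrompng($file['tmp_name'])
        : imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image decode failed');
    }

    // Random name, server-chosen extension: a name like "shell.php.jpg"
    // never reaches the filesystem, and no path component comes from the client.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;

    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640); // no execute bit; the file is later streamed by a handler, not served as a path
    return $name;
}

// Usage (assumed field name; /var/app/uploads is outside DocumentRoot):
// $stored = storeImageUpload($_FILES['id_image'], '/var/app/uploads');
```

Two properties do most of the work here: the stored file is a fresh encode of the decoded pixels, and it lives where the web server cannot execute or directly serve it. When the image is later shown to a user, a read handler should stream it with an explicit `Content-Type` and `X-Content-Type-Options: nosniff` rather than exposing the upload directory. A separate check worth scheduling is confirming, on the server itself, that the upload directory has no PHP handler mapped to it (for example via `php_admin_flag engine off` in Apache or a matching `location` block in nginx).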

But we weren’t done. By day three, we’d discovered SQL injection vulnerabilities in their search functionality, allowing us to exfiltrate sensitive data at will. The client’s perceived security and their actual security posture were worlds apart.
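The search weakness in the paragraph above comes from building the SQL text out of the user's term. As an added example, not the insurance provider's code, here is the pattern that invites injection beside the parameterised form that removes it, with a constructed in-memory SQLite table so it runs stand-alone. The table and column names (`policies`, `holder_name`) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the engagement's code). Assumed schema: policies(id, holder_name).

/** Vulnerable: the search term is concatenated into the SQL text. */
function searchPoliciesVulnerable(PDO $db, string $term): array
{
    $sql = "SELECT id, holder_name FROM policies WHERE holder_name LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fixed: the term is bound as a parameter, so it can only ever be data. */
function searchPolicies(PDO $db, string $term, int $limit = 50): array
{
    // Escape LIKE wildcards in the user's input so '%' or '_' cannot widen the match.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT id, holder_name FROM policies WHERE holder_name LIKE :pattern ESCAPE '\\' LIMIT :limit"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
$db->exec("CREATE TABLE policies (id INTEGER PRIMARY KEY, holder_name TEXT)");
$db->exec("INSERT INTO policies (holder_name) VALUES ('Alice Example'), ('Bob Sample')");

// A term that closes the quote and comments out the rest of the statement.
$hostile = "' OR 1=1 --";

// Vulnerable form: every row comes back, because the term rewrote the WHERE clause.
var_dump(count(searchPoliciesVulnerable($db, $hostile))); // int(2)

// Fixed form: no row contains that literal text, so nothing comes back.
var_dump(count(searchPolicies($db, $hostile)));           // int(0)
```

The `ESCAPE` clause plus `addcslashes` handles the part prepared statements do not: a bound parameter stops the term from changing the query's shape, but `%` and `_` inside it would still act as wildcards. Disabling emulated prepares keeps the binding on the database side, which is also what makes `PDO::PARAM_INT` on `LIMIT` behave.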

The turning point

The moment we confirmed these vulnerabilities, we demonstrated our unique value proposition. Instead of simply documenting findings for a report, we immediately assembled key Swarm members and the client’s team for a live demonstration and collaborative remediation planning session. This real-time response is exactly what sets constant attack apart from periodic testing.

The lesson

The client’s CISO said it best when they immediately began discussions about expanding our engagement to their sister companies. They understood what we’ve always known: sporadic testing for a limited time just won’t cut it when it comes to closing the cyber risk gap. Constant threat demands constant, targeted attack.

Your organization might have the same vulnerabilities right now. The question isn’t whether attackers will find them – it’s whether you’ll find them first.

The gap between perceived and actual security can be devastating, leading to financial losses and reputational damage that could have been prevented. Don’t wait for a real attack to expose your vulnerabilities. Join the growing number of forward-thinking organizations that understand the power of constant, targeted attack via subscription.

Let the Swarm be your first line of defense – because in the end, it’s not about if you’ll be attacked – it’s about who finds your vulnerabilities first: us or them?

Swarm. Defeat. Repeat.