
We listen and we don’t judge! How we saved our client from a $20M fine (ruining their New Year’s Eve)

Tom Piaggio


This is the story of how we ruined New Year’s Eve for one of our clients’ CTO, CISO and whole red team by finding a company-bankrupting bug.

For context, we’re building Autonoma, an agent for finding bugs on web and mobile apps created for product people.

It was a pleasant afternoon. Euge (our CEO) and I were on a relaxed call, knowing there’s not much work on holidays, when Simon (our VP of Eng) joined. He said: “Hey, I found something pretty weird” and proceeded to show us how he could log in to any account on the application.

At first, we thought it was a harmless, non-production glitch, until we noticed the email domains. Our jaws dropped. We went on LinkedIn and there it was: that person, with the exact same name, working at that company. We tried again and hit another user. Same story.

Imagine if a bad actor got their hands on this. Customer data, credit cards, addresses, even job details could be weaponized for phishing attacks or worse. We needed to contact the client immediately.

We messaged their CTO: “Hey, I think we found a vulnerability.” I’m not sure what they expected, but I’m damn sure they didn’t expect a huge vulnerability where user information is leaked, that also showed the app was out of compliance, and that potentially gave us the ability to change or make payments with users’ accounts. When we showed it to them, their faces went pale. The red team hopped on the call and got to work.

A day later, we ran our tests again and they broke. Mission accomplished! We just saved this company a potential fine of $10M up to $50M given the data we could access (and some other out-of-compliance stuff we found). This customer joined as a design partner, which means we charge them a flat fee < $1,000 / month. We started working together only a couple of months ago, so the ROI is around 10,000x the initial investment, just for this bug. You’re welcome.

I think it’s safe to say they’re sleeping better knowing we have their back. I’m thrilled to see Autonoma making such a difference for our customers, catching bugs, saving money, and keeping their data safe. If you’re as excited about AI-powered QA as we are, reach out! We’d love to hear your story.

We’re proud of the product we’re building. Autonoma isn’t just finding bugs, it’s giving our customers peace of mind. If you think a QA agent like this could help your organization, let’s chat. We’re fully committed to our current batch of design partners, but we’d love to add you to our waiting list.