CASE STUDY

GlowTrack Auctions: 6 Vulnerabilities Found in 24 Hours

A Harare-based auction platform asked us to check their website before going live to the public. We found a critical vulnerability exposing customer data on day one.

Vulnerabilities found: 6
Time to first report: <24h
All issues resolved: 7 days

The Situation

GlowTrack Auctions runs online and in-person auctions for buyers and sellers across Harare. Before opening their platform to the public, they wanted an independent check of their website security.

They had a developer who built the site but had no security background. The platform handled user registration, live bidding, and payment coordination — all of which required storing personal customer data.

They contacted Vanorika Technologies for a website security audit. We signed a written authorisation agreement and started work the same day.

What We Found

Six vulnerabilities across the platform, ranging from critical to low severity. The most serious was found and reported within the first few hours of testing.

Critical: Unauthenticated API endpoint exposing customer records

A REST endpoint returning bidder names, email addresses, and phone numbers required no authentication. Any visitor who knew the URL — or guessed it — could download the full customer list.

High: SQL injection in the auction search function

User input passed directly to a database query without sanitisation. An attacker could extract, modify, or delete database records — including bid history and user accounts.

High: No rate limiting on the login page

The login form had no brute-force protection. An attacker could run unlimited password attempts against any account with no lockout or delay.

Medium: Reflected cross-site scripting (XSS) in lot descriptions

HTML was rendered unescaped in the lot listing page. A malicious seller could inject scripts that run in the browser of every visitor who views that lot.

Medium: Outdated dependencies with known CVEs

Three third-party packages had publicly disclosed security vulnerabilities. One had a patch available for over 18 months. These are the first things automated scanners look for.

Low: Verbose error messages revealing server internals

Stack traces and database error messages were displayed to end users on certain error conditions — leaking the server framework, database type, and file paths to anyone who triggered an error.
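The search and lot-description findings above are two of the most common web application defects. As an added illustration (not GlowTrack's code, which this case study does not show), the following Python uses an in-memory SQLite table with constructed sample lots to contrast a search query built by string concatenation with a parameterised one, and to show server-side escaping of seller-supplied lot descriptions.

```python
import html
import sqlite3

# Constructed sample lots standing in for the auction platform's data.
SAMPLE_LOTS = [
    ("Antique writing desk", "Mahogany, circa 1920"),
    ("Collector's chess set", "Boxwood and ebony, complete"),
    ("Vintage radio", "<b>Working</b> condition, original valves"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lots (id INTEGER PRIMARY KEY, title TEXT, description TEXT)")
    conn.executemany("INSERT INTO lots (title, description) VALUES (?, ?)", SAMPLE_LOTS)
    return conn


def search_lots_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    # The pattern behind the High finding: the search term is spliced into the
    # SQL text, so any quote or SQL syntax in it changes the query itself.
    # Even a legitimate search for "Collector's" breaks this function.
    sql = f"SELECT title FROM lots WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_lots_fixed(conn: sqlite3.Connection, term: str) -> list[str]:
    # Placeholder binding: the driver passes `term` as a value, never as SQL.
    # LIKE wildcards are escaped too, so a user cannot widen the match.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT title FROM lots WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


def render_lot_description(description: str) -> str:
    # The fix for the Medium XSS finding: escape seller-supplied text before it
    # is placed in the page, so markup is displayed rather than interpreted.
    return f'<p class="lot-description">{html.escape(description)}</p>'


if __name__ == "__main__":
    db = make_db()
    print(search_lots_fixed(db, "Collector's"))
    print(render_lot_description(SAMPLE_LOTS[2][1]))
```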

The Report

Every finding was written up in plain English — not just a list of CVE numbers. Each issue included what it was, what an attacker could do with it, and exactly what needed to change to fix it.

Findings were ranked by priority so the developer knew what to fix first. The critical API issue was flagged verbally on day one — before the written report was even complete — so work could start immediately.

The client's developer handled the patches. We did a verification retest on day seven to confirm all six issues were resolved before the platform went live.

Timeline

Day 1: Authorisation signed, scan begins
Day 1: Critical API vulnerability identified and reported immediately
Day 1: All 6 findings documented by end of day
Day 2: Written report delivered with fixes ranked by priority
Day 3–5: Critical and high findings patched by client developer
Day 7: Verification retest — all 6 issues confirmed resolved

Outcome

GlowTrack Auctions launched with all six vulnerabilities resolved. The platform that went live was materially more secure than the one we tested — with no customer data exposed and no trivially exploitable entry points.

Had the platform gone live with the critical API vulnerability in place, any visitor could have downloaded their full customer database. It would likely have gone unnoticed until something went wrong.

Want to know what we'd find on your website?
