Unintended Admin Access in a Multi-Tenant Call Center System

Call Center Backdoor

Background

In a recent penetration test, our team uncovered a critical security flaw in a multi-tenant call center platform that exposed highly sensitive customer data and gave direct access to internal systems across all tenants. The client—Company A, one of the tenants—requested a routine security assessment of their environment. What we found went far beyond their scope.

The Systems Involved

The call center platform was made up of three core components:

  • Client Portal: Where tenants like A, B, C, and D could log in to view their own customer records, support cases, and contact information.

  • Operator Portal: Used by the call center’s customer service team to manage live calls, support tickets, and customer interactions.

  • Admin Panel: Restricted to internal staff, used for managing tenant accounts and system configurations.

Each component connected to shared databases containing large volumes of personally identifiable information (PII) such as names, addresses, phone numbers, and call histories. Such data could be abused for identity fraud or phone-based social engineering attacks.

The Discovery

Our pentester began testing the Client Portal with random login credentials to simulate an attack using leaked or guessed logins.

  • As expected, the system returned an “Invalid login” message.

  • However, while analyzing the URL structure and front-end code, the tester noticed a hidden endpoint embedded in the page source.

  • Opening this link in a new tab redirected the tester to the Admin Panel with full access and no authentication prompt.

From this panel, the tester was able to:

  • View and manage user data across all tenants.

  • Create new accounts, assign elevated privileges, and access sensitive client records.

  • Directly manipulate customer data, operator permissions, and even partner-facing configurations.

Root Cause & Remediation

Upon reporting, the call center confirmed that an internal admin had quietly implemented this backdoor for convenience—so they could bypass authentication when passwords were forgotten. The flaw had never been documented or secured.

Following the report:

  • The backdoor was permanently removed.

  • The Admin Panel was placed behind strict authentication and role-based access controls.

  • Front-end code and URLs were audited to eliminate exposed endpoints.
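To make the two fixes concrete, here is an added example in Python that is not code from the original case study or from the platform described. It models a deny-by-default route guard (no session means 401, insufficient role means 403, unknown path means 404, so there is no path that grants access without authentication), a tenant-scoped record read so a tenant user only ever sees its own rows, and a small page-source audit that flags links to privileged paths before a release ships. The paths (/portal, /operator, /admin), the role names, and the sample HTML are constructed assumptions.

```python
"""Added example, not the original platform's code: a minimal authenticated,
role-based guard plus a front-end link audit. Paths, roles and sample data
are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass
class Session:
    user: str
    role: str                      # "tenant", "operator" or "admin"
    tenant_id: Optional[str] = None


@dataclass
class Request:
    path: str
    session: Optional[Session] = None   # None means unauthenticated


# Every route carries the minimum role it requires. There is deliberately no
# entry that grants access without a session, which is what the backdoor did.
ROUTE_MIN_ROLE = {
    "/portal": "tenant",
    "/operator": "operator",
    "/admin": "admin",
}
ROLE_RANK = {"tenant": 1, "operator": 2, "admin": 3}


def authorize(req: Request) -> tuple[int, str]:
    """Deny-by-default guard. Returns (HTTP status, message)."""
    required = ROUTE_MIN_ROLE.get(req.path)
    if required is None:
        return 404, "not found"
    if req.session is None:
        return 401, "authentication required"
    if ROLE_RANK.get(req.session.role, 0) < ROLE_RANK[required]:
        return 403, "forbidden"
    return 200, f"ok: {req.session.user} may access {req.path}"


def tenant_records(req: Request, db: dict[str, list[str]]) -> list[str]:
    """Tenant-scoped read: the tenant id comes from the session, never from
    the request, so one tenant cannot name another tenant's data."""
    status, _ = authorize(req)
    if status != 200:
        return []
    if req.session.role == "admin":
        return [row for rows in db.values() for row in rows]
    return list(db.get(req.session.tenant_id, []))


class LinkAuditor(HTMLParser):
    """Collects href/src/action targets from page source so that privileged
    paths exposed to unauthenticated users can be flagged in review."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.targets.append(value)


def find_exposed_admin_links(html: str, admin_prefix: str = "/admin") -> list[str]:
    """Return every link in the page that points under the admin prefix."""
    parser = LinkAuditor()
    parser.feed(html)
    return [t for t in parser.targets if t.startswith(admin_prefix)]


# Constructed sample page: a login form plus a hidden link to the admin panel.
SAMPLE_HTML = """<html><body>
<form action="/login" method="post"><input name="u"><input name="p"></form>
<a href="/portal">My records</a>
<a href="/admin/maint" style="display:none">maint</a>
</body></html>"""

if __name__ == "__main__":
    print("exposed admin links:", find_exposed_admin_links(SAMPLE_HTML))
    print(authorize(Request("/admin")))
    print(authorize(Request("/admin", Session("ops1", "operator"))))
    print(authorize(Request("/admin", Session("root", "admin"))))
```

Run the file directly to see the audit flag the hidden link and the guard reject an unauthenticated and an operator-level request to the admin route. The design point is that access is decided centrally from the route table and the server-side session, so a link appearing in page source cannot by itself confer any privilege.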

This case highlights the dangers of "convenient shortcuts" in production environments and the importance of regular, unbiased security reviews.

Do you know what’s hiding in your code? Let us find out before someone else does.

Want to secure your organisation?
