
    SaaS Platform VAPT & Data Security Review for TaskHive CRM Pvt. Ltd.

    TaskHive CRM Pvt. Ltd. is a cloud-based customer management platform used by over 300 small businesses to track sales, store customer information, and manage daily operations. As TaskHive scaled, the company began seeing suspicious login attempts across multiple accounts, unexpected errors while exporting customer records, and heavy API load during peak hours. Their management suspected that attackers might be probing the system for weaknesses, leading them to approach ZDShield for a complete security assessment.

    ZDShield conducted an in-depth Web Application VAPT and data security review of the TaskHive platform. The assessment included testing user authentication flows, access control modules, export features, role permissions, and customer data storage methods. Using Burp Suite Pro, OWASP ZAP, Nmap, SQLMap, and custom automation scripts, ZDShield performed both manual and automated tests to uncover vulnerabilities that could impact data confidentiality, integrity, and platform stability.

    During the evaluation, 11 vulnerabilities were discovered. The most critical issue involved broken access control, where a normal user could manipulate their account ID in API requests and gain access to other businesses’ customer data. Another major deficiency was found in the export functionality, which allowed unauthorized users to retrieve sensitive records through predictable URL patterns. The team also identified SQL Injection in a reporting filter, weak session handling, outdated libraries with known CVEs, and missing HTTP security headers — all of which increased the risk of data theft and account takeover.

    If exploited, these vulnerabilities could have resulted in large-scale data exposure affecting hundreds of businesses. Attackers could have downloaded complete customer lists, modified CRM entries, or even hijacked accounts belonging to organization administrators. A breach of this magnitude would have severely damaged TaskHive’s credibility, possibly leading to legal consequences under Indian data protection guidelines.

    ZDShield collaborated with TaskHive’s engineering team to implement strong countermeasures. Strict server-side access control checks were added for all tenant-based API requests, ensuring that users remained isolated within their own organizational boundaries. The export module was completely redesigned with tokenized URLs and strong authorization checks. SQL Injection was remediated using parameterized queries, and session management was upgraded with secure cookies and shorter token lifetimes. All outdated libraries were patched, and the platform was hardened with recommended security headers.
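The tenant isolation, tokenized export and parameterized query fixes described above, sketched as an added example (not TaskHive's or ZDShield's code). The schema, session shape, function names and signing key are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3
import time

SECRET = b"constructed-demo-key"  # assumption: a real service loads this from a secret store

def make_db():
    """Constructed sample data: two tenants, one customer row each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, tenant_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO customers (tenant_id, name) VALUES (?, ?)",
                   [(1, "Acme Traders"), (2, "Blue Kite Foods")])
    return db

def list_customers(db, session, name_filter=""):
    """Tenant scope comes from the server-side session, never from a request field.
    The filter is bound as a parameter, so it cannot change the SQL statement."""
    rows = db.execute(
        "SELECT name FROM customers WHERE tenant_id = ? AND name LIKE ? ORDER BY id",
        (session["tenant_id"], f"%{name_filter}%"))
    return [r[0] for r in rows]

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_export_token(session, ttl=300, now=None):
    """Signed, expiring token bound to the requesting tenant and user."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{session['tenant_id']}:{session['user_id']}:{expires}"
    return f"{payload}:{_sign(payload)}"

def export_customers(db, session, token, now=None):
    """Verify signature, expiry and session binding before returning any rows."""
    now = time.time() if now is None else now
    try:
        tenant, user, expires, sig = token.split(":")
        expected = _sign(f"{tenant}:{user}:{expires}")
        valid = hmac.compare_digest(sig.encode(), expected.encode()) and int(expires) >= now
        bound = (int(tenant), int(user)) == (session["tenant_id"], session["user_id"])
    except ValueError:
        raise PermissionError("malformed export token") from None
    if not (valid and bound):
        raise PermissionError("export token rejected")
    return list_customers(db, session)
```

A token issued to one tenant is rejected when presented under another tenant's session, after expiry, or after any field is edited, so a guessed or shared export URL no longer returns data.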

    Following remediation, ZDShield conducted a full retest confirming that all critical and high-risk issues had been eliminated. TaskHive experienced immediate improvements in platform stability and security. Unauthorized access attempts dropped sharply, and customer confidence increased after the company announced the successful completion of an external security audit. As a result, TaskHive CRM signed a 12-month recurring security partnership with ZDShield for quarterly VAPT and continuous data security monitoring.
