
Araco: how we turned an image upload into a potential nightmare

In an industry where speed to market can make or break a company, they knew their approach carried risk. They just didn't expect us to find a path straight to their payment platform through a simple image upload.

Araco is riding the wave of Brazil’s explosive sports betting market, providing the technology that powers betting platforms across the country and beyond.

In an industry where speed to market can make or break a company, their team moved fast – building their platform from existing code fragments to capture the opportunity. They knew this approach carried risk. They just didn’t expect us to find a path straight to their payment platform through a simple image upload.


The challenge

Operating at the leading edge of Brazil’s rapidly evolving betting industry, Araco needed to balance speed with security. Their platform was powering transactions for thousands of users, processing sensitive data, and handling millions in payments.

They proactively engaged with us to provide continuous testing to support their rapid development – understanding that in their fast-moving market, sporadic security checks simply wouldn’t be enough to identify real-world vulnerabilities. “We knew that because of the nature of development, we might have problems in some of our systems,” the client told us. “That’s why we engaged CovertSwarm – to have someone outside with the right skills looking into our code.”

The discovery

What started as routine enumeration quickly turned into something more interesting. Our Initial Access Broker team discovered an exposed directory leading to source code references. Initially, the response we were getting was clear – 404 Error – and at this point most attackers would’ve naturally stopped. We dug deeper, and it was in the subdirectories where the attack path was about to evolve. Think of it as finding not just the blueprints to their platform, but also the architect’s personal notes. Every commit, every code change, every development decision lay exposed.

The breach

The path to full administrative access started with a seemingly innocent discovery. Our Initial Access Broker team found an exposed directory – a small oversight that would prove critical. From that index file, we extracted information about 6,915 files inside their repository, piecing together their system’s architecture like a digital jigsaw puzzle.

But the real artistry came in what we did next. We identified a vulnerability in their image upload script. Most security teams would look for obvious file upload bypasses. Instead, we crafted a legitimate image file with our payload embedded within it – a trojan horse that sailed right through their defenses. Their system saw a harmless image. We saw our way in.

“That was impressive,” the client told us later. “Being able to find the git files, compile the code, and then find that upload vulnerability – that was really amazing.”

This gave us shell access to their system. From there, we discovered we could access the database as the ‘payments’ user. Game over. We reset the password of an administrator account, and suddenly had complete control over their payment platform.

All of this happened without triggering a single alert.
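An added example, not CovertSwarm's or Araco's code, of one control aimed at the vector described above: rebuilding an uploaded PNG from its image-bearing chunks only, so that text chunks and bytes after IEND (which no viewer renders) cannot carry foreign content into storage. It assumes PNG uploads and uses stdlib only; the sample files are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks a decoder needs to render the image. Ancillary chunks (tEXt, zTXt,
# iTXt, eXIf, private types) and bytes after IEND are where foreign data rides.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA"}


class BadPng(ValueError):
    """The upload is not a structurally valid PNG."""


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one chunk: big-endian length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sanitize_png(data: bytes) -> bytes:
    """Rebuild a PNG keeping only ALLOWED_CHUNKS; reject malformed input."""
    if not data.startswith(PNG_SIGNATURE):
        raise BadPng("missing PNG signature")
    out, pos, ctype = [PNG_SIGNATURE], len(PNG_SIGNATURE), b""
    while ctype != b"IEND":
        head = data[pos:pos + 8]
        if len(head) < 8:
            raise BadPng("truncated chunk header")
        length, ctype = struct.unpack(">I4s", head)
        chunk = data[pos:pos + 12 + length]          # length+type+body+crc
        if len(chunk) < 12 + length:
            raise BadPng("truncated chunk body")
        if pos == len(PNG_SIGNATURE) and ctype != b"IHDR":
            raise BadPng("first chunk must be IHDR")
        if chunk[-4:] != struct.pack(">I", zlib.crc32(chunk[4:-4]) & 0xFFFFFFFF):
            raise BadPng(f"bad CRC on {ctype!r}")  # tampered or corrupt chunk
        if ctype in ALLOWED_CHUNKS:
            out.append(chunk)
        pos += 12 + length
    # Anything after IEND is never parsed by a viewer; it is dropped here.
    return b"".join(out)


def is_valid_png(data: bytes) -> bool:
    try:
        sanitize_png(data)
        return True
    except BadPng:
        return False


# Constructed sample: a 1x1 greyscale PNG, then the same image with a tEXt
# chunk and trailing bytes standing in for smuggled content.
IHDR_1X1 = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = (PNG_SIGNATURE + png_chunk(b"IHDR", IHDR_1X1)
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
SMUGGLED_PNG = (CLEAN_PNG[:-12] + png_chunk(b"tEXt", b"Comment\x00<not image data>")
                + png_chunk(b"IEND", b"") + b"trailing bytes after IEND")
```

Re-encoding removes hiding places, but it does not change what the server does with the stored file; the primary fix remains that uploads are written outside any path the web server or application will execute or interpret.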

The impact

The implications were severe. With our level of access, a malicious actor could have:

  • Gained complete control of their payment system
  • Accessed thousands of users’ sensitive documents, including proof of ID and address
  • Forged deposits or transfers at will
  • Deleted their entire database
  • Erased all trace of their activities

The resolution

When presented with our findings through our visual reporting portal, the client moved with impressive speed. Their team was able to implement a comprehensive fix within two hours. We didn’t just identify the vulnerability – we provided detailed remediation guidance and worked alongside their team to ensure the fix was implemented correctly and verified as secure.

Through our continuous testing subscription, we were later able to identify a similar vulnerability in another part of their estate, demonstrating the value of ongoing security partnerships rather than point-in-time assessments.

The lesson

This breach demonstrates why sporadic testing isn’t enough. Araco thought they were dealing with technical debt from rapid development. Instead, they had multiple critical vulnerabilities that could have destroyed their business in an instant.

Their perceived level of cyber risk was dramatically different from their actual exposure.

In a fast-moving market like Brazil’s sports betting industry, speed is crucial.

But as Araco discovered, so is constant vigilance. Because in a world where attackers don’t play by the rules, neither do we.

Want to find your unknown unknowns before someone else does? Let’s talk about constant cyber attack.