Char49 offers a wide range of information security services with total confidentiality and reliability.

Our experienced professionals have helped organizations to secure their assets, improving trustworthy

We are specialists in Web Applications security testing (e.g. websites, portals, applications, etc.) but with a well-established and solid partners network we can easily cover any scope. We aim to protect our clients assets, mitigating the impact of compromised systems and information leaking. We partner with our clients, sharing the responsibility to protect their assets.

Training

Recent Talks

Research featured on:

Auditing

Independent security auditing is the best way to identify weaknesses. We offer penetration testing services (one-time-only or persistent) with required support to mitigate any security risks.

Consulting

Every organisation needs a strong information security posture. We provide the necessary tools and services in establishing a channel to reduce the risk of data losses.

Training

The human factor is still considered to be the primary risk in security. Our trainings empower organizations with the best information to defend itself against ever-evolving threats.

Clients

Char49 does real hands-on security

and not simply talk around security.

Learn about us

Recent articles

We don’t have a Ferrari, but we had their database credentials

Have you ever wondered what it feels like to own a Ferrari? We did. Not the car itself, but access to their database credentials.

Following Ferrari Responsible Disclosure Program1 Char49 discovered a vulnerability on the media.ferrari.com subdomain. The vulnerability affected a popular Wordpres...

Misconfiguration in a bottle: Symfony Profiler exposed

Char49 recently discovered a security misconfiguration on a subdomain of an American multinational corporation (Top50 on the Fortune500) website: an exposed Symfony web framework debug endpoint leaking sensitive information.

In a nutshell, exposing Symfony Profile or any other web framework debug...

Segway Subdomain Takeover

During our research on the Segways’ domain space, we found a subdomain pointing to a third-party domain “pending for deletion” by its owner. Using a domain monitoring and backorder service, as soon as the third-party domain became available we got control over Segway’s subdomain.

According to responsible disclosure best practices, we provided Segway a detailed security advisory. This article is published after the security issue has been (silently) fixed by Segway.

Malicious Apps Could Take Over Samsung Devices

Samsung devices, including flagship S7, S8 and S9, were all vulnerable to a severe flaw that allowed any application to factory reset the phone, steal sms messages and call logs, lock the phone with a custom pin and message, locate the user, in short, any action that Find My Mobile supports.