Security Starts at Home — But ON2IT Didn’t Get the Memo
As digital citizens, we rely on legal frameworks like the EU’s GDPR, the US’s CCPA, and other privacy laws to protect our personal data online. These frameworks are meant to ensure at least a baseline of digital privacy and safety. But laws are only as good as their enforcement — and even cybersecurity companies often fall short of practicing what they preach.
In this ongoing series of surface-level security analyses, I focus on how everyday users’ data is (mis)handled by companies — especially those claiming to specialize in cybersecurity. Today’s subject is ON2IT, a Dutch cybersecurity company that portrays itself as a major player in the industry.
You have just two options to choose from: agree or fully agree ;-)
Taken directly from ON2IT’s official website — as we can see, there’s really no choice here: either accept cookies, or… accept cookies. One has to wonder who the genius was that thought this was acceptable in the age of GDPR.
My review was conducted with standard tools accessible to anyone — using OWASP ZAP and Chrome DevTools. No advanced penetration testing or unauthorized access attempts were performed. Yet, even this limited inspection revealed disturbing results.
Legal Compliance: Not a Disaster, But Far From Safe
ON2IT’s website includes formal privacy policies, GDPR references, and public contact addresses. But form ≠ substance.
Based on a structured legal assessment framework that includes consent mechanisms, cookie behavior, and phishing protections, the results are mixed:
Overall Score: 4 out of 8.
The legal façade holds on the surface, but the lack of granular consent, technical safeguards, and proper cookie rejection behavior means users aren’t as protected as they should be.
Technical Posture: A Series of Failures
Here’s the real concern: the technical side is a mess.
ON2IT’s website is built on… WordPress. That alone isn’t a crime — even secure setups can use WordPress — but only when hardened, obscured, and properly maintained. ON2IT does none of this.
Key technical findings from https://on2it.net:
CMS: WordPress 6.8.1
Theme: GeneratePress (parent + child)
Plugins: GravityForms, GP Premium, SitePress Multilingual, Popup Maker
Exposed files: readme.html, license.txt
Public user list (names partially masked for ethical reasons): sXmh, jaXj, kaXXnm, lXk, arXXns, etc.
The risks that come with an exposed version number, a visible plugin list and an enumerable user list are not hypothetical — they are publicly documented issues (MITRE, Wordfence) that expose both users and administrators to session hijacking, script injection, and content tampering.
Openly Exposed Services — A Reconnaissance Playground
Worse yet, several of ON2IT’s internal or demo services are fully exposed to the public with no authentication or access control. Their subdomains are even self-descriptive — making them easy targets for automated scanning and phishing setups:
https://filerdemo.on2it.net/login
https://social.on2it.net/explore
https://soc.on2it.net/
https://portal.on2it.net/login
https://sensorlogging.on2it.net/
These endpoints read more like a checklist for attackers than hardened assets. The use of obvious subdomain naming conventions is a gift to OSINT tools.
DNS, Hosting & Cookie Concerns
ON2IT’s infrastructure relies heavily on third-party services including Google (Gmail), Leaseweb, GCP, and WordPress-based hosting.
Cookies on on2it.recruitee.com are set without real opt-out, violating the spirit — if not the letter — of GDPR. Once again, form wins over substance.
Final Scorecard
Legal Layer:
✅ Privacy Policy — Pass
✅ Cookie Policy — Pass
❌ Cookie Implementation — Fail
✅ DPO Contact — Pass
❌ Opt-Out Mechanism — Fail
❌ Granular Consent — Fail
❌ Privacy-respecting A/B Testing — Fail
✅ Right to Erasure — Pass
Technical Layer:
❌ Anti-CSRF Protections — Fail
❌ CSP Header — Fail
❌ Subresource Integrity (SRI) — Fail
❌ DNS/OSINT Defense — Fail
✅ HTTPS + HSTS — Pass
❌ User Enumeration Prevention — Fail
❌ Admin Interface Obfuscation — Fail
✅ Legal Disclosures Present — Pass
❌ Default Cookie Behavior — Fail
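To make the technical-layer items above reproducible, here is a small offline audit script. It is an added example written for this article, not code from the original review and not anything belonging to ON2IT. It takes a captured response (the headers and HTML that OWASP ZAP or Chrome DevTools would show you) and grades the same points as the scorecard: HSTS, CSP, Subresource Integrity, anti-CSRF tokens, plus the cookie security flags that a hardened WordPress install should set. The two sample responses are constructed for the example (hosts under example.invalid, placeholder hash and token values): one looks like a default WordPress page, the other shows what the same page looks like once it is hardened as the WordPress section argues it should be.

```python
"""Offline audit of one HTTP response against the technical-layer scorecard."""
import re
from html.parser import HTMLParser

# Constructed sample, NOT a capture from ON2IT: a typical default WordPress
# response. HSTS is set, but there is no CSP, a third-party script has no
# integrity attribute, a POST form carries no token and the cookie has no flags.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "pum-visited=1; Path=/",
}
WEAK_HTML = """<html><head>
<script src="https://cdn.example.invalid/lib.js"></script>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
</head><body>
<form method="post" action="/contact">
  <input type="text" name="message">
  <input type="submit" value="Send">
</form></body></html>"""

# Constructed hardened counterpart (hash and token values are placeholders).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid",
    "Set-Cookie": "session=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax",
}
HARDENED_HTML = """<html><head>
<script src="https://cdn.example.invalid/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<form method="post" action="/contact">
  <input type="hidden" name="csrf_token" value="PLACEHOLDER">
  <input type="text" name="message">
</form></body></html>"""


def _header(headers, name):
    """Case-insensitive lookup: HTTP header names are not case sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(headers):
    """Pass only if HSTS is present with a max-age of at least one year."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return False
    match = re.search(r"max-age=(\d+)", value)
    return bool(match) and int(match.group(1)) >= 31536000


def check_csp(headers):
    """Pass if a CSP exists and its effective script source does not allow 'unsafe-inline'."""
    value = _header(headers, "Content-Security-Policy")
    if value is None:
        return False
    directives = [d.strip().lower() for d in value.split(";")]
    script = next((d for d in directives if d.startswith("script-src")), None)
    default = next((d for d in directives if d.startswith("default-src")), None)
    effective = script or default
    return effective is not None and "'unsafe-inline'" not in effective


def check_cookie_flags(headers):
    """Pass if every cookie set by this response carries Secure and HttpOnly."""
    value = _header(headers, "Set-Cookie")
    if value is None:
        return True  # nothing set, nothing to flag
    attrs = {part.strip().lower() for part in value.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs


class _PageScan(HTMLParser):
    """Collects external resources lacking SRI and POST forms lacking a token."""

    def __init__(self):
        super().__init__()
        self.external_without_sri = []
        self.forms = []  # dicts: {"method": ..., "token": bool}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        href = a.get("href") or ""
        if tag == "script" and src.startswith("http") and not a.get("integrity"):
            self.external_without_sri.append(src)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" \
                and href.startswith("http") and not a.get("integrity"):
            self.external_without_sri.append(href)
        if tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(), "token": False}
        if tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "hidden" and \
                    any(word in name for word in ("csrf", "token", "nonce")):
                self._form["token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def check_sri(html):
    """Pass if every cross-origin script/stylesheet has an integrity attribute."""
    scan = _PageScan()
    scan.feed(html)
    return not scan.external_without_sri


def check_csrf(html):
    """Pass if every POST form includes a hidden anti-CSRF token field."""
    scan = _PageScan()
    scan.feed(html)
    return all(form["token"] for form in scan.forms if form["method"] == "post")


def audit(headers, html):
    """Grade one response; keys match the scorecard items above."""
    return {
        "HTTPS + HSTS": check_hsts(headers),
        "CSP Header": check_csp(headers),
        "Subresource Integrity (SRI)": check_sri(html),
        "Anti-CSRF Protections": check_csrf(html),
        "Cookie security flags": check_cookie_flags(headers),
    }


if __name__ == "__main__":
    for label, sample in (("weak", (WEAK_HEADERS, WEAK_HTML)),
                          ("hardened", (HARDENED_HEADERS, HARDENED_HTML))):
        print(f"--- {label} sample ---")
        for item, ok in audit(*sample).items():
            print("PASS" if ok else "FAIL", item)
```

Feed it the headers and body you copied out of the DevTools Network tab and you get the same pass/fail picture as the scorecard, without sending a single extra request. The checks are deliberately strict in the direction a defender cares about: a CSP that still permits 'unsafe-inline' for scripts and an HSTS max-age shorter than a year both count as failures, because neither buys much against the script injection and session hijacking risks discussed above.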
Final Thoughts: Branding ≠ Security
ON2IT, like many others in the cybersecurity industry, seems to focus more on brand optics than infrastructure hygiene. For a company selling protection, they leave their own digital front door wide open.
This review isn’t a targeted attack — it’s a reminder: Security starts at home.
If cybersecurity firms don’t uphold the same standards they advocate, how can users or clients trust them?
I hope this article encourages more critical evaluations — and higher expectations — from vendors in the cybersecurity space.
For any questions: https://on2it.0trust0day.com
Disclaimer & User Rights Statement
I am a user of this website. I have identified that my personal data may be at risk.
A form on the website potentially allows actions to be forged in my name — without my consent.
I visited a website claiming to offer cybersecurity services, yet encountered unprotected resources, cookies without HSTS, and scripts without CSP. That directly affects me as a user.
This analysis is based solely on publicly accessible information, passive observation of website behavior, and freely available client-side tools. No unauthorized access, exploitation, or invasive techniques were used.
As a user of the examined web resource, I retain the right to assess potential security and privacy risks that may affect my personal data, browsing experience, or device safety.
The presented findings represent a good-faith effort to raise public awareness and encourage higher security standards. All legal and technical interpretations are personal opinions and do not constitute a legally binding statement.
No penetration testing was performed. To identify potential vulnerabilities that could compromise my information during the use of the referenced web resource, only publicly available, free website analysis services and the Chrome browser console were used.