Security Assessment
Coastline Travel Group · Confidential
🔒 CIPHER
Website Security Assessment

An independent evaluation of travelpro365.com covering infrastructure, application security, and regulatory compliance.

Coastline Travel Group
March 2026
Phase 1 - External Assessment
🔒 Confidential
Assessment Result
Your risk score

We scored your website across every dimension of security - infrastructure, application code, network exposure, and legal compliance.

A score of 57 out of 100 places travelpro365.com at the top of the HIGH RISK tier. The presence of 14 critical findings - including unpatched remote code execution vulnerabilities and an open ransomware entry point - means the practical exposure is higher than this composite score reflects.

Risk gauge (0-100): 57 / 100 - HIGH RISK. On the scale Low · Moderate · High · Critical · Severe the marker sits at the top of the High band, bordering Critical.
Findings by severity: 14 Critical · 25 High · 17 Medium · 8 Low
Plain Language Summary
What we found
Your server is directly reachable by attackers
There is no firewall or protection layer in front of your website. Your server's real address is visible in DNS, a Windows remote access port used by ransomware gangs is open to the entire internet, and the software running your site has four unpatched vulnerabilities that allow remote takeover.
Your payment system has a critical misconfiguration
The security settings on your payment subdomain are configured in a way that allows any website - including attacker-controlled sites - to make requests on behalf of your customers. Two SSL certificates have expired or are expiring today.
You have significant legal exposure right now
There is no privacy policy on your site. A session-recording tool is capturing everything customers do on your booking pages - including sensitive information - without any disclosure. Five different tracking systems fire before customers can do anything. The California AG has explicitly targeted travel companies for exactly this pattern.
Critical Findings
Most urgent security issues
Remote Desktop port open to the entire internet
TCP port 3389 - the primary ransomware entry point - is reachable from anywhere in the world. Automated scanners monitor for this continuously. This needs to be closed today.
Fix Today
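The check and the fix behind this finding (and behind action item 01, which closes the port in the AWS security group) are shown here as an added example. It is not part of the report and not Coastline Travel Group's configuration: the group below is constructed, the group id, office range and descriptions are placeholders, and the dict shape follows the IpPermissions entries that the EC2 DescribeSecurityGroups API (boto3's describe_security_groups) returns. Nothing here contacts AWS; it finds every rule that exposes TCP 3389 to any source address and builds the exact revoke calls that remove only those ranges.

```python
"""Audit a security group for RDP (TCP 3389) open to the internet and build
the revoke operations that close it. Added example; the sample group is
constructed and the group id / office range are placeholders."""
from __future__ import annotations

import copy
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample group: RDP open to the world over IPv4 and IPv6 (the
# finding), HTTPS open to the world (expected for a web server), and RDP
# from a placeholder office range (legitimate; must survive remediation).
SAMPLE_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24",
                       "Description": "office egress (placeholder)"}],
         "Ipv6Ranges": []},
    ],
}


def covers_port(perm: dict, port: int) -> bool:
    """True if this permission grants `port` over TCP (or is an all-traffic rule)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule, no port fields
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_exposed_rdp(group: dict) -> list[str]:
    """CIDRs from which TCP 3389 is reachable by anyone."""
    found = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, RDP_PORT):
            continue
        found += [r["CidrIp"] for r in perm.get("IpRanges", []) if is_world(r["CidrIp"])]
        found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_world(r["CidrIpv6"])]
    return found


def _revoke(group_id: str, spec: dict) -> str:
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([spec])}'")


def revoke_commands(group: dict) -> list[str]:
    """One `aws ec2 revoke-security-group-ingress` call per world-open RDP
    range. Each call names a single range, so narrower rules on the same
    port (the office range above) are left untouched."""
    cmds = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, RDP_PORT):
            continue
        base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        for r in perm.get("IpRanges", []):
            if is_world(r["CidrIp"]):
                cmds.append(_revoke(group["GroupId"], dict(base, IpRanges=[{"CidrIp": r["CidrIp"]}])))
        for r in perm.get("Ipv6Ranges", []):
            if is_world(r["CidrIpv6"]):
                cmds.append(_revoke(group["GroupId"], dict(base, Ipv6Ranges=[{"CidrIpv6": r["CidrIpv6"]}])))
    return cmds


def remediated(group: dict) -> dict:
    """The group as it should look afterwards: world-open ranges removed from
    every rule that covers 3389 (an all-traffic 0.0.0.0/0 rule loses its world
    range too, which is intended), rules left with no source dropped."""
    fixed = copy.deepcopy(group)
    kept = []
    for perm in fixed["IpPermissions"]:
        if covers_port(perm, RDP_PORT):
            perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if not is_world(r["CidrIp"])]
            perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if not is_world(r["CidrIpv6"])]
        if perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("UserIdGroupPairs"):
            kept.append(perm)
    fixed["IpPermissions"] = kept
    return fixed


if __name__ == "__main__":
    print("exposed from:", world_exposed_rdp(SAMPLE_GROUP))
    for cmd in revoke_commands(SAMPLE_GROUP):
        print(cmd)
    print("after fix:", world_exposed_rdp(remediated(SAMPLE_GROUP)))
```

Run against a real group by passing the dict from `describe_security_groups` in place of SAMPLE_GROUP. Revoking by exact range rather than deleting the whole rule is deliberate: it keeps an administrator's VPN or office allowance in place while removing the world-open entry that scanners look for.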
Four unpatched remote code execution vulnerabilities
Your web server software has known vulnerabilities that allow an attacker to run any code they want on your machine without a password. One is on the U.S. government's active-exploits list.
Fix This Week
Payment subdomain allows credential theft from any website
pay.travelpro365.com has a broken configuration that lets any website make authenticated requests on behalf of your customers - a direct path to account and card compromise.
Fix This Week
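How a reviewer reads the CORS headers behind this finding, and what the one-line fix from action item 05 has to do, shown as an added example. This is not code from the report or from pay.travelpro365.com: the broken and corrected responses are simulated by plain functions over constructed header dicts, and the allow-list of trusted origins is an assumption for the example.

```python
"""Classify a CORS response for a given request Origin, and show the
allow-list behaviour that closes the finding. Added example with
constructed headers; ALLOWED_ORIGINS is an assumption."""
from __future__ import annotations

# Assumed allow-list: the only origins that should ever receive a
# credentialed cross-origin grant from the payment host.
ALLOWED_ORIGINS = {"https://travelpro365.com", "https://www.travelpro365.com"}


def assess_cors(request_origin: str, headers: dict, allowed: set[str]) -> tuple[str, str]:
    """Return (severity, reason) for one response. `request_origin` is the
    Origin the request carried and should be one that is NOT on the
    allow-list, because the question is whether an untrusted site gets in."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"

    if acao is None:
        return ("none", "no cross-origin grant")
    if acao in allowed:
        return ("none", "fixed allow-listed origin")
    if acao == "*":
        # Browsers refuse to pair * with credentials, so cookies stay
        # protected, but every site can read non-credentialed responses.
        return ("medium", "wildcard origin: any site can read unauthenticated responses")
    if acao == "null":
        # 'null' is the Origin of sandboxed iframes and file:// pages, so a
        # grant to it is effectively a grant to anyone.
        return ("critical" if creds else "medium", "origin 'null' accepted")
    if acao == request_origin:
        # The server echoed back an origin it has no reason to trust.
        if creds:
            return ("critical", "untrusted origin reflected with credentials: a third-party "
                    "page can make authenticated requests and read the responses")
        return ("medium", "untrusted origin reflected without credentials")
    return ("none", f"grant limited to {acao}")


def broken_server(request_origin: str) -> dict:
    """Simulates the misconfiguration the finding describes: whatever Origin
    arrives is echoed back together with credentials. Constructed."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Content-Type": "application/json",
    }


def fixed_server(request_origin: str, allowed: set[str] = ALLOWED_ORIGINS) -> dict:
    """The corrected behaviour: echo only an allow-listed origin, send the
    credentials header only in that case, and add Vary: Origin so a shared
    cache never serves one origin's grant to another."""
    headers = {"Content-Type": "application/json", "Vary": "Origin"}
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    untrusted = "https://third-party.example"     # constructed untrusted origin
    for name, server in (("broken", broken_server), ("fixed", fixed_server)):
        print(name, assess_cors(untrusted, server(untrusted), ALLOWED_ORIGINS))
```

The severity logic mirrors what browsers enforce: a reflected origin plus `Access-Control-Allow-Credentials: true` is the combination that lets another site act as the logged-in customer, while a bare wildcard cannot carry cookies and is a data-exposure issue rather than an account-takeover one. The `Vary: Origin` header in the fix matters on any host behind a CDN or cache.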
Two SSL certificates expired or expiring today
brownell.travelpro365.com has had an expired certificate for 65+ days. mvt.travelpro365.com expires today - when it does, the site will be unreachable over secure connections.
Fix Today
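The expiry classification behind this finding (and behind action items 02 and 03), as an added example that is not part of the report. It works on the dict that Python's `ssl.SSLSocket.getpeercert()` returns for a live connection, but the certificates below are constructed stand-ins: only the hostnames come from the report, the dates are chosen to reproduce the two states it describes, and the reference date is assumed to be the morning of March 16, 2026 UTC.

```python
"""Classify certificate expiry from getpeercert()-shaped dicts. Added
example; the certificates and the reference date are constructed."""
from __future__ import annotations

from datetime import datetime, timezone

# getpeercert() renders validity dates in this form, e.g. "Mar 16 23:59:59 2026 GMT".
CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"

NOW = datetime(2026, 3, 16, 9, 0, tzinfo=timezone.utc)      # assumed reference time

# Constructed certificates in getpeercert() shape (subject is a tuple of RDNs).
SAMPLE_CERTS = [
    {"subject": ((("commonName", "mvt.travelpro365.com"),),),
     "notAfter": "Mar 16 23:59:59 2026 GMT"},          # expires today
    {"subject": ((("commonName", "brownell.travelpro365.com"),),),
     "notAfter": "Jan 10 23:59:59 2026 GMT"},          # expired 65 days ago
    {"subject": ((("commonName", "travelpro365.com"),),),
     "notAfter": "Apr 30 23:59:59 2026 GMT"},          # healthy
]


def common_name(cert: dict) -> str:
    """Pull the CN out of the nested subject tuple."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def parse_cert_time(value: str) -> datetime:
    """Parse a notBefore/notAfter string as an aware UTC datetime."""
    return datetime.strptime(value, CERT_TIME_FORMAT).replace(tzinfo=timezone.utc)


def certificate_status(cert: dict, now: datetime = NOW, warn_days: int = 14) -> tuple[str, int]:
    """Return (state, calendar days until expiry; negative when already past)."""
    not_after = parse_cert_time(cert["notAfter"])
    days = (not_after.date() - now.date()).days
    if not_after <= now:
        return ("expired", days)
    if days == 0:
        return ("expires today", 0)
    if days <= warn_days:
        return ("expiring soon", days)
    return ("ok", days)


URGENCY = {"expired": 0, "expires today": 1, "expiring soon": 2, "ok": 3}


def expiry_report(certs: list[dict], now: datetime = NOW) -> list[tuple[str, str, int]]:
    """(hostname, state, days) for every certificate, most urgent first."""
    rows = [(common_name(c), *certificate_status(c, now)) for c in certs]
    return sorted(rows, key=lambda r: (URGENCY[r[1]], r[2]))


if __name__ == "__main__":
    for host, state, days in expiry_report(SAMPLE_CERTS):
        print(f"{host:32} {state:14} {days:+d} days")
```

For a live host, `ssl.create_default_context()` plus `wrap_socket(..., server_hostname=host).getpeercert()` yields the same dict; note that with default verification the handshake itself fails once a certificate has expired, which is the signal brownell.travelpro365.com is already giving browsers. Running the report on a schedule with `warn_days` set to the renewal lead time turns "expires today" into a ticket raised two weeks earlier.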
Legal & Compliance
Privacy and regulatory exposure
No privacy policy exists anywhere on the site
travelpro365.com collects personal data, processes payments, and operates five active tracking technologies - without a privacy policy on any page. A privacy policy is required under California law, GDPR, and the California AG's stated enforcement priorities for travel companies.
Legal Req.
Session recording capturing customer behavior without disclosure
HotJar is recording keystrokes, mouse movements, and form inputs on booking pages. No disclosure to users. This pattern has resulted in FTC enforcement actions with fines up to $51,744 per day.
FTC Risk
Five trackers firing before any user consent
Google Analytics, Facebook Pixel, Google Ads (×2), and Google Tag Manager all activate on every page load before any user interaction. GDPR and California law require consent before this can happen.
CCPA/GDPR
Zero email authentication - anyone can spoof your domain
No SPF, DKIM, or DMARC records. Any attacker can send email that looks like it came from @travelpro365.com - including fake booking confirmations and payment receipts targeting your customers.
Spoofing Risk
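The DNS check behind this finding, and the records action item 10 asks for, as an added example that is not part of the report. It runs on an in-memory zone (name to list of TXT strings) rather than live DNS: the "before" zone mirrors what the assessment found (nothing published), the "after" zone shows records in the shape a remediation would publish. The mail-provider include, the DKIM selector and public key, and the report mailbox are placeholders, not values from the report.

```python
"""Evaluate SPF, DKIM and DMARC for a domain from TXT records. Added
example; the zones are constructed and the provider/selector/key/mailbox
values are placeholders."""
from __future__ import annotations

DOMAIN = "travelpro365.com"

# Constructed: the state the assessment describes, only an unrelated TXT record.
ZONE_BEFORE = {
    "travelpro365.com": ["google-site-verification=PLACEHOLDER"],
}

# Constructed: what the zone should contain after remediation.
ZONE_AFTER = {
    "travelpro365.com": [
        "google-site-verification=PLACEHOLDER",
        "v=spf1 include:_spf.mailprovider.example -all",       # placeholder include
    ],
    "selector1._domainkey.travelpro365.com": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",      # placeholder key
    ],
    "_dmarc.travelpro365.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@travelpro365.com; pct=100",
    ],
}


def tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k2=v2' tag lists used by DKIM and DMARC records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(zone: dict, domain: str) -> str:
    recs = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid: multiple SPF records"      # receivers treat this as permerror
    terms = recs[0].lower().split()
    last = terms[-1]
    if last == "-all":
        return "ok: hard fail"
    if last == "~all":
        return "ok: soft fail"
    if last in ("+all", "all", "?all"):
        return "weak: every sender passes"
    if any(t.startswith("redirect=") for t in terms):
        return "ok: redirect"
    return "weak: no 'all' mechanism"


def check_dkim(zone: dict, domain: str, selectors: tuple[str, ...]) -> str:
    for sel in selectors:
        for r in zone.get(f"{sel}._domainkey.{domain}", []):
            t = tags(r)
            if t.get("p"):
                return f"ok: selector {sel}"
            if "p" in t:
                return f"revoked: selector {sel} publishes an empty key"
    return "missing"


def check_dmarc(zone: dict, domain: str) -> str:
    recs = [r for r in zone.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing"
    policy = tags(recs[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return f"ok: p={policy}"
    if policy == "none":
        return "weak: p=none only monitors"
    return "invalid: no policy tag"


def email_auth_report(zone: dict, domain: str = DOMAIN, selectors: tuple[str, ...] = ("selector1",)) -> dict:
    spf = check_spf(zone, domain)
    dkim = check_dkim(zone, domain, selectors)
    dmarc = check_dmarc(zone, domain)
    # Receivers only discard spoofed mail when DMARC tells them to and SPF or
    # DKIM lets them recognise genuine mail, so a missing or monitor-only
    # DMARC policy leaves the domain spoofable even with SPF published.
    spoofable = not dmarc.startswith("ok") or not (spf.startswith("ok") or dkim.startswith("ok"))
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc, "spoofable": spoofable}


if __name__ == "__main__":
    print("before:", email_auth_report(ZONE_BEFORE))
    print("after: ", email_auth_report(ZONE_AFTER))
```

DKIM selectors are not discoverable from DNS alone, which is why the function takes them as a parameter; the selector names come from the mail provider's setup page. To run this against real records, build the zone dict from TXT lookups of the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.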
Business Impact
What this could cost you

These are real fines issued to comparable businesses. Coastline Travel Group's CST registration places it directly within the California AG's travel sector enforcement focus.

California Privacy Law (CCPA) · No policy, no opt-out, no cookie consent · Sephora paid $1.2M for the same violations · $7,500/violation
Payment Card Security (PCI DSS) · No WAF, open RDP, unpatched vulnerabilities · Wyndham paid $10.9M after a breach · Up to $500K/month
FTC Act - Deceptive Practices · Session recording without disclosure · CafePress $500K, Meta $5B · $51,744/day
GDPR (if serving European visitors) · No consent, no privacy notice · British Airways paid £20M · 4% of revenue
Total Estimated Exposure · Conservative estimate across all applicable regulations · $250K – $5M+
Action Plan
What to do - immediately
Do Today
01 Close RDP port 3389 in your AWS security group. 15 minutes. Eliminates your #1 ransomware risk.
02 Renew the SSL cert on mvt.travelpro365.com - it expires today.
03 Renew or take offline brownell.travelpro365.com - cert expired 65+ days ago.
This Week
04 Patch your server software to .NET 8.0.21+. Fixes four RCE vulnerabilities in one update.
05 Fix CORS on pay.travelpro365.com - one config change, closes the credential theft vector.
06 Enable Cloudflare in front of your site. Free tier adds WAF + DDoS protection + hides your server IP.
07 Contact a privacy attorney to draft a CCPA-compliant privacy policy and opt-out link.
08 Pause HotJar session recording until a disclosure is in place.
Action Plan (continued)
What to do - this month and beyond
This Month
09 Add cookie consent (OneTrust, Cookiebot, etc.) to gate all trackers until users accept.
10 Add SPF, DKIM, and DMARC records so attackers can't spoof your email domain. Free, takes 30 minutes.
11 Rotate the Google Maps API key - it's visible in public page source. Restrict it to your domain in Google Cloud Console.
12 Update jQuery from 3.5.1 to the current version. Takes minutes. Removes a CISA-listed vulnerability.
Next 90 Days
13 Active penetration test - test your actual login and booking flows for exploitable vulnerabilities.
14 PCI DSS gap assessment - required by your payment processor. Maps every requirement to your current state.
The good news
Items 1–3 (the highest-risk) can be resolved in a single afternoon. Items 4–8 take a few days. The privacy work is mostly documentation. None of this requires rebuilding your application.
Report Integrity
Independently validated

A second independent assessment was conducted on March 15, 2026 - eleven days after the original audit. Every testable finding was reproduced using identical passive techniques with a 100% confirmation rate.

25 of 25 testable findings independently confirmed
3 new High findings added: no DKIM, no script integrity checks, no HTTP method filtering
Risk score adjusted to 57/100 (from 60) - new positive controls found
mvt certificate expiry confirmed: expires March 16, 2026
New positive: sensitive config files (.env, .git, web.config) all return 404
Open redirect, rate limiting, and cipher suite checks deferred to Phase 2 (require active testing)

All tests conducted using passive, non-intrusive techniques. No credentials used. No data modified. No payloads injected.

Scope & Methodology
What this assessment didn't cover

This was a passive, external-only assessment. No credentials were used, no payloads were injected, and no systems were touched. Everything in this report was observable from the public internet.

Not tested in Phase 1
Login and authentication flows (requires credentials)
SQL injection and input validation in booking forms
Session management and token security
Internal network exposure and lateral movement paths
Whether the affiliate token weakness is exploitable
Whether the login page open redirect can be weaponized
PCI DSS compliance status
At least 9 of 12 PCI DSS v4.0 requirements appear unmet based on external observation alone
Full PCI gap assessment requires authenticated access and documentation review
Payment processor may require a formal Qualified Security Assessor (QSA) report
Active testing typically costs $15,000 - $20,000 for a site of this complexity and is recommended after Phase 1 remediations are complete.
Summary
Where things stand
Confirmed issues
14 Critical - including open RDP port, unpatched RCE vulnerabilities, broken CORS on payment subdomain
25 High - including no WAF, expired SSL certificates, exposed server IP, no email authentication
Zero privacy infrastructure - no policy, no cookie consent, active session recording without disclosure
9+ PCI DSS requirements unmet - payment card security non-compliance
Assessment details
Phase 1 audit: March 4, 2026
Supplemental validation: March 15, 2026
Validation rate: 25/25 findings confirmed (100%)
Risk score: 57/100 - HIGH RISK
Methodology: passive external observation only - no credentials, no payloads
Prepared for Coastline Travel Group
travelpro365.com - CIPHER - Confidential