HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Preventing a ₹10 Lakh Data Breach via API

Client: Fintech Startup | Service: API VAPT | Year: 2025

Background

A growing fintech startup approached HackVitraSec to assess their API security posture. With rising regulatory pressures and increasing API traffic, the client was concerned about data leakage and compliance gaps.

Challenge

During black-box testing, our team found a critical IDOR (Insecure Direct Object Reference) vulnerability in the /getUserDetails endpoint. The endpoint took a user_id parameter and returned the matching record without authenticating the caller or checking that the caller owned that record; because the IDs were sequential integers, anyone could retrieve any user's personal data, including PAN, Aadhaar and mobile numbers, simply by changing the number.

Discovery Process

  • Tools: Burp Suite, Postman
  • Method: Manual parameter tampering & fuzzing
  • Impact: Over 2 lakh records at direct risk

Remediation

We provided the client with:

  • A PoC video demonstrating the vulnerability in real-time
  • Authentication middleware on all critical endpoints, together with a per-request check that the authenticated user owns, or is authorised to view, the requested record
  • Recommendation to replace incremental IDs with UUIDs, which stops enumeration of the ID space but does not replace the ownership check
  • Access logging on sensitive endpoints for anomaly detection and future audits

Outcome

The vulnerability was patched within 48 hours. The fintech startup avoided potential damages estimated at ₹10 lakh, including regulatory fines and reputational harm. Their stakeholders and investors praised the proactive approach.

Key Takeaways

  • Enforce authentication and object-level authorization on every API route: check that this caller owns this record, or holds a role that may read it. Role checks alone do not stop IDOR.
  • Never expose predictable IDs; use UUIDs or secure tokens. Unguessable IDs make enumeration impractical but are not a substitute for the authorization check.
  • Test APIs from both authenticated and unauthenticated perspectives
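As an added illustration of the flaw and the fix described above (the remediation items and the key takeaways), the following Python model is not the client's or HackVitraSec's code. It pairs a handler that behaves like the vulnerable /getUserDetails endpoint with a hardened one that authenticates the caller, enforces an ownership check, keys records by random UUID, and writes access events that a simple detection rule can flag. The record data, bearer tokens, session store and logging sink are constructed sample values, not anything from the engagement.

```python
"""Model of the /getUserDetails IDOR and its fix. Added example, not the
client's or HackVitraSec's code; all records, tokens and IDs are constructed."""
import logging
import uuid
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

log = logging.getLogger("api.access")

# Constructed sample data: sequential IDs, as in the vulnerable deployment.
USERS_BY_SEQ = {
    1: {"name": "Asha", "pan": "ABCDE1234F", "mobile": "9000000001"},
    2: {"name": "Ravi", "pan": "FGHIJ5678K", "mobile": "9000000002"},
    3: {"name": "Meena", "pan": "LMNOP9012Q", "mobile": "9000000003"},
}


@dataclass
class Request:
    params: Dict[str, Any]
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[Dict[str, Any]] = None


def get_user_details_vulnerable(req: Request) -> Response:
    """Before: no authentication and no ownership check; user_id is trusted."""
    rec = USERS_BY_SEQ.get(int(req.params["user_id"]))
    return Response(200, rec) if rec else Response(404)


def enumerate_records(handler, id_range) -> Dict[int, Dict[str, Any]]:
    """The parameter tampering from the discovery phase: walk the ID space
    without credentials and keep every record the handler returns."""
    leaked = {}
    for i in id_range:
        resp = handler(Request(params={"user_id": i}))
        if resp.status == 200:
            leaked[i] = resp.body
    return leaked


# After: random UUIDs as the public identifier (unguessable, so the ID space
# cannot be walked), issued once per account and stored with the record.
USERS_BY_UUID = {str(uuid.uuid4()): rec for rec in USERS_BY_SEQ.values()}
ASHA_ID = next(k for k, v in USERS_BY_UUID.items() if v["name"] == "Asha")
SUPPORT_ID = str(uuid.uuid4())  # a staff account that is not a customer record

# Constructed session store: bearer token -> authenticated subject and role.
SESSIONS = {
    "tok-asha": {"sub": ASHA_ID, "role": "user"},
    "tok-support": {"sub": SUPPORT_ID, "role": "admin"},
}

ACCESS_LOG = []  # in-memory sink; in production these events go to the SIEM


def log_event(event: str, **fields) -> None:
    entry = {"event": event, **fields}
    ACCESS_LOG.append(entry)
    log.info("%s", entry)


def authenticate(req: Request) -> Optional[Dict[str, str]]:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_user_details(req: Request) -> Response:
    """After: authenticate, then check the caller may read this object.
    The UUID alone is not the control; the ownership check is."""
    session = authenticate(req)
    if session is None:
        log_event("unauthenticated", target=req.params.get("user_id"))
        return Response(401)
    target = str(req.params.get("user_id", ""))
    if session["role"] != "admin" and target != session["sub"]:
        log_event("denied", subject=session["sub"], target=target)
        return Response(403)
    rec = USERS_BY_UUID.get(target)
    log_event("allowed", subject=session["sub"], target=target, found=rec is not None)
    return Response(200, rec) if rec else Response(404)


def flag_enumerating_subjects(entries, threshold: int = 3):
    """Detection rule over the access log: a subject denied on `threshold` or
    more distinct object IDs is probing other users' records."""
    denied: Dict[str, set] = {}
    for e in entries:
        if e["event"] == "denied":
            denied.setdefault(e["subject"], set()).add(e["target"])
    return sorted(s for s, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("leaked by vulnerable handler:", enumerate_records(get_user_details_vulnerable, range(1, 10)))
    for uid in USERS_BY_UUID:  # the same walk, with Asha's own token, against the fix
        print(uid, get_user_details(Request({"user_id": uid}, {"Authorization": "Bearer tok-asha"})).status)
    print("flagged:", flag_enumerating_subjects(ACCESS_LOG, threshold=2))
```

Run directly, the script dumps all three constructed records through the vulnerable handler, then shows the hardened handler returning 200 only for the caller's own record and 403 for the others, and finally names Asha's subject as an enumerating caller from the denial log. Note that the hardened handler would still be safe with the old integer IDs: the ownership comparison, not the UUID, is what stops the data leak, and the UUID only removes the cheap enumeration path.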

Need an API Security Audit?

Contact HackVitraSec Today