HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Case Study: IDOR Vulnerability in Finance API

Client Type: Financial Services | Engagement: API Security Audit | Date: July 2025

Background

A finance app serving thousands of users allowed customers to view transaction details via a mobile-friendly API. HackVitraSec was engaged to perform a full API pentest.

Vulnerability

The API endpoint /v1/user/transaction/{txn_id} was accessible to any logged-in user. By modifying the txn_id parameter, it was possible to view transactions belonging to other users – a classic Insecure Direct Object Reference (IDOR): the endpoint authenticated the caller but never checked that the caller owned the requested object.

Impact

  • Exposure of other users' transaction data
  • Risk of financial record leaks and GDPR penalties
  • Potential legal liability and brand reputation damage

Exploitation

Using Burp Suite, our team fuzzed the txn_id field with sequential values and confirmed successful data leaks. No user role validation or object ownership checks were in place.

Remediation

  • Backend checks were added to verify user ownership of each transaction
  • Randomized UUIDs replaced predictable numeric IDs
  • Audit logging was enabled for suspicious access patterns
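The three remediation steps above, shown together in one small handler, as an added illustration that is not the client's code: the pre-fix lookup beside the post-fix lookup that scopes the query to the session user, issues random UUIDs instead of sequential ids, and writes denied cross-user reads to an audit log. The in-memory store, user names and amounts are constructed for the example.

```python
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    txn_id: str        # random UUIDv4, not a guessable sequence number
    owner_id: str
    amount_cents: int


@dataclass
class TransactionStore:
    """In-memory stand-in for the transaction database (constructed)."""
    rows: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, owner_id, amount_cents):
        txn = Transaction(str(uuid.uuid4()), owner_id, amount_cents)
        self.rows[txn.txn_id] = txn
        return txn

    def get_vulnerable(self, session_user_id, txn_id):
        """Pre-fix handler: the row is fetched by id alone, so any logged-in
        user who supplies another customer's txn_id receives their record."""
        txn = self.rows.get(txn_id)
        return (200, txn) if txn else (404, None)

    def get_fixed(self, session_user_id, txn_id):
        """Post-fix handler: ownership is checked on every read. A foreign
        txn_id is answered exactly like a missing one (404, not 403) so the
        response does not confirm that the id exists, and the denied attempt
        is recorded so repeated probing can be alerted on."""
        txn = self.rows.get(txn_id)
        if txn is None or txn.owner_id != session_user_id:
            if txn is not None:
                self.audit_log.append({"event": "idor_attempt",
                                       "user": session_user_id,
                                       "txn_id": txn_id})
            return 404, None
        return 200, txn


def demo():
    store = TransactionStore()
    alice_txn = store.add("alice", 12_500)
    bob_txn = store.add("bob", 3_000)
    leaked = store.get_vulnerable("bob", alice_txn.txn_id)[0]   # 200
    blocked = store.get_fixed("bob", alice_txn.txn_id)[0]       # 404
    own = store.get_fixed("bob", bob_txn.txn_id)[0]             # 200
    return leaked, blocked, own, len(store.audit_log)
```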

Outcome

The issue was fixed within 72 hours. No actual breaches were observed. The client integrated IDOR checks into its development pipeline for future releases.

Need API testing like this?

Hire HackVitraSec
