Fintech · Penetration Testing · Critical

Broken API auth in a payments integration

Fixed before first enterprise customer onboarded
Engagement: 2 weeks

Background

A seed-stage fintech startup had just closed their first institutional round and was onboarding their first paying business customers. Their core product let small merchants accept ACH transfers. Before signing their first enterprise contract — which required a security review — they brought us in to test the payments API.

The finding

Six days into the engagement we found a Broken Object Level Authorization (BOLA) vulnerability in the payments API. The /api/v2/transactions endpoint accepted an account_id parameter that was never validated against the authenticated user's session.

By modifying the account_id in any API request, a logged-in user could retrieve the full transaction history of any other account on the platform — including balances, counterparty bank details, and transfer amounts.

GET /api/v2/transactions?account_id=ANY_ACCOUNT_ID
Authorization: Bearer <valid_user_token>

Three related endpoints were affected. Any authenticated user on the platform could exploit this without any special privileges.

CVSS score: 8.1 (High)

How we fixed it

We joined the engineering team's standup the day we confirmed the finding and walked through the exploit path live. Our report included:

  • A working proof-of-concept
  • The specific middleware layer where the authorization check was missing
  • A recommended fix: server-side validation that the requested account_id belongs to the session principal before returning any data

The fix landed in two days. We retested all three endpoints and confirmed the check was applied consistently.

We also flagged two adjacent endpoints with similar patterns at lower severity — these were triaged and closed in the following sprint.
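To make the pattern behind the finding and the fix concrete, the following is an added example and not the client's code, the firm's report, or any real framework: a stdlib-only Python stand-in for an account-scoped API handler, with constructed accounts, sessions and ledgers. It shows the vulnerable shape (authentication proves who the caller is, ownership is never checked) beside the hardened version, where a single server-side ownership check (the hypothetical require_account_ownership) is reused by every account-scoped handler, which is how the check ends up applied consistently across the three affected endpoints and the two adjacent ones rather than re-implemented per route.

```python
"""
Added example, not code from the original engagement.
Accounts, tokens and transactions below are constructed sample data.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the session principal does not own the requested account."""


@dataclass
class Session:
    user_id: str
    token: str


# Constructed sample data: account ownership, per-account ledgers, live sessions.
ACCOUNT_OWNERS = {
    "acct-1001": "user-alice",
    "acct-2002": "user-bob",
}
TRANSACTIONS = {
    "acct-1001": [{"id": "txn-1", "amount": 125.00, "counterparty_routing": "000000001"}],
    "acct-2002": [{"id": "txn-2", "amount": 9800.00, "counterparty_routing": "000000002"}],
}
SESSIONS = {
    "tok-alice": Session("user-alice", "tok-alice"),
    "tok-bob": Session("user-bob", "tok-bob"),
}


def authenticate(bearer_token):
    """Bearer token -> Session. Authentication only; says nothing about authorization."""
    session = SESSIONS.get(bearer_token)
    if session is None:
        raise PermissionError("invalid token")
    return session


# --- Vulnerable shape (BOLA): a valid token is enough to read any account ---------
def get_transactions_vulnerable(bearer_token, account_id):
    authenticate(bearer_token)               # proves WHO is calling ...
    return TRANSACTIONS.get(account_id, [])  # ... but never checks ownership of account_id


# --- Fixed: one shared ownership check, applied by every account-scoped handler ---
def require_account_ownership(session, account_id):
    """Server-side check that the requested account belongs to the session principal.

    Unknown and foreign accounts get the same Forbidden, so the endpoint does not
    leak which account ids exist.
    """
    if ACCOUNT_OWNERS.get(account_id) != session.user_id:
        raise Forbidden(f"{account_id} is not owned by {session.user_id}")


def get_transactions_fixed(bearer_token, account_id):
    session = authenticate(bearer_token)
    require_account_ownership(session, account_id)
    return TRANSACTIONS[account_id]


def get_balance_fixed(bearer_token, account_id):
    """A second account-scoped route reusing the same check instead of its own copy."""
    session = authenticate(bearer_token)
    require_account_ownership(session, account_id)
    return sum(t["amount"] for t in TRANSACTIONS[account_id])


def outcome(handler, bearer_token, account_id):
    """Run a handler and report 'ok' or 'forbidden'; handy for retest scripts."""
    try:
        handler(bearer_token, account_id)
        return "ok"
    except Forbidden:
        return "forbidden"


def demo():
    """Before/after: rows leaked to Alice from Bob's account, and whether the fix blocks it."""
    leaked = get_transactions_vulnerable("tok-alice", "acct-2002")
    blocked = outcome(get_transactions_fixed, "tok-alice", "acct-2002") == "forbidden"
    return len(leaked), blocked


if __name__ == "__main__":
    print(demo())  # (1, True): the vulnerable handler leaks one row, the fixed one refuses
```

The retest described above maps onto outcome(): for each account-scoped handler, a foreign account id must come back "forbidden" and the caller's own account "ok". Keeping the check in one helper also makes it easy to grep a code base for account-scoped handlers that do not call it, which is the kind of thing a PR review checklist can ask for.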

Outcome

All findings were remediated before the enterprise contract was signed. The client passed their customer security review with no open issues in the access control category. Their engineering lead added authorization testing to the PR review checklist going forward.


All client details are anonymized. Sector and finding type are accurate.
