MemCyber
Fintech · API Security Testing · SEA · 2 weeks

Case study

Southeast Asian Investment App

REST + WebSocket assessment of a retail investment platform. BOLA on portfolio endpoint exposed other users’ holdings; rate-limit bypass on OTP.

Endpoints mapped: ~180
Critical / High: 1 / 5
Triage time: 48h
Regulator escalation: 0

Findings summary

1 Critical, 5 High, 8 Medium (14 findings in total)

Problem

The brief.

A Series B SEA investment platform with regulator oversight needed a rapid API-only review ahead of a new product launch. Scope was the full REST surface plus the WebSocket feed powering real-time portfolio updates.

Approach

How we ran it.

Two-week API-focused assessment. Mapped every endpoint (~180) and triaged each against BOLA, BFLA, mass-assignment and rate-limit-bypass patterns. WebSocket authentication and message-injection testing ran in parallel.

Result

What changed.

One Critical BOLA on the portfolio endpoint exposed other users' holdings with a single ID swap: the portfolio ID in the request was never checked against the authenticated user. Five High findings covered OTP rate-limit bypass, JWT scope escalation, and mass assignment. Disclosure was coordinated with the regulator; zero escalation.

Methodology

What we did.

  • BOLA / BFLA per-endpoint matrix
  • WebSocket auth + injection
  • JWT scope + audience analysis
  • Regulator-coordinated disclosure
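The ID-swap BOLA described under "What changed." and the per-endpoint BOLA/BFLA matrix listed above, as an added example that is not MemCyber's tooling or the client's code: an in-memory stand-in for a portfolio API with the vulnerable handler beside its fixed form, plus the matrix check that drives every session against every object (and every privileged function) it should not reach. User names, portfolio IDs, holdings and scope names are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data (not from the assessment): two retail users' portfolios,
# keyed by the ID that appears in the request path.
HOLDINGS = {
    "pf-1001": {"owner": "alice", "positions": {"AAPL": 12, "VNM": 300}},
    "pf-1002": {"owner": "bob", "positions": {"TSLA": 3}},
}


@dataclass
class Session:
    """Stand-in for an already-validated JWT: subject plus granted scopes."""
    sub: str
    scope: set[str]


class Forbidden(Exception):
    """Raised where a real API would return 403 (or 404 for a hidden object)."""


def get_portfolio_vulnerable(session: Session, portfolio_id: str) -> dict:
    """BOLA pattern: the scope check passes, but the path ID is never bound
    to the caller, so swapping pf-1001 -> pf-1002 returns another user's holdings."""
    if "portfolio:read" not in session.scope:
        raise Forbidden("missing scope")
    return HOLDINGS[portfolio_id]["positions"]


def get_portfolio_fixed(session: Session, portfolio_id: str) -> dict:
    """Object-level check: the record must belong to the authenticated subject.
    Missing and foreign IDs get the same error so the ID space cannot be enumerated."""
    if "portfolio:read" not in session.scope:
        raise Forbidden("missing scope")
    record = HOLDINGS.get(portfolio_id)
    if record is None or record["owner"] != session.sub:
        raise Forbidden("not found")
    return record["positions"]


def list_all_portfolios_vulnerable(session: Session) -> dict:
    """BFLA pattern: a back-office function reachable by any authenticated caller."""
    return {pid: rec["positions"] for pid, rec in HOLDINGS.items()}


def list_all_portfolios_fixed(session: Session) -> dict:
    """Function-level check: an explicit privileged scope is required."""
    if "portfolio:admin" not in session.scope:
        raise Forbidden("admin scope required")
    return {pid: rec["positions"] for pid, rec in HOLDINGS.items()}


def bola_matrix(handler, sessions: list[Session], owners: dict[str, str]) -> list[tuple[str, str]]:
    """Cross-user matrix: call the handler with every session against every object
    that session does not own. Returns the (subject, object_id) pairs that leaked."""
    leaks = []
    for s in sessions:
        for pid, owner in owners.items():
            if owner == s.sub:
                continue
            try:
                handler(s, pid)
            except Forbidden:
                continue
            leaks.append((s.sub, pid))
    return leaks


def bfla_check(handler, sessions: list[Session], required_scope: str) -> list[str]:
    """Function-level matrix: subjects lacking required_scope that still got a response."""
    hits = []
    for s in sessions:
        if required_scope in s.scope:
            continue
        try:
            handler(s)
        except Forbidden:
            continue
        hits.append(s.sub)
    return hits


if __name__ == "__main__":
    alice = Session("alice", {"portfolio:read"})
    bob = Session("bob", {"portfolio:read"})
    owners = {pid: rec["owner"] for pid, rec in HOLDINGS.items()}
    print("BOLA leaks (vulnerable):", bola_matrix(get_portfolio_vulnerable, [alice, bob], owners))
    print("BOLA leaks (fixed):     ", bola_matrix(get_portfolio_fixed, [alice, bob], owners))
    print("BFLA hits (vulnerable): ", bfla_check(list_all_portfolios_vulnerable, [alice, bob], "portfolio:admin"))
    print("BFLA hits (fixed):      ", bfla_check(list_all_portfolios_fixed, [alice, bob], "portfolio:admin"))
```

Against a live target the two handlers become HTTP calls made with each user's token, and `owners` is built from objects each test account created itself; the matrix then has one row per endpoint and one cell per (caller, object) pair, and any non-403/404 cell on a foreign object is a BOLA finding. The fixed handler returns the same error for unknown and foreign IDs on purpose: a distinct 403 would confirm which IDs exist.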

Outcome

Critical issues triaged within 48 hours. Public disclosure coordinated 90 days post-fix with zero regulator escalation.

Similar stack?

We run targeted assessments against exactly these classes of problem. Named reference available on request.