Public disclosures. Redacted where we have to.

Purchase price can be overridden arbitrarily and marked paid without funds, enabling full fund theft across merchant plugin ecosystem.

Live payout creation endpoint accepts unauthenticated requests producing unlimited real-money payouts to attacker-controlled accounts.

Mongo operator injection on userDetails dumps admin profile including plaintext withdrawal OTP and 2FA token.

Token endpoint issues valid 30-day bearer tokens for arbitrary user IDs without credentials, impacting 1.73M investors.

Profile API returns KTP, bank accounts and KYC identity_file URLs without auth for any user ID.

Signer service issues signed GCS URLs without auth, allowing arbitrary upload/download to KYC and SBN buckets.

Legacy JWT secret `shhhhh` used for session signing; attackers forge tokens for any user or admin.

Public bucket lists 1352 KYC documents and versioning allows recovery of supposedly deleted files.

Public ThroughBit bucket lists 1352 KYC docs spanning two pagination batches.

Fastjson $ref gadget chain on CardGoal API yields unauthenticated remote code execution.

SSRF chain sends arbitrary Redis commands enabling DB control.

Response timing differentiates reachable vs unreachable internal hosts, enabling network mapping.

60+ gadget classes instantiated via Fastjson body parsing enabling RCE and file write chains.

Cashia customerSearch query returns full PII and wallet balances for 60 customers without auth.

OAuth back-office allows registration with arbitrary domain leading to read access on 2.33M transactions.

Crypto platform Firestore has read/write/update/delete; plaintext passwords, PINs, 13,554 KYC images.

/smile-id/callback accepts forged POSTs without signature/IP check; attacker can KYC-verify ANY user.

Public endpoint returns 288 merchant API keys enabling attacker to act as any merchant on the platform.

Backend host reachable on eight internal ports directly from the internet, exposing databases and admin services without firewall.

Redis Commander UI exposed without auth allowing arbitrary read/write against production Redis.

Kafdrop UI accessible without credentials disclosing 29 topics with live payment messages and offsets.

Production EVM deposit webhook lacks signature validation enabling injection of forged confirmed deposits.

All eight inbound payment gateway webhooks accept forged payloads permitting arbitrary balance manipulation.

Chain of unauthenticated transaction creation plus webhook forgery and broken validation yields free settled funds.

All eight internal webhooks accept negative amounts and exhibit race conditions enabling arbitrary balance inflation.

RabbitMQ broker retains guest/guest default allowing full AMQP access including administrative actions.

POST https://[vendor]/kyc/sumsub_webhook/ Content-Type: application/json

Target: [vendor] Asset: AWS S3 Bucket [vendor] (us-west-2) Status: VERIFIED - Full R/W/D Access Proven

AWS Cognito Identity Pool us-east-1:b1cc32f2-117f-41c3-b797-e19d0e41b75e unauthenticated erisime acik. Elde edilen IAM role amplify-korapaykyc-dev-41238-unauthRole, [vendor] S3 bucket'ina s3:PutObject, s3:GetObject, s3:DeleteObject, s3:ListBucket dahil tam erisim sagliyor. Bucket versioning KAPALI. Bu, saldirganin KYC dokumentlarini okuyabil

> UPGRADED from original report: File count increased from 20,000 to 247,303+. WRITE and DELETE access confirmed

Target: [vendor] / [vendor] Classification: CRITICAL (CVSS 10.0) Attack Type: Full Account Takeover Chain (Password Reset OTP Brute-Force + No Email Change OTP + JWT Over-Expiry)

New evidence: - Source map-den elde edilen melumatla 3 hesab yaradildi - Butun endpoint-ler test edildi ve 8 yeni vulnerability tapildi

Total: 12 Critical + 6 High + 3 Medium = 21 unique findings

Researcher: Atilla Memmedli

Accounts list endpoint returns server-generated OTP tokens allowing attacker to set password and take over any account zero-click.

Anyone can signup and is auto-granted admin role with no email or KYC verification on production merchant panel.

Negative debt values accepted during purchase create, reducing total due to near-zero for paid transactions.

trade/userDetails endpoint returns withdrawal OTP without authentication, making full account takeover one-step.

Source map exposes encryptAlgo allowing client-side generation of any user's apiKey including admin.

withdraw_amount endpoint passes decryptAlgo but skips identity check allowing unauthorized withdrawals with forged apiKey.

50 sequential OTP attempts all return 404 with zero throttling allowing exhaustive OTP brute force.

Production payment gateway accepts JWTs from enumerable issuers without signature verification on 17 fund-transfer routes.

Public bucket lists 52 source maps and admin panel tarball with 407 source files including investor service code.

Live Cashfree secret key embedded in APK enables server-side payment creation on attacker's behalf.

Withdrawal endpoints skip JWT validation, allowing attacker-triggered BTC/ETH outflows.

Two Rancher K8s management APIs reachable from the internet, one at v2.11.1, allowing cluster-wide control.

Young Platform exchange JS bundle embeds HMAC secret used to sign all BFF and Identity API requests.

Cardify /api/user/tests/delete_user.php deletes arbitrary user accounts without auth.

Setting ?telegram=1 on 13 admin endpoints bypasses session check and triggers real bank payouts/KYC approval.

Gift card OCR callback accepts forged results crediting attacker cards.

Admin API reflects arbitrary origin with credentials enabling cross-origin admin ATO.

Temporal UI publicly reachable enabling workflow history viewing and namespace creation.

Same operator as payplus; Firestore and Storage both open with financial data.

446 virtual cards accessible via open Firestore enabling direct card abuse.

RTDB default rules allow anonymous writes; already exploited by external party.

production.embed accepts Monnify webhooks without verifying monnify-signature HMAC; fake payment injection.

metabase.dexpay.io leaks setup-token + 118 config keys unauth.

AirSign registers any caller producing Ed25519 key unlocking full platform access.

Any USER JWT can call createAdmin, assignUserRole, updateKycStatus, automateWithdrawal admin mutations.

forgotPassword emits unlimited simultaneous OTPs with differential error oracle; ~3 min per victim.

USER JWT can swap any user's funds at manipulated rate; $22.5M platform-wide exposure.

Same SmileID callback overwrites displayName, first/last name, and address for any user.

Phone 2250749994257 accepts any non-empty OTP; issues 90-day JWT with real production KYC data.

Monnify webhook endpoint accepts arbitrary payloads without HMAC signature or IP whitelist validation, allowing attacker to forge deposit/refund/disbursement events and credit arbitrary amounts.

Password reset endpoint allows 84 consecutive OTP attempts per window with unlimited OTP requests. 4-6 digit OTP keyspace exhaustible within hours enabling account takeover of any user.

Admin backoffice exposes open registration, enabling any actor to self-provision an administrator account.

Public accounts endpoint returns full user list with active OTP tokens permitting mass takeover pipeline.

NextAuth callback accepts attacker-controlled userId without proving social identity ownership, issuing session for arbitrary users.

Firebase Storage bucket permits anonymous read, write and delete across 3277 user/course files enabling supply-chain upload and destructive actions.

Registration flow lets attacker skip PIN verification and directly invoke activate-account, creating activated accounts without email control.

Authenticated user can change password of any other user via unprotected change-password endpoint.

Metabase session properties leak valid setup token usable to reconfigure admin when setup flow not finalized.

Kafka UI reachable without auth exposing 55 topics including KYC and payment message streams.

Metabase BI instance exposes unrotated setup token enabling admin provisioning.

Second Metabase BI tenant exposes active setup token with unauthenticated admin bootstrap path.

BI instance exposes active Metabase setup token enabling admin provisioning bypass.

> NEW FINDING — Not in original report

https://firebasestorage.googleapis.com/v0/b/[vendor].appspot.com/o

Finding: Metabase instance exposes setup-token in session properties, enabling FULL admin takeover

Target: admin-api.[vendor]:7443 ([vendor]-PRO-ADMIN-SERVICE) Base URL: https://admin-api.[vendor]:7443/AdminApi/actuator Stack: Spring Boot 3.x, Tomcat 10.1.4, Java 17.0.11+7-LTS-207, Oracle DB, Redis 7.0.15, SMTP2GO

Target: [vendor], hashcashconsultants.com, hcx.com Scope: Infrastructure, exposed services, misconfigurations

Target: [vendor] (White-Label Crypto Exchange Platform) Scope: API auth bypass, IDOR, BOLA/BFLA, privilege escalation

Tarih: 2026-04-10 Hedef: [vendor] ([vendor] - Nijerya Toplu Gida Alisveris Platformu) Platform: Firebase (farmcrowdy-727ba) + Medusa.js (Next.js) Toplam Bulgu: 3 (1 Critical + 1 High + 1 Medium)

[redacted].io / [redacted][target] - Critical Security Assessment Target: app.[redacted].io, secureapi.[redacted][target], admin.[redacted][target] Total Findings: 12 (7 Critical + 3 High + 2 Medium) FINDING 1: Arbitrary BTC Balance Manipulation via Unauthenticated-Like Endpoin

[redacted].io / [redacted][target] - Phase 3: CVSS 10 Findings Target: [redacted].io / [redacted][target] / [target] / [target] Tester: Atilla Memmedli (Authorized Bug Bounty) NEW CRITICAL FINDINGS: 8 Verified (5 Critical + 2 High + 1 Medium)

Finding 22 (NEW): Admin Account Takeover via Password Reset Chain + OTP Brute Force Severity: CRITICAL (CVSS 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) The admin password reset endpoint (`/api/v1/admin/auths/reset-password`) is fully accessible with only a device token (no user a

Signing algorithm runs client-side without server secret, enabling arbitrary request signing.

Django debug reveals 240 settings including Redis/RabbitMQ/Admin bypass token.

Non-production PG2 endpoint exposed to internet with all 17 fund routes live, forming a safe-to-exploit staging replica.

FileOutputStream reachable via deserialization lets attackers write arbitrary files to server.

ServerSocket instantiation allows listener binding as foothold for post-exploit.

Public bucket lists 14121 objects including KRA PIN certificates and KYC attachments.

Finding 5 — CVSS 10.0 — JWT Forge → Tüm Merchant API Erişimi JWT Secret: `714a7ea9a0ef4d7886f41fd8b782fa7d` (HS256) Kaynak: GCE sunucu `/var/www/html/proxy/.env` + Cloud Run env var Etkilenen Merchant'lar (SUPER_ADMIN):

Staging Laravel log-viewer is accessible without auth and leaks database backup delivery metadata, admin email, SQL traces, forge paths and webhook payloads.

eramba subdomain exposes Kubernetes API server with version and verbose health responses.

STOMP broker accepts wildcard topic subscription exposing 2903 live messages including odds and user context.

Vulnerable Components: - https://payout.[vendor]/file_creator.php → writes to HOOK_xLmu... directory - https://payout.[vendor]/file_reloadly_creator.php → writes to ACTIVE HOOK_JXO3... directory - https://payout.[vendor]/redbiller/ → directory listing confirms file creation

1. API Token-Only Authentication (No IP Restriction) The API is protected only by an `X-Auth-Token` header. If the API token is leaked (via .env, git history, or brute force), ALL document templates, submissions, and submitter data become accessible. There is no IP allowlist or a

Finding 1: Odoo ERP Public Signup + Full Stack Trace Information Disclosure [CRITICAL] Summary: erp.[redacted].ng adresinde Odoo ERP sistemi public internet'e acik ve /web/signup sayfasi aktif. Herhangi biri hesap olusturabilir. Ayrica tum hata yanitlarinda full Python stack trace'l

1. Attacker fetches `https://merchant.[redacted].ai/app-config.js` 2. Extracts [target] WRITE key -- can send emails/push notifications to all [redacted] merchants 3. Extracts Rutter production key -- can access merchant e-commerce integrations 4. Extracts GetStream key -- can access re

Finding 1 — CVSS 10.0 — PROD PostgreSQL Direkt Erişim (12 Veritabanı) Endpoint: `[ip]:5432` (GCP Cloud SQL `[redacted]-prd`, europe-west2) — TCP AÇIK Credentials: `[redacted]-prd:idC4KeJkaaN!AoNp` Kaynak: `[redacted]-ccee8_cloudbuild/source/.tgz` → `prd.yml` CI/CD arşivi

| 13 | Password Reset OTP Brute Force (0 rate limit, 500+ attempts) | 8.5 | | 14 | Biometric Authentication Endpoint Discovered (/api/biometric) | 8.5 | | 15 | Nova Files Preview - Potential Arbitrary File Read | 8.5 | | 16 | Bearer Tokens Survive Password Change (persistent ATO)

Finding 3: Public Postman API Documentation with Production Data [CRITICAL] Vulnerable Endpoint: https://docs.[redacted].com/ [redacted]'nin Merchant API'si Postman Documenter ile herkese acik dokumante edilmistir. Dokumantasyon 21 endpoint, request body ornekleri, response ornekleri, me

Mid-Size Platform Targets - 10 Verified Targets with Initial Findings Tarama Tipi: Reconnaissance + Initial Vulnerability Discovery TARGET 1: [redacted] ([redacted].co) - Saudi BNPL Unicorn Company: [redacted], Saudi Arabia BNPL (Buy Now Pay Later)

Finding 1: CRITICAL - Admin Panel Source Map Exposure (6.1 MB) URL: `https://adminer.[redacted].site` Source Maps: ALL `.js.map` files accessible (200 OK) - `app.b9a4e86d.js.map` - 111 KB

Firebase Misconfiguration Mass Scan -- 2026-04-10 Scanned 100+ crypto/fintech platforms for Firebase security misconfigurations. Found 3 platforms with open Firebase Storage, 2 platforms with open Realtime Database, and 1 platform with open Firestore. The most critical finding is

Finding 2: Source Map Exposure - API Endpoints and Bank Account Validation Logic [CRITICAL] Summary: win.[redacted].ng ("[redacted] Accounts Validation") uygulamasinda source map dosyalari public erisime acik. Source map'ler, uygulamanin tam kaynak kodunu icerir ve icinden unauthentica

Finding 13: PIN Overwrite Without Old PIN Verification (CRITICAL - CVSS 8.8) Vulnerable Endpoint: `POST https://thor.[redacted].com/api/user/pin` Type: Broken Authentication (CWE-620) The `POST /api/user/pin` endpoint allows overwriting an existing transaction PIN without verifying

Finding 2: CRITICAL - 60+ Admin API Endpoints Exposed Via source map analysis, all admin API endpoints discovered:

Finding 1: CRITICAL - Internal Support App Full Source Code Exposure (12.8MB, 500 Files, 199 GraphQL Operations) The [redacted] internal support application at `supportapp-new.[redacted].com` exposes a 12.8MB source map containing 500 application source files and 199 GraphQL mutation/query d

Vulnerability D[redacted]s - Extracted API Endpoints Transaction Service (12+ endpoints): Extracted User Model / Permission System Extracted Third-Party Integrations

Yeni Platform Taramalari - Kritik Bulgular Toplam Hedef: 5 platform (3 CRITICAL + 2 HIGH attack surface) 1. [target] - CRITICAL (Stablecoin Payment Infrastructure) Sektor: Afrika stablecoin odeme altyapisi (Nigeria, Ghana, Kenya, South Africa)

Admin config endpoint accessible without auth exposes admin user IDs and platform secrets.

Wallet address endpoint dumps 600+ user addresses without auth, enabling targeted deanonymisation.

Public trade list dumps 3647 trades, counterparty emails, and amounts, exposing KYC-adjacent data.

Registration response returns the full Mongo user document including TOTP secret, bcrypt hash and email OTP.

Public TOTP OTP endpoint differentiates valid vs invalid clientIDs, enabling enumeration and SMS bomb across 44M accounts.

S3 config files readable without auth leak internal user IDs and service-to-service endpoints.

OAuth client id and secret embedded in JS allow forging tokens against backend API used by Bitcoin ATM network.

Admin dashboard API reflects any Origin with Allow-Credentials, enabling zero-click admin takeover via phishing.

Password reset token returned in response body and OTP verification endpoint permits brute force leading to full takeover.

Signature check compares hashes inversely so any mismatched signature passes validation.

SafeHaven callback endpoint accepts forged payloads without HMAC verification.

Deposit webhook checksum comparison inverted so forged payloads credit attacker wallets.

Shared payment callback endpoint accepts unsigned payloads enabling arbitrary deposit crediting.

Admin source map leaks AES-CBC key used to encrypt server responses; enables full decryption.

Admin Zendesk API token hardcoded in bundle, validated as active with billing_admin+moderator role.

Client auth service returns verified:true regardless of OTP value.

shop.drugstoc.com and staging Django apps expose full stack traces and URL route listings.

Admin panel, payment logic, auth flow, hardcoded credentials, merchant IDs exposed via production source maps.

All production and staging API endpoints return Access-Control-Allow-Origin wildcard with Authorization header permitted; malicious site can perform authenticated cross-origin requests.

DELETE endpoint on admin console reaches controller logic with a regular user token; any authenticated user can delete arbitrary accounts, including admins.

reCAPTCHA v3 secret key hardcoded in frontend allowing attacker to forge bot scores and bypass bot protection globally.

JWT access tokens persisted in localStorage are recoverable via any XSS enabling account takeover.

Wallet resource enumerable by incrementing numeric ID leaks 100K+ user wallet addresses and balances.

Password reset PIN verification endpoint returns success for arbitrary input enabling password change on any email.

Metabase Google SSO accepts any Google identity creating self-service admin accounts wired to production database.

OTP send and verify endpoints accept unlimited calls without rate limit enabling 6-digit OTP brute force phone takeover.

Infisical instance exposes open signup without email verification or captcha enabling tenant creation and lateral movement to secrets.

BVN agents admin Swagger UI reachable without auth exposing KYC agent workflows.

Unauthenticated Genesys chat token generation plus WACE bot API permits impersonating arbitrary customers in live chat.

Android APK embeds CRM client credentials enabling full read/write on marketing event system across members.

Token generation formula decompiled from APK allows reproducing valid auth tokens offline.

STOMP broker accepts CONNECT without credentials permitting unauthenticated subscription.

Injected STOMP frames propagate to all subscribers allowing attacker to alter live odds received by clients.

Vulnerable Endpoint: https://payout.[vendor]/

Any unauthenticated attacker can read ANY user's bank account information (full legal name, bank name, masked account number, internal IDs) by simply changing the X-User-ID header. No authentication token, session cookie, or API key is required

The OKR platform at okrs.[vendor] exposes a Supabase backend with anon key that grants unauthenticated read access to the entire profiles table containing 413 employee records with full names, job titles, teams, managers, HiBob IDs, and corporate email addresses, including C-level executives (CEO, CTO, CFO)

Finding 1: CORS Wildcard with Credentials on Admin Panel and API (CRITICAL) Severity: Critical (CVSS 9.1 - AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) Summary: Both admin panels (hiftigh.[redacted].com and [target]) return `Access-Control-Allow-Origin: ` combined with `Access-

Finding 6: Whitelabel Partner Data and MongoDB ObjectIDs Exposed (CRITICAL) Affected Component: [target] source map Summary: MongoDB ObjectIDs for all whitelabel integration partners (including Worldcoin across 8+ countries) are exposed in client-side source code, along w

Finding 2: Production API Authentication Bypass via Encryption Key Exposure The API gateway validation uses an AES-256-CBC encrypted `X-Request-ID` header. The encryption key, IV, API key, and subscription key are all exposed in client-side JavaScript, allowing anyone to forge va

Finding 3: Shopify Payment Test Environment API Key Exposure (CRITICAL) The `sfy-payment-test.[redacted].ai` subdomain exposes a [redacted] API key in its Next.js `__NEXT_DATA__` runtime configuration, accessible without authentication. This is a Shopify payment integration test environmen

Client-side AES-GCM key for production payload encryption exposed in JS, reducing encryption to obfuscation.

APK ships with static AES-CBC key and IV used for request protection enabling MITM decryption on all installs.

Virtual card issuance callbacks skip HMAC validation enabling forged card event injection.

Server-side fetch endpoint permits requests to internal Kubernetes cluster services facilitating metadata exfiltration.

[redacted].com - Staging Environment Deep Security Assessment Target: stage.[redacted].com (staging) vs [redacted].com (production) Discovered: dev.[redacted].com (development), casino.[redacted].com, admin.[redacted].com, sportsbook.[redacted].com, crypto.[redacted].com, api.[redacted].com, sb

Trade chat endpoint serves private buyer/seller messages and shared KYC attachments without auth.

Coolify deployment platform accessible over internet without hardening enabling deployment and container control plane attacks.

Multiple backend services reflect arbitrary Origin with credentials enabling cross-origin authenticated operations.

STOMP broker accepts SEND to arbitrary topics enabling attacker to inject odds and score events.

Production source maps reveal 243 files including API encryption helpers, internal endpoints and admin routes.

DevDashboard JS leaks NUXT_ENV_VERCEL_ARTIFACTS_TOKEN, ORG_ID, PROJECT_ID enabling Vercel supply-chain.

WalletPro API gateway /health reveals node IPs, pod names, service account, microservice names, Datadog labels.

NGenius and Checkout.com API keys embedded in SPA bundle; NGenius keys only base64-encoded.

x-secret-token used by all authenticated endpoints is hard-coded in browser bundle.

Develop bundle exposes REACT_APP_SECRET used as encryption key for client-side session storage.

Firebase Auth allows open email/password registration without email verification enabling unbounded account creation.

User app exposes 9.6MB source map with 502 TypeScript files including exchange logic.

Static KYC API key enables direct invocation of KYC provider endpoints and enumeration of document flows.

Internal Sentry DSN accepts unauth events enabling log pollution and developer alert fatigue.

Production source maps expose complete exchange logic including private modules.

AstroAfrica admin ships Vue source maps disclosing 96 API endpoints and internal flows.

Production dexpay.io runs vite dev exposing 19+ source files directly.

Login API reflects Origin with credentials allowing a hostile page to capture 44M-user broker login session.

ASP.NET Core API accepts all requests without validating Authorization header; every endpoint accessible unauth.

Fraud Decision API concatenates verification_id into SQL enabling full extraction of 11 databases.

Attacker-created MySQL user with full privileges across all databases via stacked-query SQLi.

Endpoint: https://46.101.230.90:55000

Tarih: 2026-03-20 (Guncellenmis -- Aktif Test Sonuclari) Aciliyet: KRITIK -- Aktif tehdit, 200K+ kullanici risk altinda Durum: 30K hesaba zaten erisilmis. BIRISI AKTIF OLARAK BRUTE FORCE YAPIYOR

BitValve accepts http:// origin with credentials on all 40+ endpoints letting in-path attacker drain wallets on HTTP downgrade.

Production Vault instance reachable publicly, exposing sys/metrics and AppRole endpoints.

Admin gRPC service reachable without auth exposing 44 methods including user management.

Eight CNAMEs point to deleted DigitalOcean apps, takeable to intercept dashboard/admin/staging traffic.

Widget bundle ships '/auth/dev-login' call and commented access-key reveals production backdoor pattern.

Bitbns table-name parameter is SQL-injectable and three WAF bypass payloads succeed on production.

Mongo operator injection succeeds on three auth endpoints enabling admin enumeration and auth bypass.

obiex minio-api reflects arbitrary origin with credentials and KYC/KYB buckets confirmed via 403 responses.

kyb-api.sigma.obiex.finance publicly reachable without WAF, 42-day uptime.

sigma.obiex.finance hosts Coolify deployment console with wildcard CORS controlling all services.

la3eb Jenkins exposes Base64-encoded admin credential and build trigger token publicly.

enjoygm admin panel reachable publicly with 30 privileged API routes and wildcard CORS.

GET /User/GetAdmins returns 4 admin accounts with ASP.NET Identity password hashes.

Unauth POST /CryptoWallet/AddCryptoWallet redirects all customer BTC/USDT deposits to attacker address.

/verification-details and /data endpoints expose complete KYC records unauth (5.8M BVN + 2.75M verifications).

Checkout.com Apple Pay integration allows 303 redirect chain for OOB SSRF exfiltrating origin IP + metadata.

Altenar game integration accepts XML with external entities; K8s service account JWT + pod hostname exfiltrated.

256-bit HMAC key in JS enables subscribing private-global_private channel monitoring all trades.

Password reset API returns the reset code and token in response body enabling mass account takeover via email enumeration.

Device runs 2018 firmware vulnerable to known authentication bypass and RCE CVEs without vendor patch path.

Admin wallet transaction endpoint returns platform-wide financial history without authentication.

Admin wallet balance endpoint accepts arbitrary customer IDs without auth revealing holdings.

OTP verification endpoint accepts unlimited attempts with no lockout enabling account takeover.

Primary payment callback endpoint accepts arbitrary payloads without signature validation enabling deposit forgery.

Eleven different provider callback endpoints accept forged payloads across all zones enabling payment manipulation.

Social login endpoint accepts any provided token without validating with Facebook/Apple enabling full account takeover by email.

Staging Vault instance is unsealed, public, with UI enabled exposing secret management plane.

Endpoint: https://guards.[vendor] (via kibanaserver:kibanaserver)

Through the Wazuh API, an attacker can achieve Remote Code Execution on production by: 1. Creating a new agent group 2. Uploading a configuration with localfile commands 3. Assigning the production agent to that group 4. Restarting the agent to apply the configuration

Vulnerable Endpoint: https://analytics.[vendor]/api/session/properties

This is the core vulnerability that makes fund theft possible. When a user withdraws crypto through the website, they must enter a 6-digit code sent to their email (email OTP). However, when using an API token (generated via /auth-http/auth/business/generate-token), this email OTP check is completely skipped. The server accepts an empty security

The internal Xbox order fulfillment API at redeem-cards.com is accessible from the public internet without any authentication. The UserType: [vendor]Bot HTTP header bypasses all authentication, granting direct access to order creation logic that reaches the DecideXboxPreOrder() function -- one step from triggering real monetary transactions on Mi

Any user's password can be reset without authentication, CAPTCHA, or rate limiting. The password reset code brute force endpoint has zero rate limiting -- 300+ consecutive requests were tested with 0 blocked. Combined with X-Forwarded-For bypass, the attack is completely unlimited

curl -s -X POST "https://grpc-global-service-web-envoy.use[vendor]/business_banking.backend.protos.global.proto.KycManagementService/FetchAllKycLevels" \ -H "Content-Type: application/grpc-web-text" \ -H "Accept: application/grpc-web-text" \ -H "X-Grpc-Web: 1" \ -d 'AAAAAAA='

POST /api/auth/register endpointi basarili kayit sonrasinda kullanicinin bcrypt password hash'ini hem JWT token payload'inda hem de response body'sinde dondurur. Ayrica GET /api/auth/me endpointi de authenticated kullanicinin password hash'ini response'da dondurur. Bu bir fintech platformunda felaket seviyesinde bir guvenlik acigi

[redacted] Infrastructure Security Assessment — Full Report Researcher: Atilla Mammadli (atillamemmedli@[target]) Target: [redacted].io and associated infrastructure Critical: 10 | High: 6 | Medium: 16 | Low/Info: 28+

Finding 27: VPN Superuser Account Compromise via Weak Credentials (CRITICAL) Status: PROVEN - TOKEN OBTAINED The VPN admin account `candra@[redacted].com` uses a [redacted]ially guessable password `[redacted]123!` which grants `superuser` role access to the VPN management API. Combined

[redacted] SSH 2012.55 - CVE ve Exploit Arastirmasi Hedef Versiyon: [redacted] sshd 2012.55 Amac: Authorized internal network security audit Kaynak: NVD (NIST), [redacted] CHANGES log, ExploitDB, GitHub

[redacted] (my.[redacted].com) — Default Admin Credentials on Magento REST API Target: my.[redacted].com ([redacted] / Azerconnect) Report To: informationsecurity@[target] Severity: CRITICAL (CVSS 9.8 — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Finding K-3: Transaction Automation API with Broken Authentication (CRITICAL) Endpoint: `http://[ip]/` (port 80, same server as [redacted]) Summary: A Transaction Automation API running on the same server as [redacted] accepts ANY Bearer token value for authentication. The

[redacted] Finance - Zero-Click Wallet Drain Exploit Analysis Target: [redacted].finance (mobilelab.[redacted].africa + [redacted]bridge.[redacted].finance) Type: Authorized Bug Bounty - Maximum Impact Chain Analysis Status: CHAIN PROVEN - Multiple 0-click and 1-click wallet drain vectors identified

Finding 3: [redacted] SSH 2012.55 - Multiple Critical CVEs (14+ Years Old) CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H SSH daemon'u [redacted] 2012.55, 14+ yillik ve en az 8 bilinen CVE'ye karsi savunmasiz. Bunlar arasinda remote code execution (CVE-2016-7406) ve authenticated R

Finding 2: Translation Write + CDN Publish (Supply Chain Attack) Type: CWE-94 (Supply Chain Compromise) Step 4 — Confirmed on live site: GCS file modification timestamp updated to `2026-03-23T10:14:49.721Z` during our test. All values were restored immediately after verification.

CRITICAL: Unauthenticated STS Token Generation → Full OSS Bucket Read/Write Access Target: [redacted].store (Nigerian gift card P2P trading platform, ~1.3M users) Status: Authorized Penetration Test Unauthenticated Alibaba Cloud STS Token Generation via getOssToken API Leads to Full Re

[redacted] ([redacted].az) - Full Account Takeover Chain Verification Target: https://api.[redacted].az (Production API) Classification: CRITICAL - Full Account Takeover (CVSS 9.8) Status: FULLY VERIFIED on production

BitValve OAuth flow omits state parameter enabling CSRF-based account takeover via attacker-supplied code.

Apple OAuth always sets state=apple allowing reliable CSRF account linkage on victim sessions.

la3eb OAuth client secret leak allows forging Sign-in-with-Google assertions.

7 invoice manipulation endpoints accept requests without any auth token; any UUID enables cancel/refund/mark-paid actions.

Guest endpoint issues 0 EUR Primer production tokens with full card tokenization.

byGuestAccessId endpoint skips auth returning 10 credential field types.

globalPrivateChannelKey returns rotating OTP; HMAC computed locally to sign channel auth.

The [vendor] Vue.js SPA stores the user's authentication Bearer token in localStorage under the key accessToken. Combined with the CORS wildcard () on sls.[vendor] that allows Authorization header in cross-origin requests, and the DELETE method enabled on /user/account, this creates a full account takeover and destruction chain exploitable

blix.gg MinIO images bucket allows anonymous object upload to 38,219 public assets (1.3GB).

la3eb.com OAuth 1.0a flow allows X account session takeover with 119K-follower brand handle.

Single JS bundle leaks 20+ service API keys including Checkout.com sandbox, Lokalise, Firebase anonymous.

Fonbnk callback accepts empty or arbitrary payloads with unvalidated signature enabling ATEN system abuse.

DownloadTransactions gRPC method returns CSV transaction data without a token after progressive field disclosure.

wageon.io white-label brand resolves to AWS origin bypassing CF.

Every REST route reflects arbitrary Origin with credentials enabling cross-origin session hijack across the storefront.

Integrator dashboard runs Vite dev server in production exposing full React source, routes and env config.

Staging API base URL points to an unregistered .dev domain; claiming it hijacks staging frontend traffic.

Payment OTP verification endpoints have no effective rate limiting. Zain allows 185 requests per IP without any block, Simpaisa allows 50+ requests. Combined with XFF bypass, the entire OTP keyspace can be brute-forced

1. Hardcoded API Signature (auth.crud.js) - Internal IP: `[ip]` (Alibaba Cloud, staging/dev backend) - Hardcoded Signature: `X-TCDX-SIGNATURE: salamtothemoon` - used for admin authentication - Endpoint: `POST /admin/auth` with email/password

1. Refund Chain: Public API creds ([redacted]) -> Token -> invoice_id enum -> Unauthorized refund execution 2. Account Takeover Chain: Email enum (login differential) -> Reset flood (no rate limit) -> Token brute-force -> IMT operator account takeover -> Cross-border payment data 3.

SSRF Azure Infrastructure Deep Exploitation - [redacted].money Hedef: [redacted].money ([redacted] Money (Pty) Ltd) Zafiyet: SSRF via `validateApplePayMerchant` GraphQL Mutation Severity: CRITICAL (Infrastructure Mapping + Database Discovery + Key Vault Discovery)

Finding 1: Reverse Authentication Logic on Notification/EscrowPayout [CRITICAL] Endpoint: POST /api/Notification/EscrowPayout Notification/EscrowPayout endpoint'inde authentication logic'i TERS calisiyor. `ApiKey` header gonderilMEdiginde endpoint "Success!" donuyor. ApiKey heade

- Existing email: "Password reset link has been sent to your e-mail address." - Non-existing email: "Active user could not be found." No authentication is required. No rate limiting observed (beyond the global IP-based rate limit). reCAPTCHA is not enforced. | support@[redacted].com

African Crypto/Fintech Platform Mass Scan Results Scope: 20 African crypto/fintech platforms Method: Passive reconnaissance, subdomain enumeration, configuration exposure, API discovery 1. [target] / [target] -- MULTI-VECTOR COMPROMISE

Crypto Exchange Mass Scan - 2026-03-22 20+ Platform Vulnerability Assessment VERIFIED FINDINGS (3 Platforms) 1. [redacted] -- VERIFIED CRITICAL (Vietnamese Crypto Exchange, ~1.39M users)

Finding 1: Firebase Realtime Database PUBLIC READ Access [CRITICAL] - URL: `https://[target]/.json` - Impact: Full database readable without authentication (562KB) - 80 production bank configurations (codes, logos, names)

mDNS/Bonjour ve UPnP Servis Kesfi Raporu Test Makinasi: [ip] (MacBook Pro, Mac16,8, macOS Darwin 25.2.0) Yetkilendirme: Authorized pentest [ip]/24 yerel aginda mDNS/Bonjour ve UPnP/SSDP protokolleri kullanilarak servis ve cihaz kesfesi yapildi. Toplamda 8 benz

Finding 5: Subdomain Information Disclosure (LOW) Kesfedilen subdomain'ler ve durumlar: - `api.blix.gg` - 502 (backend down) - `api-dev.blix.gg` - timeout (DNS var, service yok)

[redacted] Code Billing/Auth Security Assessment — PROVEN FINDINGS [redacted] VDP — Authorized Security Research Hedef: [redacted] Code CLI v2.1.74, [redacted] API Kapsam: Billing bypass, auth bypass, client-side manipulation

- [UpdateAccountPermission Exploit](https://[target]/blog/[redacted]-wallet-exploit-updateaccountpermission) - [14,500 Wallets at Risk](https://[target]/news/[redacted]-addresses-risk-silent-hijacking) - [$500M Multisig Vulnerability](https://[target]/news/[redacted]-multis

Mass Scanner Prompt v2 — COPY BELOW INTO NEW SESSION You are conducting authorized bug bounty security research on digital game/gift card marketplace platforms. You have ONE job: find LETHAL vulnerabilities and PROVE they exist with real HTTP responses. WHAT I CARE ABOUT (NOTHING

Finding 2: CRITICAL - Full Stack Trace Disclosure with GoCD CI/CD Path Exposure Summary: IMT backend API'leri, kimlik dogrulama hatalarinda tam .NET stack trace ifsa etmektedir. Stack trace'ler GoCD CI/CD pipeline yollarini, kaynak kod dosya adlarini ve satir numaralarini icerir.

Finding 3 [CRITICAL]: OIDC Discovery Exposes Internal Architecture + Admin Impersonation Grant Type `secure.[redacted].money` ve `secure-staging.[redacted].money` OIDC discovery endpoint'leri production'da 26, staging'de 85 OAuth scope ifsa ediyor. Staging'de `admin-oidc-impersonation` g

[redacted].com - FINAL Penetration Test Report Authorized Bug Bounty Security Assessment - 2026-03-16 Target: [redacted].com ([redacted] - Gift Card E-Commerce) Stack: WordPress 6.x + WooCommerce + PHP 7.4.33 (EOL) + Apache + cPanel (CloudLinux/StableServer)

The following critical credentials are hardcoded in the JS bundle: Security Config File (Publicly Accessible) These values are used as custom headers in login requests: | JWT Secret | `YOUR_VERY_CONFIDENTIAL_SECRET_FOR_SIGNING_JWT_TOKENS!!!` | Mock auth (Fuse framework) |

Finding 0: 5x [redacted] Database Instances FULLY ACCESSIBLE [CRITICAL - MEGA] - Severity: CRITICAL (CVSS 9.8) - Impact: 5 separate [redacted] PostgreSQL databases for internal operations dashboards are publicly accessible with anon JWT keys hardcoded in publicly-hosted JS files. Com

KYC & Database Exposure Scan — 2026-03-17 Objective: Find HTTP 200 with ACTUAL real data (user records, KYC documents, DB contents) Result: NO verified data access found across 100+ platforms scanned Regions: Nigeria, Turkey, Southeast Asia, Latin America, Eastern Europe, Global

[redacted] Billing/Usage Bypass Research Responsible Disclosure — [redacted] VDP Araştırmacı: Atilla (atilla0283@hackerone) Amaç: Billing/usage enforcement bypass zafiyetleri tespit etmek

Finding 1: CRITICAL - 367-Endpoint API Specification Exposure (4x [redacted] UI Public) Summary: [redacted]'in cross-border para transferi (IMT) altyapisi 4 adet [redacted] UI/JSON spec dosyasini kimlik dogrulama olmadan internete acik birakmistir. Toplam 367 API endpoint'i (240 Accounting

Finding 1 [CRITICAL]: CORS Origin Reflection + Credentials on GraphQL API Production (`api.[redacted].money`) ve staging (`api-staging.[redacted].money`) GraphQL API endpoint'leri, `Access-Control-Allow-Origin` header'ında gönderilen herhangi bir `Origin` değerini yansıtıyor ve `Access-C

Finding 5: ThirdParty App Key Renewal Without Authentication [CRITICAL] Endpoint: POST /api/ThirdParty/App/RenewKeys ThirdParty App key renewal endpoint'i JWT auth gerektirmiyor. "User Not Found" hatasi donuyor (401 degil) - bu, auth katmaninin bypass edildigini ve business logic

[redacted] Kamera RTSP Guvenlik Denetimi Raporu Hedef: [ip] ([redacted] NVR/IP Kamera) Kapsam: Yetkili lokal ag pentest | Cihaz Turu | [redacted] NVR veya IP Kamera |

The Tolgee XLIFF import endpoint does not disable external entity processing: After import + apply, the file content is stored as a translation value and readable via API. | File | Content | Criticality | |------|---------|-------------|

validUntil/validAfter are appended to userOp.signature but never hashed, so any relayer can alter the validity window without invalidating the signer's ECDSA signature.

Wallet stores owner in both custom and OZ Ownable slots, and owner() switches source based on isClaimed, leaving the wallet ownerless after the two-step claim.

Bucket lists and serves KYC front_image, liveness video and selfie images for registered users.

Eight internal services reachable publicly including analytics, admin portal and staging env.

Busha 7 hosts reflect arbitrary origin with credentials, enabling cross-origin authenticated reads of 41 endpoints including PII.

Bitmama production JS bundle exposes DigitalOcean Spaces key and secret valid for account-level actions.

Staging admin panel ships 26MB source map and embedded DO Spaces key.

Public Postman collection hosts enterprise bearer tokens tied to live Heroku backends.

Self-hosted n8n v2.7.2 reachable publicly with API endpoints exposed.

globaladmin.bitbns.com/test.php returns raw DB dump without auth.

admin.bitbns.com/bitbns/crm/test.php exposes DB dump unauthenticated.

Two Freshdesk-pointing subdomains show dangling CNAMEs allowing takeover.

Changera/Payborda JS exposes Flutterwave secret and AES encryption key used for payments.

Cloudinary preset allows unsigned uploads to KYC folder enabling attacker-uploaded proofs.

Cardtonic API reflects origin including null with credentials across all endpoints.

ChatHub issues 1-hour JWTs unauthenticated enabling session identity forging.

usenosh.com reflects origin including null enabling iframe-sandbox ATO chain.

gcbuying buckets deny listing but permit direct-object read enabling object enumeration via key guessing.

api.buffbuff.top ACAO * + credentials enables zero-click ATO.

kefu89757 admin panel accepts brute-force logins over Akamai without WAF rules.

PayPal, Airwallex, Antom, PayerMax, Asiabill credentials in JS bundles.

REACT_APP_API_KEY + CLIENT_ID bundled in merchant panel allowing unauth access to production services.

Origin IP 188.245.49.12 reachable bypassing CF WAF allowing unrestricted backend access.

Passbolt CE 5.9.0 self-registration + admin GPG key + email exfiltrated via SSRF.

KYC webhook accepts forged POSTs without X-Payload-Digest enabling AML bypass for any account.

Full PII exposure + wallet hijack via refund-claim endpoint; 3.6M UUID/hr brute force with no rate limit.

Callback handler has no token/HMAC validation; CSRF explicitly disabled. Attacker can forge order status updates without any auth.

Angular fallback XSRF token hardcoded; full CSRF bypass enabling guest-token chain.

stream.flitpay.com exposes 175 production settings including DB hostname/username.

Publicly accessible debug.log of 21.6 GB leaks payment gateway credentials, server file paths and broken S2S webhook details.

Production HTML embeds an RSA private key usable to decrypt or forge server-side operations.

Google OAuth client secret hard-coded in HTML permits SSO flow takeover or spoofed server exchange.

Multiple payment webhooks lack signature validation enabling forged deposit notifications for seven different payment rails.

Laravel Horizon reachable without auth permitting queue inspection and job manipulation.

Customer endpoint enumerable by sequential ID discloses 60K+ user PII including KYC and wallet data.

Production API reflects any Origin header with credentials allowing cross-origin account takeover chain.

Provider enable/disable admin endpoint reachable without admin check allowing attacker to disable all 11 payment providers causing platform-wide DoS.

Manipulating Content-Type on Tanda webhook leaks internal BullMQ/Redis error details exposing infrastructure.

Admin dashboard ships a 17MB source map revealing 180 internal admin endpoints and business flows.

P2P trading API reflects arbitrary Origin with credentials enabling ATO of users visiting attacker site.

GraphQL endpoint returns enumerable customer PII including addresses and loyalty data without authentication.

Premium content HLS master and segment URLs directly accessible without auth bypassing paid subscription.

Production phone verification service configured to mock mode allowing any code to pass during registration.

Auth0 tenant allows public signups with email enumeration and arbitrary password reset.

Monad RPC exposes debug_traceCall/debug_traceBlockByNumber without authentication enabling MEV sandwich attacks and pre-image extraction on DEX swaps.

Frontend bundle embeds API authorization keys usable against admin endpoints.

Vulnerable Endpoint: https://kntlvmafkdfzneiugdck.supabase.co/rest/v1/admin_settings

Vulnerable Endpoints: - https://api.[vendor] (Production API) - https://business-banking.[vendor] (Business Banking API)

POST /api/auth/verify-email endpointi 6 karakterlik verification token kabul eder. Bu endpoint'te HICBIR rate limiting uygulanmamis. Saldirgan, herhangi bir kullanicinin email verification token'ini brute force ederek hesabini verify edebilir ve bu fintech platformunda islem yapabilir

currency-api.[vendor] endpointi Access-Control-Allow-Origin: ile birlikte Access-Control-Allow-Credentials: true set ediyor. Bu, tarayici tarafindan her zaman uygulanmasa da (spec'e gore bu kombinasyon engellenmelidir), bazi eski tarayicilar veya yanlis yapilandirilmis proxy'ler bunu izin verebilir. Daha onemlisi, bu yapilandirma guvenlik bi

Beyond the user profile endpoints (Finding 13), the SLS API also exposes financial and checkout endpoints with CORS wildcard (), including checkout/buyNow/buy, store-credit/get-balance, userBar/getCustomerScWor (store credit/wallet), and site/getAIChatSessionToken. Combined with the localStorage token storage (Finding 17), an attacker with a sto

The self-hosted Sentry instance at apm.[vendor] leaks its DSN (Data Source Name) key in the login page's __initialData JavaScript object. This DSN allows any unauthenticated attacker to inject arbitrary error events, including crafted XSS payloads, into the Sentry dashboard. When an administrator views these injected events, the XSS

Endpoint: https://sandbox.[vendor]/horizon

POST endpoints on Horizon require CSRF token, but the token is freely obtainable from the Horizon page itself (which is unauthenticated). By first fetching the page to get session cookies + XSRF-TOKEN, then including the decoded XSRF-TOKEN in the X-XSRF-TOKEN header, all POST operations succeed. This enables

[vendor]' Predictive Audience API is deployed on Azure App Service (pa-api-prod.azurewebsites.net) completely outside of Cloudflare WAF protection. The API has NO authentication whatsoever, exposes full Swagger/OpenAPI documentation, allows unauthenticated IDOR across all client IDs (user segmentation data, churn predictions, LTV data), an

Vulnerable Endpoint: https://[vendor] (HTML source, __NUXT__ config)

Finding K-1: [redacted] Setup-Token Exposed (CRITICAL) Endpoint: `https://[redacted] com/api/session/properties` Additionally accessible on direct IP (bypassing any WAF):

Finding 0B — LSLB API Unauthenticated Business Data Exposure (78 Production Records) CVSS: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) The LSLB (Lagos State Lotteries Board) permit management API at `api-prod.lslb.[redacted].co` returns 78 production business records (Niger

SEA / MENA / Turkey Crypto-Fintech-Betting Platform Scan Scope: Southeast Asia, Middle East, Turkey — crypto exchanges, fintech, betting platforms Method: Automated reconnaissance (subdomain enum, .env, [redacted], Actuator, GraphQL, CORS, source maps, S3, [redacted], KYC dirs) | | Plat

Finding 2: 512-bit RSA Key for Login Encryption ([redacted]ially Factorable) CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Login islemi icin kullanilan RSA anahtari sadece 512-bit uzunlugunda. 512-bit RSA 1999 yilinda faktorize edildi (RSA-155). Modern donanim ile dakikalar icinde k

Finding 7: Unauthenticated Mass User Data Leak via Chat Messages Endpoint Severity: Critical (CVSS 9.1 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) The `/api/messages/` endpoint returns 1,000 chat messages from 492 unique users without ANY authentication. Each message includes the user

Crypto Exchange Security Scan - 2026-03-23 Authorized Penetration Testing Report Targets: 10 cryptocurrency exchanges with public bug bounty/responsible disclosure programs Method: Subdomain enumeration (crt.sh), API/endpoint discovery, source map analysis, credential extraction,

[redacted].store Final Deep Dive -- All Findings Target: [redacted].store / [target] Bu final deep dive fazinda onceki tapdiqlar uzerine 7 yeni kritik ve yuksek severity bulgu ortaya cixarildi. Toplam etkile 1.44M istifadeci, 197K fatura kaydi, 69K email adresi, 851K degerlendirme ve

Finding 3: Full [redacted] API Documentation Publicly Exposed (CRITICAL) Endpoint: `https://api.[redacted].az/[redacted]/index.html` The complete [redacted]/OpenAPI documentation for the OneXTwo CRM API is publicly accessible, exposing all 135 API endpoints with full request/response schema

Finding 0C — PEP/AML Service OpenAPI Spec & Endpoint Disclosure (Production) CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) `pep-dom.svc.[redacted].co` (Domestic PEP Service) exposes its complete OpenAPI specification publicly, revealing 6+ PEP screening, conviction chec

Finding 1: Login Rate Limit Bypass via X-Forwarded-For Header Spoofing Severity: CRITICAL (CVSS 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Summary: Django backend'i rate limiting icin client IP adresini `X-Forwarded-For` header'indan aliyor. Cloudflare arkasinda oldugu i

Finding 5: Wildcard CORS Policy on Financial API The production API at `api.[redacted].ng` returns `Access-Control-Allow-Origin: ` on all endpoints, including admin and financial transaction APIs. The application uses Bearer token authentication stored in `localStorage`, which is

Finding 0 — Unauthenticated ML Anomaly Detection Engine + [redacted] UI on Production CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) The KYC/AML risk scoring service (FastAPI/Python) exposes [redacted] UI and full OpenAPI specification on BOTH development AND production. On t

Finding 1: CORS Misconfiguration — Arbitrary Origin Reflection with Credentials (CRITICAL) `api.[redacted].com` reflects ANY `Origin` header value in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`. This allows any malicious website to make authenticated

[redacted].[target] - Deep Penetration Test Report Target: [redacted].[target] (International Money Transfer Platform) Type: Authorized Penetration Testing Engagement [redacted]'in International Money Transfer (IMT) altyapisinda 10 guvenlik bulgusu tespit edildi: 1 Critical, 3 High, 4 Medium, 2 Low

`testClientCreateDirectDeposit` mutation'i, normalde test ortami icin tasarlanmis olmasina ragmen, PRODUCTION GraphQL API'sinde aktif ve herhangi bir ek yetki kontrolu olmadan calistirilabiyor. Mutation basarili response dondurdu (`TestClientCreateDirectDepositPayload`). Ek test

OAuth client lacks server-side hosted_domain check, attacker can craft token with arbitrary hd claim.

CRM exposes 17+ admin actions (wallet credit, KYC approve) without authentication.

Static AES-256-CTR key found in JS bundle decrypts all encrypted API traffic.

Several user endpoints accept arbitrary userId enabling cross-tenant reads.

CoinCola hashes passwords client-side with exposed salt and weak 1000-iteration PBKDF2 enabling rapid cracking.

nosh.ng JWT secret discovered in public artifact allowing arbitrary user session forging.

Finding 4: SSRF to Internal GKE Services HashiCorp Vault — Unsealed, Full Info Disclosure Vault `/v1/sys/internal/ui/mounts`: | Service | Port | Protocol | Status |

Registration response echoes server bcrypt password hash which attacker can crack offline.

Reconstructed source reveals complete admin API surface including merchant, settlement and payout operations.

Origin IP 43.199.67.100 reachable bypassing Cloudflare/Akamai protection.

Admin GraphQL endpoint introspection reveals 18 admin types and financial mutation signatures.

RBAC role/permission endpoint unauthenticated reveals complete privilege taxonomy across 11 admin roles.

Customer and admin bundles expose .map files revealing complete TypeScript source of 126 files across services.

Production admin ships source maps revealing complete admin business logic.

4735-line Prometheus dump reveals datasources, dashboards and admin identities.

1492 source files (165 app files, 6.8MB) exposed via source maps including encryption logic.

gamejus.com dev API leaks MSSQL column names and H:\Projects\ paths via stack trace.

gcbuying admin JS enumerates 120+ admin routes including KYC mgmt and Bybit integration.

Passkey credential IDs returned enumerably enabling fingerprinting and replay scenarios across 2FA system.

Withdrawal OTP stored unhashed and returned by admin/viewDetail enabling withdrawal replay.

admin/viewDetail authenticates on twoFAToken alone which is recoverable via NoSQL injection, exposing admin profile.

Invalid apiKey triggers full stack trace leaking framework versions, internal file paths and DB model names.

Verify endpoint permits ~5 tries before soft lockout; chained with OTP generate enables realistic OTP guessing.

Authenticated user can retrieve their TOTP secret seed in plaintext, allowing attackers with session hijack to clone 2FA indefinitely.

Keycloak admin UI reachable without IP restriction and with insecure grant types enabled.

Vulnerable Endpoint: POST https://app.[vendor]/api/register

The endpoint accepts a JSON body with `email` and `phone` fields, and returns a signed JWT token containing those exact values. No validation is performed: - Any email/phone combination accepted - Token expiry is approximately 24 hours 3. Generate token for arbitrary user:

Authenticated user can modify arbitrary client bank details through an unrestricted endpoint, redirecting payouts to attacker accounts.

Partner callback endpoint has no signature check so attackers can inject arbitrary payment events for any merchant.

S3 bucket exposes signed Private Placement Memorandum contracts with investor signatures.

takephlight subdomain runs vite dev server exposing /@vite/client, /@fs/ paths.

Kafka topics stream real-time KYC submissions unencrypted to anonymous Kafka UI readers.

Vulnerable Endpoints: - https://xchangeapi.[vendor]/api - https://instbtc.[vendor]/api - https://awstron.[vendor]/api

Vulnerable Endpoint: https://test.[vendor]/kyc/sumsub_webhook/

The Expo EAS Update staging channel is publicly accessible, exposing the development/test server configuration and allowing download of staging JavaScript bundles

A second Supabase instance at hawkvibes.[vendor] exposes 48 database tables including compensations, salary_ranges, salary_ranges_private, employee_feedback, performance_commentaries, employee_scores, penalties, and audit_logs. While currently empty (possibly new deployment), the schema is fully accessible via anon key with CORS wildcard

Total: 12 Critical + 6 High + 3 Medium = 21 unique findings

Authenticated user can overwrite live webhook URL for all events, redirecting all merchant notifications to attacker-controlled endpoint.

Admin pages rely exclusively on client-side redirects allowing direct URL access.

Alibaba Druid SQL monitoring UI exposed publicly on 13 endpoints.

Production ArgoCD v3.0.11 exposes settings including execEnabled:true and Lua health checks.

All production financial APIs return ACAO: * enabling cross-origin credentialed requests and account takeover chains.

API reflects arbitrary Origin with Allow-Credentials: true, allowing full cross-origin session theft.

After password login the user reaches the merchant dashboard without completing the 2FA challenge, bypassing the second factor.

Cancelled purchase can be re-transitioned to paid via mark_as_paid without validation, causing goods release without payment.

All origins accepted with credentials and Authorization reflected, enabling credentialed cross-origin attacks.

Static salt reuse across users allows rainbow-table style precomputation and common-password cracking.

Order submit and accounts endpoints accept requests without valid JWT enabling trade parameter discovery.

Four API subdomains return ACAO * and Allow-Credentials true, bypassing same-origin policy.

lenda-app Firestore readable unauth exposing lending user records.

POST /trade/disputes/approve/{id} on admin-api reachable with weak/bypassable auth.

Admin PATCH /rate accessible via predictable token enabling rate manipulation.

2FA endpoint accepts unlimited attempts enabling brute force.

/files endpoint returns all platform KYC documents metadata with pagination.

Zero rate limit on DO direct origin OTP endpoint enables mass account creation/takeover.

Auth endpoints accept any or missing Turnstile token because server-side validation is absent.

PIN and login endpoints accept unlimited attempts allowing brute force for account compromise.

Tarih: 2026-03-23 Hedef: [vendor] (Vietnam merkezli kripto borsasi) User ID: 1925403 (eagle8265934 / resadsabir5@gmail.com) Yetkilendirme: Authorized Bug Bounty Stack: Next.js + Node.js/Express + MongoDB + Socket.IO + Cloudflare

The API returns Access-Control-Allow-Origin: on ALL responses, including those containing PII bank data. Combined with the IDOR (Finding 1), this means any website can read any user's bank information via JavaScript cross-origin requests

> NEW FINDING

Decoded twoFAToken JWT payload embeds admin plaintext password, bypassing hashing protections.

Undocumented admin route discoverable via source map reaches authenticated admin UI.

Multiple third-party API keys exposed in JS including analytics, push and object-store with verified active status.

All 392 PHP API endpoints return ACAO * enabling cross-origin reads of authenticated data.

Spring Boot actuator endpoints allow env dump and heap snapshots on 8 domains.

OTP endpoint has no throttle enabling SMS bomb and brute force.

Finding 5: SigNoz Enterprise Monitoring Platform Public Exposure [HIGH] Summary: signoz.[redacted].ng adresinde SigNoz v0.115.0 Enterprise Edition monitoring platformu public internet'e acik. Version bilgisi ve setup durumu unauthenticated olarak ogrenilebiliyor. Platform traces, lo

Finding 16: Stored XSS via Feedback Form (HIGH - CVSS 7.3) Vulnerable Endpoint: `POST https://thor.[redacted].com/api/feedback` Type: Stored Cross-Site Scripting (CWE-79) Admin reviews feedback in Nova -> XSS fires -> admin session compromise.

Finding 3: HIGH - Unauthenticated Currency Data Exposure URL: `GET https://api.[redacted].site/v1/misc/fiat-currencies`

Mass Database/Admin Panel Scan Results Objective: Find platforms with exposed [redacted], phpMyAdmin, Adminer, or Firebase RTDB with real user data Regions: Southeast Asia, Middle East, Eastern Europe, Africa | [redacted] instances found | 6 |

Finding 4: Spring Boot Actuator + [redacted] UI Exposure (bydatawelive.[redacted].ng) [HIGH] Summary: bydatawelive.[redacted].ng adresinde "Topupbox" (Zeedlabs) airtime/data vending servisi calisiyor. Spring Boot Actuator endpoint'leri ve [redacted] UI public erisime acik. Actuator health/in

Only the `Ocp-Apim-Subscription-Key` header is required - no authentication token needed. - PROD: `[target]` - PROD: `[target]` - DEV: `c

Finding 15: Stored XSS via Bank Account Fields (HIGH - CVSS 7.6) Vulnerable Endpoint: `POST https://thor.[redacted].com/api/banks` Type: Stored Cross-Site Scripting (CWE-79) Same as Finding 14 - when admin views user's bank account d[redacted]s in Nova panel, XSS executes. Can be combine

Finding 3: HIGH - Agent Portal Source Maps Exposed Across Country Instances The [redacted] Agent Portal at `agents.[redacted].com` and country-specific instances (`bf.agents.[redacted].com`, `ci.agents.[redacted].com`, etc.) serve source maps for all JavaScript bundles. - Multi-country deployment (bf, c

Critical Discovery: Device tokens pass BOTH web AND admin auth middleware | Auth Method | web/transactions | admin/users | web/configs | admin/teams | |---------------------|-----------------|-------------|-------------|-------------| | No auth | 401 | 401 | 401 | 401 |

Finding 3: WSO2 API Manager Publisher Console + DevPortal Public Access [HIGH] Summary: apiconsole.[redacted].ng adresinde WSO2 API Manager Publisher Console ve DevPortal public internet'e acik. Publisher API 401 donuyor (auth gerekli) ancak Publisher UI, DevPortal UI, settings dosy

Password change does not terminate existing sessions, allowing stolen-token reuse indefinitely.

Auth and profile apps expose 18.5MB source maps (2227 files) disclosing full auth flow, KYC logic, OAuth config and 50+ API endpoints.

Financing order endpoints accessible without auth, exposing order data and enabling potential abuse of BNPL flow.

Product name field is rendered in receipt HTML emails without encoding allowing arbitrary phishing payloads from merchant-branded sender.

Authenticated session can mint new live API keys without re-auth, enabling persistent access after session hijack.

Zero-amount preauth then marked paid completes an order without a real payment capture.

/api/keys endpoint returns secret keys in plaintext on listing, violating key-display-once policy.

Merchant can create invoices and mark them paid internally to inflate revenue figures or trigger delivery without payment.

Socket.IO endpoint broadcasts real-time trade notifications and user presence without requiring auth.

Invoice creation endpoint skips userId ownership check, allowing arbitrary invoices against any target.

ReKYC module ships with deterministic encryption key in APK, allowing decryption of any intercepted ReKYC payload.

Ledger balance API reachable via Kong without proper identity propagation allowing partial data retrieval.

Discovery config endpoint returns zlib-compressed map of 287 keys and 89 internal production hostnames.

SmartAPI developer portal ships source maps disclosing 47 internal API endpoints and auth flow.

UAT trade host reachable on direct EC2 IP with 384 internal URLs and exposed robots.txt.

Static AES key in SmartAPI portal decrypts all API calls, combined with source map leaks.

Production and UAT HyperVerge appId+secret in APK allow direct KYC workflow invocation and analytics ingestion.

Exported push-notification intent accepts attacker-controlled URL and forwards into authenticated TWA/WebView.

Allowed wrapper domain forwards nested link= param into TWA context skipping origin validation.

Stock trading JNLP/JAR downloadable anonymously, exposing outdated libs vulnerable to deserialization CVEs.

Backup admin panel source maps leak investor management flows and session logic.

Production OTC bundle ships source map with 856 files and Razorpay public key.

Exchange UI source map includes developer admin JWT and credentials in code comments.

Public exchange API reflects ACAO with credentials enabling cross-origin trade APIs.

All API endpoints reflect ACAO * allowing cross-origin reads of authenticated user data.

Admin SPA reachable without IP allowlist and ships route map to all admin modules.

Multiple dev/staging hosts serve identical codebase to prod, usable as test lab for exploits.

Admin panel reachable publicly and ships 753KB of frontend source revealing admin routes.

Rancher UI publicly reachable, disclosing K8s/Rancher versions and cluster inventory.

Bitdenex CRM admin reachable without IP allowlist, exposing internal dashboard.

bitexlive.com ships .map files exposing full JS application.

coinome.com exposes legacy Sidekiq v5.0.4 dashboard without auth revealing job queues.

koinpark.com exposes 18+ internal microservices directly to the internet.

OTP verify endpoint permits enough attempts to brute force 6-digit code in minutes.

Production Next.js build ships source maps totaling 48.6MB exposing internal modules.

Production JS reveals multiple API secrets used in critical flows.

Zoho OAuth client secret present in bundle with full scope enabling potential mailbox access.

Mono Connect live keys leaked allowing widget impersonation and social-engineering tied to customer bank accounts.

Upload endpoints validate via allowlist matching but handle case/extension parsing unsafely.

Production Swagger UI exposed revealing full API contract.

Billions.network admin panel ships source map revealing 96 API endpoints.

PocketBits production ships ngrok dev URL with CORS wildcard leak.

Production JS embeds client registration credentials accepted by server (500 ISE, not 401).

Admin panel and Swagger for KYC microservice reachable publicly.

Laravel Ignition endpoint live with Swagger docs exposed in production environment.

Multiple payment and CDN keys bundled in frontend.

Public widget source map leaks integration patterns.

flipex-app bucket allows unauthenticated listing of UAT/KYC_DOCUMENTS/ folder.

admin.dtunes.ng exposes 1.4MB source map revealing 60+ admin API endpoints.

splitpay-app Firebase Storage allows anonymous reads.

pricepally Metabase exposes setup-token + AWS EC2 IP via unauthenticated endpoint.

Firestore collections readable without auth due to default rules.

ISO Document Management System accepts Google OAuth signup from any gmail account.

Password reset token brute-forceable with no throttle.

pk_live Paystack key embedded in production bundle.

/api/telimedicine/patient endpoint discoverable through debug route list.

otc.cryptal.com points to Bubble.io without valid app; takeover feasible.

config.ts exposes Shyft mainnet RPC key used for both RPC and sender URL.

Helius RPC and DAS enhanced API key bundled in frontend; usable for 3 endpoints.

aux00 internal Django dashboard reachable publicly with login form.

stg.notbank.exchange and stg.apidoc public with full staging schema.

api-test2 dev API and dev S3 bucket referenced in production bundle and reachable without auth.

Login, registration and 2FA endpoints have no rate limit enabling parallel brute force.

User search API returns full 544-user list with PII including phone numbers without authorization.

Event registration endpoint allows unauthenticated pagination through 659 attendee records with emails and phone numbers.

540 application source files recoverable from production source maps revealing HMAC keys and flows.

Payment token generation endpoint accessible without auth enabling unauthorized checkout session creation.

Admin panel ships 364KB source map leaking 22 source files and admin flows.

Third LATAM Metabase tenant exposes live setup token.

Public config JS reveals internal service map and API keys.

The staging authentication portal at auth-staging.[vendor] serves source maps containing complete TypeScript source code for the authentication system, including Cognito configuration, MFA flows, card security code validation, password reset logic, and embedded staging credentials

> NEW FINDING

Target: [vendor] (HashCash Consultants LLC) Scope: Cross-broker tenant isolation across 1,928 white-label broker instances

Vulnerable Endpoint: https://radar.[vendor]/static/js/main.ce51035c.js.map Size: 8,657,100 bytes (8.6 MB) / 1,268 source files / 173 application source files

Finding 3: WordPress Directory Listing Exposes 3,567+ Upload Files (HIGH) Severity: High (CVSS 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Summary: The WordPress blog at blog.[redacted].com has Apache directory listing enabled for the entire `/wp-content/uploads/` directory tree. Thi

Finding 3: OData Metadata & Internal Architecture Exposure (HIGH) The OData v4 metadata endpoints on both production and development API gateways are publicly accessible with only the subscription key (no bearer token required). These endpoints expose the complete database schema

Finding 4: Unauthenticated API Endpoints Expose Business Data (HIGH) Severity: High (CVSS 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Summary: Multiple API v2 endpoints on both hiftigh.[redacted].com and [target] return business-critical data without any authentication,

Finding 11 (NEW): Complete Admin Console Architecture Leak via JavaScript Source Maps Severity: HIGH (CVSS 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) The admin console at `console.[redacted].ng` exposes unobfuscated JavaScript bundles containing the complete admin API endpoint map

Finding 1: Massive Source Map Exposure Across 3 Applications (HIGH) - `https://app.[redacted].com/main.2ef2e977bb5dc9ba.js.map` (9.6 MB, 502 sources, 33 app files) - `https://admin.[redacted].com/main-P7MYWRXZ.js.map` (364 KB, 22 sources, 10 app files) - `https://ramp.manteca

Finding 2: Admin Login Approval Status IDOR -- Unauthenticated Monitoring (HIGH) Severity: High (CVSS 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Summary: The endpoint `GET /login/check-approval/{id}` on hiftigh.[redacted].com returns the status of admin login approval requests witho

v2-api.dtunes.ng returns ACAO:* which combined with AES key enables cross-origin session hijack.

VITE_GOOGLE_RECAPTCHA_SECRET_KEY hardcoded in production SPA; bot-protection bypass.

OAuth authorization/token endpoints served over plain HTTP exposing tokens to network observers.

Amplitude API key with write permissions leaked permits injection of arbitrary analytics events to poison user profiles.

n8n workflow platform reachable without auth allowing workflow inspection and webhook trigger abuse.

Finding 2: Admin Panel Publicly Accessible with Dev Tools Enabled (HIGH) Affected Component: `https://admin.[redacted].com` Summary: The Manteca admin panel (admin.[redacted].com) is publicly accessible without any network-level restriction. The admin panel includes developme

Backend microservices intended for internal VPC are reachable publicly with minimal auth, expanding attack surface.

Demo ourSpell instance allows open registration with full ecommerce/banking admin, leaking product architecture.

TWA JS bridge exposes openUrl method without allowlist, usable by embedded ads or nested iframes.

Vulnerable Endpoint: https://api.[vendor]/admin/login/ Server: CPython/3.10.20, WSGIServer/0.2, Django (latest dark_mode CSS)

Login, reset, and verification endpoints have no throttle enabling password/OTP brute force and credential stuffing.

Staging host is publicly reachable exposing pre-release vulnerabilities to attackers.

Static privateKey identifier leaked enables signature replay against SmartAPI trading endpoints.

Network security config allows cleartext HTTP to market-data hosts enabling MITM on hostile networks.

flows.json and env configs bundled in APK enumerate 50+ KYC and payment endpoints per environment.

Multiple WebView fragments accept arg-supplied URL without origin check, enabling phishing inside authenticated app.

Session JWT cookie lacks HttpOnly, Secure, SameSite, allowing XSS-based theft and replay.

Hardcoded dev origin allowed with credentials lets attackers host malicious page on attacker-controlled localhost binding.

EOL CodeIgniter backend exposes default pages and user guide identifying CVE-vulnerable version.

Public API origin reachable directly with Apache/Ubuntu banner and no rate limiting.

Self-hosted Sentry DSN accepts unauth events enabling log pollution.

Braze and other analytics keys in JS allow impersonating the app to push notifications and read analytics.

Differential responses on username lookup expose account existence feeding password spraying.

Debug flag leaks verbose SQL errors and stack traces in production.

Official WooCommerce payment plugin skips callback signature validation and ships with SSL verification disabled.

metabase.eversend.co exposes Google OAuth client ID and version enabling targeted attacks.

auth subdomain exposes Keycloak realms and internal configuration.

Sentry DSN hardcoded and accepts forged events into production project.

Finding 6: Admin Account Takeover via OTP Brute Force The OTP verification endpoints accept unlimited attempts without rate limiting or account lockout. Combined with Finding 3 (unauthenticated device token) and Finding 7 (email enumeration), an attacker can complete a full admin

Finding 1: CORS Origin Reflection + Credentials on Server Management Panel (CRITICAL) CRITICAL (CVSS 8.8) — AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H platform.[redacted].com üzerindeki Tenantos server management paneli, gelen HER Origin header'ını `Access-Control-Allow-Origin` response h

business-banking.[vendor] API'si tum endpointlerinde Access-Control-Allow-Origin: ve Access-Control-Allow-Credentials: true header'larini birlikte dondurmektedir

When a user enables Google Authenticator 2FA, their TOTP secret key is stored on the server. The problem is that this secret is returned in the API response when fetching the user's profile. Anyone with access to the user's token can read this secret, generate valid 2FA codes, and disable 2FA entirely

Swap Limit Order No OTP -- Funds Locked Without Verification

Trade endpoint appends user-controlled LIMIT clause parameter allowing time-based SQLi.

No SSRF filter exists; IP format variations all bypass.

curl -s -o phone_number.jpg "https://firebasestorage.googleapis.com/v0/b/business-banking-93cc1.appspot.com/o/account-details%2F1749634011035.png?alt=media"

ASP.NET Core DeveloperExceptionPageMiddleware is enabled in production. Every unhandled exception returns complete .NET stack traces with source file paths, line numbers, method signatures, the entire middleware pipeline, all HTTP request headers (including real IPs), and internal application architecture

The debug endpoint returns the complete request/response object of a server-side HTTP call to redeem-cards.com, exposing internal service credentials (UserType: [vendor]Bot), admin names (emre), the internal API URL, and server-to-server communication patterns -- all without authentication

=== Subdomains (21 via crt.sh) === www.[vendor] - 200 - Laravel + Livewire + Alpine.js (PRODUCTION) api.[vendor] - 403 - API Gateway (Cloudflare protected, IP restricted) sandbox.[vendor] - 200 - Laravel (DEBUG ON, HORIZON OPEN) document.[vendor] - 200 - Postman Documenter (API docs) cdn.[vendor] - 403 - CDN (Cloudf

Endpoint: https://sandbox.[vendor]/api/v2/publishers

/v2/auth/password-reset/start endpoint'i, verilen e-posta adresinin sistemde kayitli olup olmadigini acikca belirten hata mesajlari dondurmektedir. Rate limit sadece 5 request/window oldugu icin sinirli, ancak birden fazla IP kullanilarak veya X-Forwarded-For manipulasyonu ile bypass edilebilir

The ReadMe-hosted API documentation at documentation.[vendor] exposes the complete Partner API architecture including 42+ endpoints, internal test URLs ([vendor].test:8010), a Postman workspace ID, and internal subdomain (kdhyuobbnv.[vendor].com). Combined with Finding 1, this provides a complete attack map

/ajax/get-order-status endpoint'i herhangi bir authentication veya authorization kontrolu olmadan, herhangi bir order_id icin siparis durumunu (status, refund_status) dondurur. ~6,210,000+ siparis numarasi enumerate edilebilir. 5 farkli status tipi ifsa edilmektedir: completed, expired, in_cart, sent, apply_refund. Real-time in_cart status izlem

Deep analysis of the Game Tools Backend API (app-gametools-api-proc.azurewebsites.net) reveals that 5 distinct data endpoints are completely unauthenticated and IDOR-vulnerable, exposing a total of 724+ business records including [vendor]' complete pricing algorithm parameters (value multipliers per game feature), monthly Average Order Val

Vulnerable Endpoint: https://strapi.[vendor]/api/auth/local/register

Moonbase Internal Admin Panel (4.5MB JavaScript) Exposed Without Authentication via [vendor] — Full Backoffice Architecture, 8 Admin Emails, 9 Internal API URLs, 200+ Admin Routes, Gorra Fraud System Config

Finding K-2: Vite Development Server Exposed in Production (CRITICAL) Endpoint: `https://integrator.[redacted].com/` Summary: A Vite development server is running in production, exposing the complete application source code including TypeScript files, configuration, package.json,

Public Docker registry lists 29 repositories including google/cloud-sdk and golang with all tags.

Public NPM package documents partner API including signing scheme and endpoints.

Abandoned Railway deployment leaves CNAME dangling, permitting takeover to serve attacker content under bitafrika brand.

71MB of production source code served publicly including AWS credentials and payment keys.

Vault unauthenticated endpoints leak OIDC role names, Google OAuth client and root generation status.

Production Vault instance is unsealed and reachable over internet exposing secret management surface.

Production services accept any *.brankas.com origin with credentials, enabling subdomain-takeover to ATO chain.

Page parameter allows stored-procedure enumeration via injection.

Wildcard DNS resolves every subdomain to single IP, combined with permissive CORS chains into ATO.

Parallel Wallet/Withdraw requests processed concurrently without mutex enabling double-spend.

/send-webhook triggers customer webhooks for arbitrary verifications including completed ones.

Hardcoded client credentials on CNPS production API enable authenticated API access.

Hetzner metadata endpoint accessible; Vault direct IP with misconfigured listener.

16 guest endpoints enable order takeover, credential theft, dispute fraud.

10/10 parallel Primer production tokens issued in <1s; discountPercent:100 accepted.

Firebase Cloud Messaging endpoint blocked only by missing credential file; otherwise sends to all users.

86 public trade channels subscribable unauthenticated enabling front-running.

Vulnerable Endpoint: https://strapi.[vendor]/ (all endpoints)

The currency-api.[vendor] endpoint returns Access-Control-Allow-Origin: combined with Access-Control-Allow-Credentials: true. While browsers technically ignore credentials with wildcard origin, the misconfiguration signals a deeper CORS issue. The preflight response also allows Authorization header, meaning authenticated API calls from any o