Tagged articles

financial API

1 article · Page 1 of 1
Black & White Path
Jun 22, 2026 · Information Security

How an Overlooked Request Header Exposed All My Transaction Records

The author discovered a silent IDOR vulnerability in a financial system: the backend trusted the X-Account-Id request header, so supplying any user's ID in that header returned that user's full transaction, rewards, and billing data without authentication. The issue was reported responsibly, fixed quickly, and rewarded.

IDOR · financial API · request header
0 likes · 7 min read