Bug Bounty

How I Found a $10K IDOR in a Fintech Platform

8 min read · K4L1 Security

A deep dive into discovering and exploiting an Insecure Direct Object Reference vulnerability that exposed sensitive financial data.

The Discovery

While testing a major fintech platform, I noticed that API endpoints used sequential integer IDs for user accounts. Changing the ID parameter in requests returned other users' financial data — account balances, transaction histories, and even linked bank account details. This is a classic Insecure Direct Object Reference (IDOR) vulnerability, but its impact was anything but typical.

Technical Analysis

The vulnerability existed across multiple API endpoints: /api/v2/accounts/{id}/balance, /api/v2/transactions/{id}/history, and /api/v2/users/{id}/profile. None of these endpoints verified that the authenticated user owned the requested resource. By simply incrementing the ID parameter, I could access any user's financial data. The platform had over 2 million active users, making this a critical finding.

Impact Assessment

The IDOR exposed: full names and email addresses, account balances and transaction histories, linked bank account details (partial routing numbers), and investment portfolio data. This violated PCI-DSS requirements and could have led to account takeover, financial fraud, and identity theft at scale.

Responsible Disclosure

I reported the vulnerability through the platform's bug bounty program with a detailed proof of concept. The team responded within 4 hours and deployed a fix within 48 hours. They implemented proper authorization checks on all affected endpoints and added rate limiting to prevent enumeration attacks. The bounty? $10,000 — one of my highest single findings.

Key Takeaways

Always test for IDOR on all API endpoints, not just the obvious ones. Use UUIDs instead of sequential IDs where possible. Implement proper authorization middleware at the API gateway level. Never assume that authentication equals authorization — just because a user is logged in doesn't mean they should access every resource.
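As an added example (not code from the post or from the platform), a minimal Python dispatcher for the three endpoints named above: calling `handle` with `authz=None` reproduces the missing ownership check, the default `require_ownership` middleware is the fix (a foreign id gets the same 404 as a missing one, so status codes do not confirm which ids exist), and `enumeration_suspects` is the kind of per-session miss counting a defender can run over access logs. All data, names and function names are constructed for the example.

```python
import re

# Constructed sample data (not from the post); each object records the owning user id, which the fix checks.
ACCOUNTS = {1001: {"owner": 1, "balance": 2500.00}, 1002: {"owner": 2, "balance": 17.25}}
TRANSACTIONS = {1001: {"owner": 1, "history": ["deposit 2500.00"]},
                1002: {"owner": 2, "history": ["card 17.25"]}}
PROFILES = {1: {"owner": 1, "name": "Alice Example"}, 2: {"owner": 2, "name": "Bob Example"}}

# Route table for the three endpoints named in the post: pattern -> (object store, field returned).
ROUTES = [
    (re.compile(r"^/api/v2/accounts/(\d+)/balance$"), ACCOUNTS, "balance"),
    (re.compile(r"^/api/v2/transactions/(\d+)/history$"), TRANSACTIONS, "history"),
    (re.compile(r"^/api/v2/users/(\d+)/profile$"), PROFILES, "name"),
]

def route(path):
    """Resolve a path to (store, object id, field), or None when nothing matches."""
    for pattern, store, field in ROUTES:
        m = pattern.match(path)
        if m:
            return store, int(m.group(1)), field
    return None

def require_ownership(session_user_id, obj):
    """Authorization middleware: the object must exist AND belong to the authenticated user."""
    return obj is not None and obj.get("owner") == session_user_id

def handle(path, session_user_id, authz=require_ownership):
    """Dispatch one request and return (status, body). authz=None reproduces the bug: any
    logged-in user reads any id. With the middleware, a foreign id gets the same 404 as a
    missing one, so the status code does not confirm which ids exist."""
    if session_user_id is None:
        return 401, None                      # authentication: who is calling?
    r = route(path)
    if r is None:
        return 404, None
    store, obj_id, field = r
    obj = store.get(obj_id)
    if obj is None or (authz is not None and not authz(session_user_id, obj)):
        return 404, None                      # authorization: may this caller see this object?
    return 200, obj[field]

def enumeration_suspects(access_log, threshold=3):
    """Detection: session user ids that were denied on 'threshold' or more distinct routed ids.
    access_log is a list of (session_user_id, path, status) tuples."""
    denied = {}
    for user, path, status in access_log:
        if status == 404 and route(path):
            denied.setdefault(user, set()).add(path)
    return sorted(u for u, paths in denied.items() if len(paths) >= threshold)
```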

K4L1 Security, Bug Bounty Hunter & Security Researcher
