Uncovering Critical Financial Bugs in a High-Profile Target - [A Pentester’s Diary]

Cristi Vlad
Sep 11, 2024


In a recent pentest, I found multiple bugs that, if exploited by threat actors, could have caused significant financial damage to the client’s business.

For the sake of keeping the client’s identity private, all names, endpoints, and technologies are redacted and only approximate the specifics of the pentest.

What I can tell you is that the client is a very hot name right now, one you’ve likely heard of and whose services you’ve likely used. A big component of their business is AI.

It all started from the fact that this pentest was unusual as the client was using an uncommon way to talk to the API. And they told me to use the command line to send API calls. Did I?

Unfamiliar with their method of API communication, I prompted ChatGPT-4o to help me, and after some trial and error, it gave me a nice web-based GUI for fast and efficient API testing. Without this, it would have taken me much more time to thoroughly test all endpoints.

I was very pleased when I was able to test using the GUI because there currently is no tool on the internet for this purpose, which made the whole pentest even more interesting.

After testing a couple dozen endpoints and finding nothing noteworthy, I stumbled upon a collection of endpoints that piqued my interest.

So, here’s where the story actually really begins:

  1. The product has multiple tiers: free, premium, and enterprise (not the actual names).
  2. Users on the enterprise plan can create groups (with group managers and members), while users on the two other plans cannot.
  3. I found an endpoint /AddGroupFree which is used to create groups. The issue was that it didn’t verify the identity or the plan of the user who sent the request to the endpoint. It basically didn’t verify who was sending the request.
  4. Sending a POST request to this endpoint with the name of the group, something like POST /AddGroupFree ... {"groupName":"<name>"}, would create a group in the current user’s account and automatically upgrade the account to enterprise. Wait, what?

What’s even weirder is that I had paid for the premium plan for one of the testing accounts so that I could test across tiers. And when I created the group using my premium account, I was immediately upgraded to enterprise and I received a refund for my actual payment. Whoa!

I couldn’t believe my eyes when I saw that on my internet banking and when I saw that I was upgraded to enterprise.

Want to hear something even weirder?

The billing details of my now-enterprise account, including my payment details (card, etc.), were gone/deleted. I entered these details when I paid for premium, and now they were gone. So, upgraded to enterprise with no payment details on file. All I could see under billing was “Add Payment Details”. It’s clear that there are some heavy logic flaws or flows (lol) here.

Thus, the number one flaw with critical financial impact was a free upgrade to enterprise. And if the upgrade was made from a paid premium account, it came with a nice refund for the previous payment.

All I did here was discover that hidden endpoint, which was probably meant to be used by admins. If that was the actual case, they should have protected it with some secret backend-use-only token.

The big financial impact is that you could create as many free accounts as you want and upgrade them to enterprise using this method. And since they are also paying for some of the services in the enterprise plan and they are not getting any money from you, you are basically buffing their monthly bills in extremis.

Anyhow, let’s move on.

With the upgraded account, I looked for what I could further abuse and found out that I could max out the number of group members (each group member adds an extra charge to the plan) as well as multiple other extra-charge features.

I was able to set all of them to the maximum allowed number without having a valid payment method associated with the account. You are basically maxing out on everything at their own expense. What a mess!

Next, I found a Group Takeover vulnerability (I’ve seen this in other pentests), where a low-permissions member of the group could invite others to the group with the role of manager assigned to them (by adding a role parameter to the API request).

The issue here is that they didn't check the permissions of the user who was sending the invite. If the user sending the invite was a low-permissions user, they shouldn't have been able to select the role of the invitee through the API (and they couldn't select the role of the invitee in the dashboard — it’s never a good idea to rely on frontend restrictions only). The request was something like:

POST /invite ... {"email_address":"<email>", "role":"manager"}

Thus, a low-permissions member invites a manager => new manager removes the old manager from the group and takes over the group. Simple, yet powerfully damaging. And all because of those pesky uncontrolled API calls.
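The two missing server-side checks described above (no identity or plan verification on group creation, no permission check on the invite role), sketched as an added example that is not code from the client or from the original post. The `User`/`Group` model, the function names and the "member" role are assumptions, and the tier names are the post's placeholders.

```python
# Added example: server-side authorization for the two requests described above.
# The data model, function names and the "member" role are assumptions.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""

@dataclass
class User:
    email: str
    plan: str  # "free", "premium" or "enterprise" (the post's placeholder tiers)

@dataclass
class Group:
    name: str
    roles: dict = field(default_factory=dict)    # member email -> "manager" | "member"
    invites: dict = field(default_factory=dict)  # invited email -> role on accept

def add_group(caller, body, groups):
    """Group-creation handler: the caller's plan is checked, never changed."""
    if caller is None:
        raise Forbidden("authentication required")
    if caller.plan != "enterprise":
        raise Forbidden("groups require the enterprise plan")
    group = Group(name=body["groupName"], roles={caller.email: "manager"})
    groups[group.name] = group
    return group

def invite(caller, group, body):
    """Invite handler: a client-supplied role is honored only if the caller may grant it."""
    if caller is None or caller.email not in group.roles:
        raise Forbidden("caller is not a member of this group")
    requested = body.get("role", "member")
    if requested not in ("member", "manager"):
        raise Forbidden("unknown role")
    # Only a manager may grant the manager role, whatever the dashboard exposes.
    if requested == "manager" and group.roles[caller.email] != "manager":
        raise Forbidden("only managers can invite managers")
    group.invites[body["email_address"]] = requested
    return requested
```

Both handlers take the caller from the authenticated session rather than from the request body, so the decision never depends on anything the client can set.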

Next, there was a series of AI flaws, including the leak of the system prompt, alongside multiple prompt injection attacks of varying impact. Serious enough by themselves, it took me about 2–3 days of prompting until I was able to successfully get to the bottom of them.

The final serious issue was a weak JWT secret that I was able to brute force, allowing me to forge session tokens. There is a caveat though: this was partially mitigated because the payload of the JWT contained a random factor that was unique to each token, so I couldn’t figure out how to exploit it further within the time allotted for this pentest.

All in all, starting from the fact that I was very pleased I got to pentest this big name, I entered the pentest with modest expectations, thinking they were bulletproof in terms of their security posture (they had other pentests done before), only to discover these issues with crippling financial impact, and not only.

After this pentest, I was left with a reinforced belief that I should never be intimidated by a target just because of its name and reputation. If you look deep enough, you will find good stuff.

Finally, with so little time on hand for writing, I hope that my rushed explanations here have left you with some motivation for your upcoming cyber assessments, at the very least.

Until next time!
