Client assessment summary: Pentesting for an emerging fintech company in Africa - 6000+ user's password reset.
The client is a fintech startup in Africa, we performed a 5-day pentest on their internet-facing assets(web, mobile apps), Our consultants first performed reconnaissance on the assets and discovered several vulnerabilities with low impact.
The client had already performed a pentest before hiring us, we knew our methodology could still surface more vulnerabilities with most business impact.
We found several API endpoints disclosing data without authorization such as transaction details, etc. Our team was successful in finding a critical password reset flaw in the API which allowed us to reset passwords and gain access to 6000+ users’ accounts in a single exploitation attempt.
The team was also able to identify an old asset which had misconfiguration to the PUT method which allowed us to perform server-side operations on the server.
Overall after the assessment, we rated the client’s risk rating as Critical, due to the overall business impact.
Feedback from the client’s ISO: