Expected Findings
- Any account ID can be queried directly.
- Withdraw endpoint accepts negative or nonsensical values.
- Frontend validation does not constrain the backend at all.
The balance widget loads another user's account by ID, and the withdraw form performs only cosmetic amount validation before sending the request: it checks that the field is non-empty, never that the value is a positive number within the balance.

```javascript
// Client-side only: a non-empty check, nothing about sign, range or format.
// Anything the server accepts can be sent directly, bypassing this check entirely.
if (amount.length > 0) submitWithdrawal(amount)
```
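Added example (not the lab's own code) of the server-side checks the backend needs so that neither finding is reachable: object-level authorization on the account ID and strict parsing of the amount. The account store, `session.user`, and the function names are assumptions.

```javascript
// Constructed in-memory account store: id -> { owner, balanceCents }.
// A Map avoids prototype-key surprises ("constructor", "__proto__") that a plain
// object lookup on untrusted IDs would have.
const accounts = new Map([
  ["1001", { owner: "alice", balanceCents: 50000 }],
  ["1002", { owner: "bob", balanceCents: 12000 }],
]);

// Parse an untrusted amount string into integer cents. Rejects negatives, zero,
// exponent notation, NaN/Infinity and more than two decimals; returns null on any
// failure rather than coercing.
function parseAmountCents(raw) {
  if (typeof raw !== "string") return null;
  if (!/^\d{1,12}(\.\d{1,2})?$/.test(raw.trim())) return null;
  const cents = Math.round(Number(raw) * 100);
  if (!Number.isSafeInteger(cents) || cents <= 0) return null;
  return cents;
}

// Authorize and validate a withdrawal. `session.user` is the authenticated
// principal (assumed); `accountId` and `rawAmount` come straight from the request.
function handleWithdrawal(session, accountId, rawAmount) {
  const account = accounts.get(String(accountId));
  // Object-level authorization: the account must belong to the caller. The same
  // 404 is returned for "does not exist" and "not yours" so IDs cannot be enumerated.
  if (!account || account.owner !== session.user) {
    return { ok: false, status: 404 };
  }
  const cents = parseAmountCents(rawAmount);
  if (cents === null) return { ok: false, status: 400, reason: "invalid amount" };
  if (cents > account.balanceCents) {
    return { ok: false, status: 400, reason: "insufficient funds" };
  }
  account.balanceCents -= cents;
  return { ok: true, status: 200, balanceCents: account.balanceCents };
}
```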