Cyvocate identified and reported a critical payment logic flaw in a leading fintech platform. The vulnerability allowed attackers to purchase $100 worth of credits while paying only $1. If exploited at scale, this loophole could have caused substantial financial losses and severe reputational damage.
By promptly detecting and validating the issue, Cyvocate helped the client secure its transaction pipeline, protecting both its revenue and customer trust.
Digital payment platforms face constant threats where small validation errors can lead to catastrophic financial exposure. During a routine security assessment, Cyvocate uncovered a flaw in how the application processed recharge requests with its Internet Payment Gateway (IPG).
The system failed to enforce consistency checks between the payment amount deducted from the customer and the recharge amount credited to the account.
Through controlled testing, our team demonstrated the vulnerability:
By repeating this manipulation, attackers could have scaled the exploit to credit $50,000 worth of funds for just $500 in real payments.
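The consistency check the page describes as missing, shown as an added illustration (this is not Cyvocate's or the client's code): the flawed handler credits the recharge amount carried in the client's request, while the hardened handler credits only the amount fixed in a server-side order, and only when the gateway reports exactly that amount settled, once per gateway transaction. The `Order`/`RechargeService` names and the in-memory stores are assumptions for the demo.

```python
from dataclasses import dataclass
from decimal import Decimal


class RechargeError(Exception):
    """Raised when a recharge confirmation must be rejected."""


@dataclass
class Order:
    order_id: str
    user_id: str
    amount: Decimal      # recharge amount fixed server-side when the order was created
    settled: bool = False


class RechargeService:
    """Hypothetical recharge backend with an in-memory order store and wallet ledger."""

    def __init__(self):
        self.orders = {}        # order_id -> Order
        self.wallets = {}       # user_id -> credited balance
        self.seen_txns = set()  # gateway transaction ids already credited

    def create_order(self, order_id, user_id, amount):
        amount = Decimal(str(amount))
        if amount <= 0:
            raise RechargeError("recharge amount must be positive")
        self.orders[order_id] = Order(order_id, user_id, amount)
        return self.orders[order_id]

    # Flawed pattern: the credit uses the recharge amount the client sent, so the
    # gateway-settled amount is never compared with what gets credited.
    def confirm_insecure(self, user_id, paid_amount_ignored, recharge_amount):
        balance = self.wallets.get(user_id, Decimal(0)) + Decimal(str(recharge_amount))
        self.wallets[user_id] = balance
        return balance

    # Hardened pattern: credit the server-side order amount, and only when the
    # gateway-settled amount equals it; reject replays of the same gateway txn.
    def confirm(self, order_id, txn_id, paid_amount):
        order = self.orders.get(order_id)
        if order is None or order.settled:
            raise RechargeError("unknown or already settled order")
        if txn_id in self.seen_txns:
            raise RechargeError("duplicate gateway transaction")
        if Decimal(str(paid_amount)) != order.amount:
            raise RechargeError(f"settled {paid_amount} != order amount {order.amount}")
        self.seen_txns.add(txn_id)
        order.settled = True
        balance = self.wallets.get(order.user_id, Decimal(0)) + order.amount
        self.wallets[order.user_id] = balance
        return balance
```

A $1 payment submitted against a $100 order is rejected by `confirm`, whereas `confirm_insecure` credits $100 regardless of what the gateway settled.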
The application under review provided a recharge feature, where users could enter an amount and proceed to payment through an IPG. During traffic inspection with Burp Suite, our team observed that the application sent multiple requests before finalizing the transaction with the gateway.

Two critical parameters were identified: