- Severity
- Critical · CVSS 9.3
- Target
- Enterprise Consumer Brand
- Date
- 2026-04
- Category
- Credential Exposure / CORS / API Security
Unauthenticated Production Credential Exposure on Financial API
A publicly exposed endpoint returned production Basic Auth credentials (base64-encoded) without any authentication. These credentials granted full access to a financial API handling applications with sensitive PII including tax identifiers, corporate addresses, and personal contact details.
Attack Chain
Step 1: Credential endpoint found during recon
A GET request to the token endpoint returned production credentials with no authentication required.
Step 2: Decoded production credentials
Base64 decoding revealed a production username and password.
Step 3: Authenticated access to financial API
Using the leaked credentials, the API accepted requests and returned field validation errors: confirming write access to sensitive operations.
Step 4: Recaptcha bypass confirmed
Supplying a garbage value for the captcha field passed validation: the server never verified it.
Step 5: Wildcard CORS enables browser-based theft
The API returned Access-Control-Allow-Origin: *: any website could exfiltrate the credentials via JavaScript.
What Scanners Would Miss
Scanners find open ports and known CVEs. They don't chain a credential leak → CORS wildcard → recaptcha bypass → writable financial endpoint into a single attack path.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.