Severity
Critical · CVSS 9.3
Target
Enterprise Consumer Brand
Date
2026-04
Category
Credential Exposure / CORS / API Security

Unauthenticated Production Credential Exposure on Financial API

A publicly exposed endpoint returned production Basic Auth credentials (base64-encoded) without any authentication. These credentials granted full access to a financial API handling applications with sensitive PII including tax identifiers, corporate addresses, and personal contact details.

Attack Chain

    Step 1: Credential endpoint found during recon

    A GET request to the token endpoint returned production credentials with no authentication required.

    Step 2: Decoded production credentials

    Base64 decoding revealed a production username and password.

    Step 3: Authenticated access to financial API

    Using the leaked credentials, the API accepted requests and returned field validation errors: confirming write access to sensitive operations.

    Step 4: Recaptcha bypass confirmed

    Supplying a garbage value for the captcha field passed validation: the server never verified it.

    Step 5: Wildcard CORS enables browser-based theft

    The API returned Access-Control-Allow-Origin: *: any website could exfiltrate the credentials via JavaScript.

What Scanners Would Miss

Scanners find open ports and known CVEs. They don't chain a credential leak → CORS wildcard → recaptcha bypass → writable financial endpoint into a single attack path.

By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.