- Severity
- High · CVSS 8.6
- Target
- Global E-Commerce Conglomerate
- Date
- 2026-03
- Category
- Configuration Disclosure / Credential Exposure
Unauthenticated Commerce Platform API: Payment Credentials & Multi-Brand Infrastructure
A commerce platform API exposed sensitive configuration data, payment gateway credentials, and internal infrastructure details without authentication. A single request returned hundreds of configuration keys including payment processor API keys, internal hostnames for multiple subsidiary brands, and development environment details.
Attack Chain
Step 1: Configuration endpoint accessible without auth
Hundreds of configuration keys returned to an anonymous request: no token, API key, or session required.
Step 2: Payment gateway credentials exposed
Production payment API keys for multiple providers found in the configuration response.
Step 3: Internal hostnames for multiple subsidiary brands
Platform tenant ID and internal hostnames revealed the complete e-commerce infrastructure of the parent conglomerate.
Step 4: Development environment leaking in production
Dev configuration exposed localhost URLs and weaker business logic controls.
What Scanners Would Miss
API scanners probe known endpoints. They don't understand that a commerce platform configuration response can contain the keys to an entire conglomerate's e-commerce infrastructure.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.