Last month, while testing a “secure” fintech app, I discovered an unprotected Firebase database leaking OAuth tokens, bank account links, and transaction histories — all because of one misconfigured API endpoint. The company paid me $300 after I demonstrated how an attacker could drain thousands of accounts. Here’s the full technical breakdown, with actual cURL commands and Python scripts I used.
“If you don’t get a ‘403 Forbidden’, you’re probably onto something.”
Most API breaches happen due to:
- Missing access controls (no auth checks)
- Excessive data exposure (returning entire user objects)
- Debug endpoints left open (like /api/v1/test/admin)
Step 1: Intercepted Mobile App Traffic
- Used Burp Suite to proxy the app’s requests
- Found a call to:
GET https://fintech-app.firebaseio.com/users.json?auth=null
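As an added example (my own, not code from the original write-up), here is a small Python check over a Firebase Realtime Database database.rules.json that flags .read/.write rules granting access without an authenticated user. It contrasts the kind of rule set that leaves /users.json readable by an unauthenticated client with a corrected one; both rule documents and the is_public heuristic are constructed for this illustration, not Firebase's own evaluator.

```python
import json
from typing import List, Tuple

# Constructed weak rule set: the kind of config that leaves /users.json readable
# by anyone, including an unauthenticated client (auth=null).
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed corrected rule set: access requires a signed-in user, and each
# user may only read or write the subtree keyed by their own uid.
FIXED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")

def is_public(expr) -> bool:
    """True if a .read/.write expression grants access without an authenticated user.
    Heuristic (not Firebase's own evaluator): boolean true, the string "true", or any
    expression that never consults `auth` counts as public."""
    if expr is True:
        return True
    if isinstance(expr, str):
        s = expr.strip()
        return s == "true" or (s != "false" and "auth" not in s)
    return False

def find_public_rules(rules_doc: dict) -> List[Tuple[str, str, str]]:
    """Walk a database.rules.json document and return (path, kind, expr) for every
    .read or .write rule that is public according to is_public()."""
    findings: List[Tuple[str, str, str]] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write") and is_public(value):
                findings.append((path or "/", key, str(value)))
            elif isinstance(value, dict):  # child location or $wildcard
                walk(value, path + "/" + key)

    walk(rules_doc.get("rules", {}), "")
    return findings
```

Running find_public_rules on a project's exported rules before deploy catches the root-level public read that makes an unauthenticated GET on users.json succeed.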