Macksofy Technologies
Fintech · Penetration Testing
India · Enterprise · 2025

Chained BOLA + JWT alg=none in a listed fintech — full PII access surfaced and remediated before the next regulator filing

A BSE-listed digital lending platform asked Macksofy for a full-scope pentest ahead of a SEBI CSCRF audit. Within four days the team chained an authorization-bypass with a forged JWT to reach every customer's KYC and balance — fixed pre-filing.

BFSI · Fintech · Mumbai · BOLA · JWT · AWS · SEBI CSCRF
Engagement summary

Client: Listed Indian Fintech
Sector: Fintech
Region: India
Engagement: Penetration Testing
Year: 2025
Duration: 12 working days

5 Critical findings (all closed pre-filing)
9d Time to remediation
₹14L Audit-rework saved
0 Follow-up audit observations
The challenge

What the client was up against.

A regulator clock and a sprawling estate

The client's product-engineering team had shipped four major web releases and two new public APIs in six months. With a SEBI Cyber Security & Cyber Resilience Framework (CSCRF) audit window opening in eight weeks, security needed an independent, manual pentest that mirrored what a real attacker would attempt — not a tool-only scan that would miss authorization logic.

Custom auth, custom risk

Authentication was a home-grown JWT layer wrapped around a third-party identity provider. Authorization checks lived inside individual GraphQL resolvers and REST controllers — exactly the surface where logic flaws hide and where automated scanners fail.

Approach

How we ran the engagement, phase by phase.

Phase 01 · Threat-model the money flow

  • Mapped customer-money paths: onboarding → KYC → loan disbursal → repayment
  • Identified six tenant-isolation boundaries and three privilege tiers
  • Aligned scope to SEBI CSCRF + RBI Master Direction expectations

Phase 02 · Manual API + Web exploration

  • Captured 1,200+ endpoints across REST and GraphQL via authenticated proxying
  • Audited every authorization decision against the customer-id boundary
  • Targeted JWT validation, refresh-token replay, and signature-stripping scenarios

Phase 03 · Cloud + IAM review

  • AWS account walk: IAM, S3 bucket policies, KMS key grants
  • Lambda + ECS task-role permissions reviewed for blast-radius
  • VPC + security-group exposure mapped against the public surface

Phase 04 · Chain construction

  • Validated each finding's exploit path end-to-end against staging
  • Built a single chained PoC demonstrating worst-case impact
  • Confirmed the chain would have worked against production with read-only PoC

Phase 05 · Fix-mode handoff

  • Same-day Slack channel for engineers; live retest of every fix
  • CERT-In-format final report aligned to SEBI CSCRF control IDs
  • Free 30-day retest window to confirm closure of all critical findings

Findings

What we surfaced — severity, title, real-world impact.

Critical

BOLA on /api/v3/customers/{id}

Any authenticated customer could substitute another customer's id and read full KYC, PAN, Aadhaar masked digits, account balance and active loan ledger.

Critical

JWT alg=none accepted by the auth gateway

A forged token with header alg=none + arbitrary customer-id passed validation in two of seven services — combined with the BOLA, every customer record was reachable without credentials.

High

Refresh-token replay window of 14 days

Revoked refresh tokens remained valid for the cache TTL — long-window session hijack feasible after a single credential leak.

High

S3 KYC bucket: public-read on three legacy prefixes

Around 18,400 KYC documents (driving licence, PAN, address proof) were directly listable from the open internet via the bucket's REST endpoint.
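The public-read finding above comes down to bucket-policy statements that grant read to an anonymous principal on specific prefixes. The following is an added example, not Macksofy's tooling or the client's policy: a small offline auditor that reads a bucket policy document and reports every Allow statement whose principal is anonymous and whose actions include object reads or bucket listing. The bucket name, prefixes, account id and VPC endpoint id in the sample policy are constructed for the example; only the shape of the finding (legacy prefixes world-readable, a wildcard ListBucket) mirrors the page.

```python
"""Added example (not the client's or Macksofy's code): flag S3 bucket-policy
statements that let anyone read objects or list the bucket."""
import fnmatch
import json

# Constructed sample policy modelled on the finding: legacy prefixes world-readable,
# a wildcard ListBucket, one legitimate role grant and one VPC-endpoint-conditioned grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LegacyPublic", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-kyc-bucket/legacy-2019/*",
                      "arn:aws:s3:::example-kyc-bucket/legacy-2020/*",
                      "arn:aws:s3:::example-kyc-bucket/migration-tmp/*"]},
        {"Sid": "ListAll", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-kyc-bucket"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/lending-app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-kyc-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-kyc-bucket/reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Actions that expose data to a reader; patterns in the policy are matched against these.
READ_TARGETS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (any form that means 'everyone')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions) -> bool:
    """True if any action pattern (e.g. s3:Get*, s3:*, *) covers a read target."""
    for pattern in actions:
        pattern = pattern.lower()
        if any(fnmatch.fnmatchcase(t, pattern) for t in READ_TARGETS):
            return True
    return False


def public_read_grants(policy_json: str) -> list:
    """Return (Sid, resource, kind) triples for anonymous read grants.

    kind is "public" when the statement has no Condition, and "conditional" when
    it has one: a condition such as aws:SourceVpce may restrict callers, but it
    still deserves a human look rather than being silently accepted.
    """
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(_as_list(stmt.get("Action", []))):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        for res in _as_list(stmt.get("Resource", [])):
            findings.append((stmt.get("Sid", "<no-sid>"), res, kind))
    return findings


if __name__ == "__main__":
    for sid, res, kind in public_read_grants(SAMPLE_POLICY):
        print(f"{kind:12s} {sid:14s} {res}")
```

On the sample policy the auditor reports the three legacy prefixes and the wildcard ListBucket as public, the VPC-endpoint grant as conditional, and says nothing about the role-scoped grant. In practice the same check belongs next to S3 Block Public Access settings and the bucket ACL, since a policy is only one of the three places a bucket can become readable.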

Medium

Verbose error surface in the lending GraphQL API

Stack traces leaked internal service names, JVM versions and DB schema hints — useful reconnaissance for any follow-up attacker.

Outcome

What changed for the client.

All critical findings closed in nine working days

Engineering rolled out a hard-fail on alg=none, switched the BOLA-prone resolvers to ownership-anchored authorization, and revoked all legacy S3 prefixes within the same sprint. Macksofy retested every fix live and signed off in writing.
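The two critical findings and their fixes (hard-fail on alg=none; ownership-anchored authorization on the customer resolver) can be shown in one small piece of code. The following is an added example and not the client's gateway or Macksofy's PoC: a stdlib-only HS256 verifier whose algorithm allowlist rejects "none" before any signature check, a revocation-list lookup so a revoked token fails immediately rather than after a cache TTL, and a handler for /api/v3/customers/{id} that decides access from the verified token subject rather than from the id in the path. The signing key, customer records, role name, jti values and timestamps are all constructed for the example.

```python
"""Added example (not the client's or Macksofy's code): a JWT verifier that
hard-fails on alg=none plus an ownership-anchored customer lookup."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-hs256-key"   # constructed; a real gateway loads this from a secrets manager
ALLOWED_ALGS = {"HS256"}                      # explicit allowlist: "none" can never pass
REVOKED_JTIS = {"jti-revoked-001"}            # constructed revocation list (e.g. a shared cache)

# Constructed customer records keyed by customer id.
CUSTOMERS = {
    "c-1001": {"name": "Asha", "balance": 1500, "kyc": "verified"},
    "c-1002": {"name": "Ravi", "balance": 420, "kyc": "pending"},
}


class AuthError(Exception):
    """Raised for any authentication or authorization failure."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Build a token; alg="none" is supported only so the test can construct a forged one."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + \
        _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."          # unsigned token: empty signature segment
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims of a valid token, or raise AuthError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # The algorithm must be on the allowlist. "none" in any casing, and anything
    # unknown, is rejected here before a signature is even looked at.
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise AuthError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    # Revocation is checked on every use, so a revoked token fails at once.
    if claims.get("jti") in REVOKED_JTIS:
        raise AuthError("token revoked")
    return claims


def get_customer(token: str, requested_id: str, now=None) -> dict:
    """Handler for GET /api/v3/customers/{id}.

    The authorization decision is anchored on the verified subject: the id in
    the path is only ever compared against it, never trusted on its own.
    A constructed 'support' role is the one cross-customer exception.
    """
    claims = verify_token(token, now)
    subject = claims["sub"]
    roles = set(claims.get("roles", []))
    if requested_id != subject and "support" not in roles:
        raise AuthError("forbidden: not the owner of this record")
    record = CUSTOMERS.get(requested_id)
    if record is None:
        raise LookupError("customer not found")
    return record


def demo() -> dict:
    """Exercise the three paths: own record, forged alg=none token, another customer's id."""
    now = 1_700_000_000
    good = mint_token({"sub": "c-1001", "exp": now + 600, "jti": "jti-ok"})
    forged = mint_token({"sub": "c-1002", "exp": now + 600}, alg="none")
    results = {"own_record": get_customer(good, "c-1001", now)["name"]}
    for label, tok, cid in (("forged_alg_none", forged, "c-1002"),
                            ("other_customer", good, "c-1002")):
        try:
            get_customer(tok, cid, now)
            results[label] = "allowed"
        except AuthError as err:
            results[label] = "denied: " + str(err)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ordering matters: the allowlist check comes first so an unsigned token is refused on the header alone, and the ownership comparison uses the subject the verifier returned rather than re-reading the unverified payload. Rolling the same verifier into every service avoids the situation on the page where two of seven services accepted what the others rejected.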

Used as evidence in the SEBI CSCRF filing

Our CERT-In-format report, mapped to SEBI CSCRF control IDs, was accepted by the client's external CSCRF auditor without rework — saving the client an estimated ₹14L of additional audit-cycle effort and a six-week delay.

Annual retainer engaged

The client moved to a four-engagement annual retainer covering the lending app, internal API, employee-facing console and quarterly cloud reviews.

"Macksofy's pentest landed before our CSCRF auditor even arrived. The chained PoC video they recorded was unambiguous — engineering had no debate, just a fix list. We're on a four-engagement retainer now."

Head of Information Security · Listed Indian Fintech

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements