Infinite Money Glitch: How I Discovered a Digital Gold Mine in a Fintech App

Tes Sal
4 min readAug 7, 2024

--

Screenshot from CoFred

Greetings! I’m Tes Sal. With over seven years of experience as a Cybersecurity Specialist, Blockchain Engineer, and Bot Expert, I’ve navigated some of the most thrilling and unexpected corners of the digital world. Welcome to my fintech hack series, where I unravel fascinating tales from my cybersecurity adventures.

The Discovery

It was during my routine security audit of various platforms — a habit I’ve developed over the years. One particular day, I decided to take a closer look at CoFred’s Fintech Application. Little did I know, I was about to uncover a flaw that could have had catastrophic financial implications.

The Setup: Funding My Account

I logged into my CoFred account and initiated a card payment to fund my account with ₦10. Everything seemed normal until I decided to intercept the outgoing request to the server. Using an interception tool — let’s call it “Sniffer” — I paused the transaction after making payment, right before it left my device.

Request Sent to the Server after making payment

The Twist: Manipulating the Request

As I examined the intercepted data, I noticed the transaction amount was specified in a parameter that I could easily modify. With a mix of curiosity and cautious excitement, I changed the value from ₦10 naira to ₦3,000,000 naira and let the request proceed.

The Result: Instant Riches

Moments later, my CoFred account was credited with ₦3,000,000. I was stunned. I double-checked the account balance, and there it was — ₦3,000,000, all from a transaction that should have only added ₦10.

Account Balance After Exploit

The Gold Rush

I tested the process several times with different amounts, and each time, the server credited my account with the altered figures. It was clear: CoFred’s system was not verifying the transaction amount on the server side, relying solely on the client-side data.

Understanding the Bug

The root cause of this flaw was a lack of proper server-side validation. When handling financial transactions, it is crucial to ensure that all critical data — like transaction amounts — are verified by the server, not just the client. Relying on client-side data opens up the system to manipulation and exploitation, as I had just demonstrated.

The Fix

To address this vulnerability, developers need to implement stringent server-side validation. Here’s a simplified breakdown of what should be done:

  1. Server-Side Verification: Ensure that all transaction details, especially the amount, are validated on the server side before processing the transaction. Do not trust any data coming from the client.
  2. Transaction ID Verification: Use the transaction ID received from the payment gateway to validate how much was paid. The backend should query the payment gateway to confirm the transaction amount and use that verified amount to credit the user’s account, not the client-side amount.
  3. Logging and Monitoring: Implement thorough logging and real-time monitoring of transaction activities to detect and respond to any anomalies quickly.
  4. Rate Limiting and Alerts: Set up rate limits and alerts for unusual transaction patterns to flag potential abuse early.

The Responsible Disclosure

Recognizing the severity of this flaw, I immediately documented my findings and reached out to CoFred’s security team. I detailed the vulnerability, explained how I found it, and provided recommendations for fixing it.

Message sent to Cofred’s Team

The Aftermath

CoFred’s response was prompt and professional. They acknowledged the issue and moved quickly to patch the vulnerability.

Conclusion

This experience reinforced the importance of robust security practices in financial applications. It also highlighted the value of ethical hacking and responsible disclosure. By turning a potential disaster into a learning opportunity, we can help create a safer digital world.

So, to all the developers and security enthusiasts out there, remember: always validate on the server side, never trust client-side data, and stay vigilant. You never know what hidden flaws might be lurking, waiting to be uncovered.

#SecurityIsAnIllusion

--

--