Fintech firm pays $12,000 bounty after trailing slash flaw exposes wire transfer vulnerability
A simple character difference in an API endpoint allowed unauthenticated access to account data and fund transfers, prompting a rapid infrastructure migration to AWS REST API.
A security researcher has disclosed a critical authentication bypass vulnerability in a fintech company’s mobile API, earning a $12,000 bug bounty for the discovery. The flaw, which stemmed from a single trailing slash in an API request path, allowed unauthenticated users to access sensitive account data and initiate wire transfers. The company has since patched the issue by migrating its infrastructure from AWS HTTP API to the more stringent AWS REST API.
The vulnerability was identified while the researcher was testing the fintech’s mobile API, which was hosted on AWS HTTP API. Standard requests to the endpoint /v1/accounts returned a 401 Unauthorized error, consistent with the expected security posture. However, appending a trailing slash to the path, resulting in /v1/accounts/, returned a 200 OK status with full account data accessible. This discrepancy highlighted a fundamental misalignment in how the API Gateway handled route matching versus authentication validation.
AWS HTTP API utilises a default greedy path matching configuration. Under this logic, a request to /v1/accounts/ was treated as a valid match for the /v1/accounts route prefix. The Lambda authorizer, which validates JSON Web Tokens against Amazon Cognito, processed the original path and returned an Allow policy. However, the subsequent integration step performed a path rewrite that stripped the trailing slash. This rewrite caused the authentication context, specifically the user ID generated by the authorizer, to be dropped before the request reached the backend Lambda function.
Because the backend integration did not validate the presence of the user ID, it defaulted to a system account when the value was undefined. This oversight allowed the researcher to bypass authorisation checks entirely. The flaw extended beyond data retrieval; the same mechanism applied to the POST /v1/transfers/ endpoint. By exploiting the undefined user ID, the researcher successfully initiated a $0.01 wire transfer without a valid JWT, confirming the severity of the bypass.
The fintech company resolved the vulnerability within 24 hours of disclosure. The remediation strategy involved switching from AWS HTTP API to AWS REST API, which enforces stricter path matching rules to prevent such greedy matches. Additionally, the company implemented explicit user ID validation across all backend Lambda functions, ensuring that the absence of authentication context is treated as a failure rather than a default to system access.
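The failure mode described above, as an added example that is not the fintech's code: a minimal backend handler in the vulnerable shape (a missing user ID silently becomes a system account) beside the hardened shape that fails closed when the authorizer context is absent. The event layout follows the HTTP API payload format 2.0 convention of placing Lambda authorizer context under requestContext.authorizer.lambda; the field name "userId" and the sample accounts are assumptions.

```python
import json

# Constructed sample data (not real accounts): one ordinary user and the
# privileged "system" principal the vulnerable handler falls back to.
ACCOUNTS = {
    "user-42": [{"id": "acct-1", "balance": 1250.00}],
    "system": [{"id": "acct-ops", "balance": 9_000_000.00}],
}


def authorizer_user_id(event):
    """Return the user ID the Lambda authorizer attached, or None if absent.

    Assumption: payload format 2.0, authorizer context under
    requestContext.authorizer.lambda with a 'userId' key.
    """
    ctx = (event.get("requestContext") or {}).get("authorizer") or {}
    return (ctx.get("lambda") or {}).get("userId")


def accounts_vulnerable(event):
    # Defect the article describes: an undefined user ID defaults to "system",
    # so a request whose auth context was dropped is served as the system account.
    user_id = authorizer_user_id(event) or "system"
    return {"statusCode": 200, "body": json.dumps(ACCOUNTS.get(user_id, []))}


def accounts_hardened(event):
    # Remediation: absence of authentication context is a failure, never a default.
    user_id = authorizer_user_id(event)
    if not user_id:
        return {"statusCode": 401,
                "body": json.dumps({"error": "missing authentication context"})}
    return {"statusCode": 200, "body": json.dumps(ACCOUNTS.get(user_id, []))}


# Constructed events: one carrying authorizer context, one where the
# integration's path rewrite has stripped it.
EVENT_WITH_CTX = {
    "rawPath": "/v1/accounts",
    "requestContext": {"authorizer": {"lambda": {"userId": "user-42"}}},
}
EVENT_NO_CTX = {"rawPath": "/v1/accounts/", "requestContext": {}}
```

The same require-or-reject check belongs in every backend handler, the transfer endpoint included, since the route matcher and the authorizer cannot be relied on to agree about a path.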