Case Study

18 vulnerabilities.
3 critical.
One fintech platform.

How a full security assessment uncovered an attack chain that could have exposed 12,000+ user records and triggered regulatory penalties exceeding CHF 250,000.

18
Vulnerabilities Found
3
Critical Severity
12K+
Records at Risk
2
Weeks to Complete
Background

The client

A European fintech platform processing digital asset transactions for retail and institutional clients. The platform handled custody operations, payment processing, and regulatory reporting across multiple jurisdictions.

The client had never undergone an independent security assessment. Their internal team relied on automated scanning tools and periodic code reviews. They engaged QuantumSearch after a competitor suffered a public breach.

Industry
Fintech / Digital Assets
Engagement
Full Penetration Test
Duration
2 weeks
Scope
Web app, APIs, infrastructure
Findings

What we uncovered

The automated scanners the client relied on had found 2 low-severity issues. We found 18 — including 3 that were critical.

Critical

Cryptographic key management weakness

We discovered that the platform's key derivation process used a predictable seed value combined with insufficient entropy. An attacker with access to the API could reconstruct private keys used in custody operations.

Impact: Potential compromise of all custody operations and client assets.
Critical

Broken object-level authorization (IDOR)

The user API accepted sequential integer IDs without ownership verification. By incrementing the ID parameter, any authenticated user could access another user's transaction history, balances, and personal data.

Impact: Full access to all 12,400 user records. GDPR Article 33 notification obligation triggered.
Critical

Authentication bypass via JWT misconfiguration

The API accepted JWTs signed with the "none" algorithm. An attacker could forge authentication tokens for any user, including administrators, without knowing any credentials.

Impact: Complete authentication bypass. Full administrative access to the platform.
!

These 3 vulnerabilities were chainable. Combined, they allowed complete platform takeover: forge an admin token, access all user data, and compromise custody keys. From zero access to full compromise in under 4 minutes.

Attack Chain

From zero to full
compromise in 4 minutes

$ qsearch exploit --chain "jwt-bypass > idor > key-extract" [*] Step 1: Forge admin JWT (alg: none) Token forged. Admin session established. [00:00:12] [*] Step 2: Enumerate users via IDOR 12,418 user records extracted. [00:01:45] PII exposed: names, emails, balances, KYC docs. [*] Step 3: Access key management API Key derivation seed extracted. [00:02:58] Reconstructing private keys... 4 custody keys reconstructed. [00:03:41] [+] CHAIN COMPLETE [00:03:41] Access level: Full platform compromise Data exposed: 12,418 records + custody keys Estimated impact: CHF 250,000+ regulatory CHF 180,000+ operational Unquantifiable reputational [+] 3 PoC exploits generated. Report attached.
Outcome

Remediation and result

We delivered our findings within 48 hours of discovery. The 3 critical vulnerabilities were patched within 5 business days. The remaining 15 findings were addressed over the following 3 weeks.

Our remediation report included specific code-level fixes, architectural recommendations, and Sigma detection rules for ongoing monitoring. We conducted a full verification retest 30 days after remediation to confirm all issues were resolved.

Critical findings
Patched in 5 days
All findings
Resolved in 30 days
Verification retest
100% confirmed fixed
Client status
Ongoing subscription

Every organization has
vulnerabilities like these.

The automated tools this client relied on found 2 issues. We found 18. Start with a free assessment — see what we'd find in yours.

Get Your Free Assessment → Watch Live Demo