An IDOR that could have led to stealing money from a Fintech company

About the company:

Lobster, whose shortcode is “LS”, is a fintech company in Nigeria that provides banking solutions to Nigerians. Some of its core operations include sending and receiving money, paying utility bills such as “Nepa” bills and cable TV, saving, and much more, all without having to go to a bank.

Testing Process:

After logging into my Lobster account and funding it, I navigated to the send-money functionality, entered the amount I wanted to send, and entered the recipient's Lobster account number.

Exploitation:

With all this information in hand, I decided to first test the lowest-value functionality that could lead to loss of money, which was the functionality to buy airtime, by changing the sender ID to a victim's ID to see whether I would be able to steal money from the victim's account.
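As an added example that is not code from the original post or from the Lobster app: the root cause described above, a purchase endpoint that debits whatever sender ID the client supplies, shown beside the fix that takes the account to debit from the authenticated session instead. The account IDs, balances and request shape are constructed assumptions.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a request refers to an account the caller does not own."""


@dataclass
class Account:
    account_id: str
    balance: int  # kobo; constructed sample values, not real data


def make_accounts() -> dict:
    """Constructed in-memory account store standing in for the bank's database."""
    return {
        "LS-1001": Account("LS-1001", 50_000),  # the logged-in tester's own account
        "LS-2002": Account("LS-2002", 80_000),  # the victim's account
    }


def _debit(account: Account, amount: int) -> int:
    """Shared balance check and debit; returns the new balance."""
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    if account.balance < amount:
        raise ValueError("insufficient funds")
    account.balance -= amount
    return account.balance


def buy_airtime_vulnerable(accounts: dict, session_account_id: str, body: dict) -> int:
    """IDOR: the account to debit comes from the client-controlled body.
    session_account_id is never consulted, so any logged-in user can spend
    from any account whose ID appears in the request."""
    return _debit(accounts[body["sender_id"]], body["amount"])


def buy_airtime_fixed(accounts: dict, session_account_id: str, body: dict) -> int:
    """Fix: the debited account is the one bound to the authenticated session.
    A sender_id in the body is tolerated only when it matches the session;
    a mismatch is rejected, and is worth logging as a tampering signal."""
    claimed = body.get("sender_id", session_account_id)
    if claimed != session_account_id:
        raise AuthorizationError(
            f"session {session_account_id} tried to debit {claimed}")
    return _debit(accounts[session_account_id], body["amount"])
```

The key change is that the server-side object reference (which account pays) is derived from who is authenticated, not from a field the client can edit.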
