Project

General

Profile

Actions
Copy link

SQA #3372

open

[SQA] Testing on API Critical Security Vulnerabilities Identified - OTP Abuse, Account Takeover, and Data Exposure

Added by Aman Bhuiyan 6 months ago. Updated 6 months ago.

Status:
Complete
Priority:
High
Assignee:
Aman Bhuiyan
Target version:
Revamp.v1.1: sprint 04
Start date:
10/06/2025
Due date:
% Done:

100%

Estimated time:
15:00 h
Spent time:
5:00 h

Description

Summary

  • OTP API Abuse: Missing rate limit allows for denial of service and account enumeration.
  • Account Takeover: The password change endpoint vulnerable to unauthorized password resets.
  • Data Exposure: Sensitive user data (personal, financial) exposed via account history endpoint.
  • Severity: All vulnerabilities are classified as critical, requiring immediate attention.

Pentest

Actions
Copy link
 #1

Updated by Aman Bhuiyan 6 months ago

  • % Done changed from 0 to 30
  • Estimated time set to 15:00 h
Actions
Copy link
 #2

Updated by Tasfia Zaima 6 months ago

  • Status changed from Pending to Complete
  • % Done changed from 30 to 100
Actions
Copy link

Also available in: Atom PDF