// case studies

Real findings. Real impact.

A sample of the kind of issues we surface in real engagements. Every case below is fully anonymized — no client name, domain, or sensitive detail is disclosed. Sanitized full reports are shared on request under NDA.

Critical · E-commerce platform · US

IDOR exposing every customer's order data

A single authenticated user could request any other user's order ID and receive the full order — PII, shipping address and payment metadata.

Impact

  • Full PII exposure across user base
  • Regulatory exposure (GDPR / CCPA)
  • Trivial to exploit — no chained flaw needed
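
The vulnerable lookup beside the scoped one, plus the probe a tester runs to confirm the issue, as an added example over a constructed in-memory SQLite table (this is illustrative code, not the client's platform):

```python
"""IDOR on an order endpoint: vulnerable lookup, scoped lookup, and the probe
used to confirm the issue. Added example over a constructed SQLite table."""
import sqlite3


def build_db():
    """Constructed sample orders standing in for the platform's table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, "
               "address TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1001, "alice", "1 Elm St", "4242"),
        (1002, "bob", "9 Oak Ave", "1881"),
        (1003, "carol", "4 Pine Rd", "0005"),
    ])
    return db


def get_order_vulnerable(db, session_user, order_id):
    """Authentication happened upstream, but the query never uses it:
    any valid id returns someone's order."""
    return db.execute(
        "SELECT id, owner, address, card_last4 FROM orders WHERE id = ?",
        (order_id,)).fetchone()


def get_order_hardened(db, session_user, order_id):
    """Ownership is part of the query itself, so a non-owned id and a
    non-existent id both come back as None (same 404, no oracle)."""
    return db.execute(
        "SELECT id, owner, address, card_last4 FROM orders "
        "WHERE id = ? AND owner = ?",
        (order_id, session_user)).fetchone()


def probe_idor(db, handler, session_user, id_range):
    """Walk a range of ids as one user and return the ids of every order
    that came back belonging to someone else."""
    leaked = []
    for order_id in id_range:
        row = handler(db, session_user, order_id)
        if row is not None and row[1] != session_user:
            leaked.append(order_id)
    return leaked


if __name__ == "__main__":
    db = build_db()
    print(probe_idor(db, get_order_vulnerable, "alice", range(1000, 1010)))
    print(probe_idor(db, get_order_hardened, "alice", range(1000, 1010)))
```

The fix is the `AND owner = ?` clause, not a check bolted on after the row is fetched: scoping the query means the endpoint cannot even distinguish "not yours" from "does not exist", which removes the enumeration oracle as well as the data leak. Sequential integer ids make the probe trivial, which is why this class of finding needs no chained flaw.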

High · Payment processor · EU

JWT algorithm confusion in fintech API

The API let the token's own alg header choose the verification algorithm. A token marked HS256 was checked with HMAC using the RS256 public key as the secret, so anyone holding that public key could mint valid admin tokens.

Impact

  • Full administrative API access
  • Bypass of MFA and IP allowlists
  • Found only by manually testing the JWT verification path
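
The confusion described above, as an added example that is not the client's API code. Textbook RSA over two known Mersenne primes stands in for RS256 so the block runs on a bare Python install; that substitution is an assumption for demonstration only and is not a secure signature scheme. The dispatch bug it shows is independent of how the RSA half is implemented:

```python
"""JWT alg confusion (RS256 -> HS256) in miniature.

Added example, not the engagement's code. Textbook RSA over two Mersenne
primes stands in for RS256 (assumption: demo only, not secure) so the block
needs nothing beyond the standard library."""
import base64
import hashlib
import hmac
import json

# --- toy RSA standing in for RS256 ---
P, Q = 2**61 - 1, 2**89 - 1          # both Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# The server publishes its verification key; this PEM-shaped string is
# exactly the material an attacker can fetch (e.g. from a JWKS endpoint).
PUBLIC_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                  + b64u(json.dumps({"n": N, "e": E}).encode())
                  + "\n-----END PUBLIC KEY-----\n")


def _parse_pub(pem):
    body = pem.strip().splitlines()[1]
    k = json.loads(b64u_decode(body))
    return k["n"], k["e"]


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(signing_input):
    return pow(_digest_int(signing_input, N), D, N).to_bytes(SIG_LEN, "big")


def rsa_verify(pem, signing_input, sig):
    n, e = _parse_pub(pem)
    if len(sig) != SIG_LEN:
        return False
    return pow(int.from_bytes(sig, "big"), e, n) == _digest_int(signing_input, n)


def issue_rs256(payload):
    """What the legitimate issuer does: sign with the private exponent."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(payload).encode())
    signing_input = f"{head}.{body}".encode()
    return f"{head}.{body}.{b64u(rsa_sign(signing_input))}"


def forge_hs256(pem, payload):
    """What the attacker does: relabel as HS256 and HMAC with the public key."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(payload).encode())
    signing_input = f"{head}.{body}".encode()
    mac = hmac.new(pem.encode(), signing_input, hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"


def _split(token):
    head, body, sig = token.split(".")
    return (json.loads(b64u_decode(head)), json.loads(b64u_decode(body)),
            f"{head}.{body}".encode(), b64u_decode(sig))


def verify_vulnerable(token, key):
    """Bug: the algorithm comes from the attacker-controlled header, and the
    same `key` argument is handed to whichever primitive that header names."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") == "RS256":
        ok = rsa_verify(key, signing_input, sig)
    elif header.get("alg") == "HS256":
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    else:
        ok = False
    return payload if ok else None


def verify_hardened(token, pem, allowed=("RS256",)):
    """Fix: pin the algorithm server-side before touching the signature, and
    never let asymmetric key material reach an HMAC routine."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") not in allowed:
        return None
    return payload if rsa_verify(pem, signing_input, sig) else None


if __name__ == "__main__":
    legit = issue_rs256({"sub": "user-17", "role": "customer"})
    forged = forge_hs256(PUBLIC_KEY_PEM, {"sub": "attacker", "role": "admin"})
    print("vulnerable/forged:", verify_vulnerable(forged, PUBLIC_KEY_PEM))
    print("hardened/forged  :", verify_hardened(forged, PUBLIC_KEY_PEM))
```

The same hardened shape also rejects `alg: none`, since that header value is not in the allow-list. With a real library the equivalent is passing an explicit `algorithms=["RS256"]` (or the library's equivalent) to the verify call and loading the key as an RSA public key type, so that an HMAC code path can never receive it.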

High · Mobile SaaS · US

Hardcoded AWS keys in Android APK

Decompiling the production APK revealed long-lived AWS access keys with S3 write permissions on the customer-uploads bucket.

Impact

  • Bucket-wide read / write / delete
  • Brand impersonation risk
  • Recommended rotation + IAM scope reduction
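
How a tester finds keys like these in decompiler output, as an added example over constructed smali-style lines (not the client's app or the engagement's tooling). The key values are the example pair from AWS's own documentation, and the "only flag a 40-character run near an access key id" rule is a heuristic chosen here, not an AWS specification:

```python
"""Scan strings from a decompiled APK for embedded AWS credentials.
Added example over constructed smali-style lines; not the client's app or
the engagement's tooling. Key values are AWS's documented example pair."""
import re

# Access key ids: AKIA = long-lived IAM user key, ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(
    r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")
# Secret keys are 40 chars of base64-style text with no distinctive prefix,
# so only runs within a few lines of an access key id are reported
# (heuristic, an assumption of this example).
SECRET_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

# Constructed sample of what a decompiled class can look like; the key
# material is the example pair from AWS's documentation.
SAMPLE_STRINGS = """\
.class public final Lcom/example/upload/S3Config;
.field private static final BUCKET:Ljava/lang/String; = "customer-uploads"
.field private static final REGION:Ljava/lang/String; = "us-east-1"
const-string v0, "AKIAIOSFODNN7EXAMPLE"
const-string v1, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
const-string v2, "https://customer-uploads.s3.amazonaws.com/"
.method public static refreshSessionToken()V
.locals 3
const-string v0, "sts.amazonaws.com"
const-string v1, "ASIAIOSFODNN7EXAMPLE"
""".splitlines()


def mask(secret):
    """Never copy a full secret into a report or a log line."""
    return secret[:4] + "..." + secret[-4:]


def scan_for_aws_keys(lines, window=3):
    """Return one finding per access key id, with any secret-shaped runs
    found within `window` lines of it, and whether the key is long-lived."""
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            secrets = [(j + 1, mask(s.group(0)))
                       for j in range(lo, hi)
                       for s in SECRET_RE.finditer(lines[j])]
            findings.append({
                "line": i + 1,
                "access_key_id": key,
                "long_lived": key.startswith("AKIA"),
                "secret_candidates": secrets,
            })
    return findings


if __name__ == "__main__":
    for f in scan_for_aws_keys(SAMPLE_STRINGS):
        print(f)
```

In practice the input is the smali tree from `apktool d` or the output of `strings` over the APK's dex and native libraries. The `long_lived` flag is what drives triage: an ASIA key is useless without its session token and expires on its own, while an AKIA key works until someone rotates it. Remediation is rotation plus removing the key from the app entirely, replacing it with short-lived credentials vended per user and an IAM policy scoped to the single action and prefix the upload path needs rather than bucket-wide access.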

Want a sample full report?

We share a sanitized Stage 1 report during scoping calls.

Request sample