HackerOne Disclosed Reports - 2025-03-02


High
resolved

Broken Access Control leads to disclosure of transaction history via /v2/rechargeTransactionHistory endpoint


Bug reported by Hafiz Abdulaziz was disclosed on March 2, 2025, 2:56 pm

The /v2/rechargeTransactionHistory endpoint in the MyMTN NG mobile app was vulnerable to unauthorized access, allowing an attacker to retrieve transaction details of other users, including recharge dates, amounts before and after the transaction, and transaction IDs.


Critical
resolved

Admin Dashboard Access Leads to Updating Merchant Info


Bug reported by Clement 'Tino was disclosed on March 2, 2025, 1:53 pm | Improper Access Control - Generic

The hidden registration endpoint allowed an unauthorized user to sign up for the admin portal, granting access to the registered merchant information. The administrative functionalities permitted the modification of merchant financial account details and the disabling and deletion of client accounts.

