
Public Executive Dashboard Exposes Reserves, Business Metrics, and User Data

Reported Feb 21, 2026
Severity Critical
Platform Web
Vulnerability Class Broken Access Control (CWE-284)
Target Type P2P Trading Platform
Impact ~$30M reserves and live business metrics exposed

The Risk

A boardroom-style internal dashboard, normally only seen by company executives, was openly readable on the internet by anyone who knew the URL. It revealed the company's real-time crypto holdings of around thirty million dollars, every operational metric the leadership team tracks, and personal details of top customers. There was no login, no token, and no protection at all on that one page, while every neighbouring page on the same dashboard properly required a login. This is the level of detail a competitor or extortionist would pay for.

The Vulnerability

An aggregation endpoint that served the company's executive dashboard returned HTTP 200 to fully unauthenticated requests. Sibling endpoints under the same route group correctly returned HTTP 401 when called without credentials, which confirmed that the missing protection on this single endpoint was an authentication middleware gap rather than an intended public surface.

The response was a single large JSON document combining financial state, operational telemetry, and user-related fields, regenerated on a roughly thirty-minute cycle.

The Attack

No exploitation was needed beyond a clean HTTP request without cookies or tokens.

curl -i 'https://[redacted-host]/internal/dashboard'

The response included a dt_produced_next timestamp. Re-requesting after that timestamp returned an updated dataset, confirming this was live production data and not a cached export.

Confirming the Sibling Endpoints Were Protected

# No -b/-H options: nothing but a bare GET is sent. Print the path and the status code only.
for p in stats users volume reserves disputes history metrics; do
  printf '%s -> ' "$p"
  curl -s -o /dev/null -w '%{http_code}\n' \
    "https://[redacted-host]/rest/v3/internal-dashboard/$p"
done

Every sibling returned 401. Only the data endpoint returned 200. That contrast is what made this a route-protection bug rather than an intended public feed.

The Impact

  • Cryptocurrency reserves across multiple assets totalling approximately thirty million US dollars
  • Marketplace and wallet financial metrics including daily volumes, deposits, sendouts, and liquidity
  • User growth and funnel metrics including registrations, visitor counts, and conversion trends
  • KYC and enforcement metrics including approval counts, hold durations, and freeze rates
  • Dispute operations data including queue sizes, wait times, and resolution ratios
  • Top referrers list with usernames, internal user identifiers, country codes, avatar URLs, and earnings

Beyond the obvious privacy and competitive-intelligence concerns, exposing platform reserves at this granularity raises the risk of targeted attack and extortion. Operational metrics such as dispute queue depth and KYC processing times can also be used to time scams against customers, for example by striking when the dispute queue is longest.

Remediation

  • Require authentication and admin- or executive-level authorization on the data endpoint, matching its sibling endpoints.
  • Audit middleware coverage across the entire dashboard route group to ensure no other endpoints have the same gap.
  • Apply least privilege to the dataset itself. Split it by role so that only operators who need user-level fields receive them.
  • Add monitoring and alerting on access to this endpoint from unauthenticated or unexpected sources.
  • Add automated tests that hit every endpoint in this route group without credentials and assert a 401 response.
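The last two remediation items, the route-group audit and the credential-free regression test, can be one script. The following is an added example written for this page, not tooling from the report or the platform: it sends a bare GET (no cookies, no Authorization header) to every endpoint in the route group and flags any that does not answer 401 or 403. The `data` endpoint name is an assumption, since the report redacts the real path, and the `_LeakyDashboard` mock is a constructed stand-in for the vulnerable service so the script runs offline; point `base_url` at a real host to use it in CI.

```python
"""Unauthenticated route-group audit (added example, not the report's own code)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Route group named in the report. "data" is an ASSUMED name for the
# aggregation endpoint; its real path is redacted in the write-up.
ROUTE_GROUP = "/rest/v3/internal-dashboard"
ENDPOINTS = ["data", "stats", "users", "volume", "reserves",
             "disputes", "history", "metrics"]
REJECTED = {401, 403}  # either is an acceptable answer to an anonymous caller


def probe(base_url, path, timeout=5):
    """Return the HTTP status for a credential-free GET of base_url + path."""
    req = urllib.request.Request(base_url + path, method="GET")  # no cookies, no token
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 4xx/5xx is the answer we want, not a failure


def audit_route_group(base_url, group=ROUTE_GROUP, endpoints=ENDPOINTS):
    """Map every endpoint in the group to its unauthenticated status code."""
    return {f"{group}/{p}": probe(base_url, f"{group}/{p}") for p in endpoints}


def unprotected(results):
    """Paths whose anonymous status is not a 401/403 rejection."""
    return sorted(path for path, code in results.items() if code not in REJECTED)


# ---- constructed mock of the vulnerable service (not the real platform) ----
class _LeakyDashboard(BaseHTTPRequestHandler):
    """Siblings demand credentials; the aggregation endpoint answers anyone."""

    def do_GET(self):
        if self.path == f"{ROUTE_GROUP}/data":
            body = b'{"reserves_usd": 30000000}'  # constructed sample payload
            self.send_response(200)
        else:
            body = b'{"error": "unauthorized"}'
            self.send_response(401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo output quiet
        pass


def start_mock():
    """Start the mock on an ephemeral loopback port; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _LeakyDashboard)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def demo():
    """Audit the mock and return the endpoints that leak to anonymous callers."""
    base_url, server = start_mock()
    try:
        return unprotected(audit_route_group(base_url))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path in demo():
        print(f"FAIL {path}: anonymous request was not rejected")
```

Run against the mock, the audit reports only `/rest/v3/internal-dashboard/data`, which is exactly the contrast described above. Note that `urlopen` follows redirects, so an endpoint that bounces anonymous callers to a login page will surface as a 200 and be flagged; that is deliberate, since a redirect-to-login is a UI convenience, not a JSON API's access control, and it is better to review such a hit by hand than to whitelist it.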