Scene: Romance + Series A
A shiny new dating app startup raised a multi-million-dollar Series A and started trending. Love was in the air. So was their admin panel.
Recon Mode: On
Initial reconnaissance against the company’s primary domain did not reveal any exposed administrative interfaces or sensitive endpoints.
Expanding the Attack Surface
At this point, the focus shifted to the organization’s mobile application. Client-side inspection of the mobile app revealed an additional backend domain that was not publicly documented or referenced in the main web application.
Subdomain enumeration against this newly identified domain exposed an internal-facing environment hosting an authentication and administration interface. This environment was not protected by network-level restrictions and was accessible directly from the public internet.
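The first half of that pivot, pulling backend hostnames out of a mobile app and separating the in-scope ones from third-party services, is mechanical enough to script. The following is an added example written for this page, not the author's tooling: it runs a URL regex over a constructed sample of strings (the kind recovered by running `strings` or a decompiler over an app bundle), de-duplicates the hosts, and reports which in-scope hosts the public web app never referenced. The hostnames, the `start.up` target domain and the `KNOWN_WEB_HOSTS` set are placeholders chosen for the example; subdomain enumeration of the new hosts would be the next step and is not part of this block.

```python
import re

# Constructed sample of strings recovered from a decompiled mobile app bundle
# (e.g. `strings` over the APK's dex/resources, or the app's config files).
# Every hostname here is a placeholder chosen for this example.
SAMPLE_APP_STRINGS = """
https://api.start.up/v1/matches
https://cdn.start.up/assets/logo.png
BASE_URL=https://prod-internal-env.start.up/app
wss://chat.start.up/socket
https://www.google.com/recaptcha/api.js
http://localhost:8080/debug
sentry_dsn=https://abc123@o1.ingest.sentry.io/42
"""

# Hosts already referenced by the public web app (constructed); anything in scope
# that is not in this set is a new lead worth enumerating.
KNOWN_WEB_HOSTS = {"api.start.up", "cdn.start.up"}

# scheme://[userinfo@]host[:port]/... ; the host is group 1, so credentials
# embedded in DSN-style URLs are skipped rather than mistaken for a hostname.
HOST_RE = re.compile(r"(?i)\b(?:https?|wss?)://(?:[^@/\s]+@)?([a-z0-9.-]+)")


def extract_hosts(text):
    """Return the sorted, de-duplicated hostnames found in URLs in text."""
    return sorted({m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(text)})


def in_scope(host, target_domain):
    """True if host is target_domain itself or a subdomain of it."""
    return host == target_domain or host.endswith("." + target_domain)


def triage_hosts(hosts, target_domain, known_hosts):
    """Split hosts into in-scope, newly discovered in-scope, and everything else."""
    target = target_domain.lower()
    scoped = [h for h in hosts if in_scope(h, target)]
    return {
        "in_scope": scoped,
        "new": [h for h in scoped if h not in known_hosts],
        "other": [h for h in hosts if not in_scope(h, target)],
    }


if __name__ == "__main__":
    result = triage_hosts(extract_hosts(SAMPLE_APP_STRINGS), "start.up", KNOWN_WEB_HOSTS)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On the constructed sample the "new" bucket is exactly the chat host and the internal environment host; in a real engagement, feed that bucket to your subdomain enumeration and port scanning rather than the whole list, since the "other" bucket is third-party infrastructure you are not authorised to test.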
Subdomain found: prod-internal-env.start.up
Redirects to: /app/login
Intercepted the login request:
POST /auth/sign_in
Changed it to:
POST /auth/sign_up
{
"email": "[email protected]",
"password": "Test12344",
"role": "admin"
}
Response: 200 OK. The internal panel's sign-up endpoint accepted self-registration and stored the client-supplied role field as-is (mass assignment), so the account was created with the role I asked for.
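Two independent mistakes are visible in that exchange: an internal panel that allows self-registration at all, and a sign-up handler that binds every key of the request body onto the user record. The block below is an added example, not the startup's code, that puts a minimal "before" handler beside a hardened one in plain Python (no web framework, so it runs offline). The payload reuses the password from the post with a placeholder address; the function names, status codes and `self_registration` flag are this example's own choices.

```python
import hashlib
import re
import secrets

# Only these keys may come from the client on sign-up; "role" is deliberately absent.
ALLOWED_SIGNUP_FIELDS = {"email", "password"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed payload mirroring the write-up: a sign-up body carrying a role field.
# The address is a placeholder; the password is the one shown in the post.
ATTACK_PAYLOAD = {"email": "attacker@example.com", "password": "Test12344", "role": "admin"}


def hash_password(password):
    """Salted PBKDF2 (stdlib only); a production service would use argon2id or bcrypt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def vulnerable_sign_up(payload, users):
    """Before: every JSON key is bound onto the new user record (mass assignment),
    so a client-supplied "role" silently overrides the intended default."""
    user = {"role": "user"}
    user.update(payload)
    user["password"] = hash_password(user["password"])
    users[user["email"]] = user
    return 200, {"email": user["email"], "role": user["role"]}


def hardened_sign_up(payload, users, self_registration=False):
    """After: no self-registration unless explicitly enabled (an internal panel
    leaves it off), an allow-list of request fields, basic validation, and a role
    that only the server assigns."""
    if not self_registration:
        return 404, {"error": "not found"}
    unexpected = sorted(set(payload) - ALLOWED_SIGNUP_FIELDS)
    if unexpected:
        return 400, {"error": "unexpected fields", "fields": unexpected}
    email, password = payload.get("email"), payload.get("password")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        return 400, {"error": "invalid email"}
    if not isinstance(password, str) or len(password) < 12:
        return 400, {"error": "password must be at least 12 characters"}
    if email in users:
        return 409, {"error": "account exists"}
    users[email] = {"email": email, "password": hash_password(password), "role": "user"}
    return 201, {"email": email, "role": "user"}


if __name__ == "__main__":
    print("before:", vulnerable_sign_up(dict(ATTACK_PAYLOAD), {}))
    print("after, internal panel:", hardened_sign_up(dict(ATTACK_PAYLOAD), {}))
    print("after, public app:", hardened_sign_up(dict(ATTACK_PAYLOAD), {}, self_registration=True))
```

The allow-list is the part that matters most: rejecting unknown keys outright (rather than silently dropping them) also gives you a log line every time someone probes for mass assignment. The 409 on an existing address is an account-enumeration trade-off; a public consumer app may prefer to answer 201 and send a verification mail either way.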
Dashboard Unlocked
Logged in with my new account — welcome to the moderation panel.
- Full user database
- KYC ID documents
- Private match history
- Phone numbers
Responsible Disclosure
Reported privately. Demoed live. Fixed quickly.
Final Thoughts
I’m not here to name and shame. I’m here to make sure you don’t end up in the headlines.