Redde Online - Security Assessment

๐ŸŒ reddeonline.com / api.reddeonline.com ๐Ÿ“… June 2026 ๐ŸŽฏ Black-box external
5
Critical
12
High
14
Medium
10
Low / Info
41
Total

Critical Findings Summary

VULN-38  Plaintext Password Transmission  [CRITICAL]

The password reset flow emails the account's current password in cleartext. A server can only do that if it stores passwords reversibly (plaintext or decryptable) rather than as one-way hashes, so the finding also confirms weak credential storage. Anyone who can read the mailbox, or intercept the mail path, gets immediate account takeover.
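The following is an added example, not Redde Online's code, showing the reset pattern the finding implies beside a hardened flow: passwords stored as salted scrypt hashes (so nothing on the server can be mailed back), and a reset email that carries only a short-lived, single-use token whose hash is stored. The user record layout, the function names and the reset URL are assumptions for illustration.

```python
"""Added example (not Redde Online's code): hashed password storage and a
token-based reset flow, contrasted with the reversible pattern VULN-38 implies.
User record layout, function names and the reset URL are assumptions."""
import hashlib
import hmac
import secrets
import time

SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}
RESET_TTL_SECONDS = 15 * 60


def hash_password(password):
    """Salted scrypt. The stored salt+hash cannot be turned back into the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password, credential):
    digest = hashlib.scrypt(password.encode(),
                            salt=bytes.fromhex(credential["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(credential["hash"]))


def reset_email_vulnerable(user):
    """The pattern the finding describes: the server still has the password, so it
    mails it. Anyone reading the mailbox, or the mail path, now owns the account."""
    return f"Your password is: {user['password']}"


def request_reset(user, now=None):
    """Hardened: mint a one-time token, store only its hash, return the token for mailing."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["pending_reset"] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token


def reset_email_hardened(token):
    # Hypothetical URL: the mail carries a short-lived capability, never the secret itself.
    return f"Reset your password: https://example.invalid/reset?token={token}"


def complete_reset(user, token, new_password, now=None):
    """Accept the token once, within its TTL, then replace the credential."""
    now = time.time() if now is None else now
    pending = user.get("pending_reset")
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    del user["pending_reset"]  # single use
    user["credential"] = hash_password(new_password)
    return True
```

Storing the SHA-256 of the reset token rather than the token itself means a database read does not yield usable reset links, and the TTL plus single-use deletion bounds the window in which a leaked email is worth anything.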

VULN-36  Privilege Escalation via Account Update  [CRITICAL]

PUT /users/{userid} accepts iscustomer:false from an ordinary authenticated merchant, so a merchant can change their own account type to staff with a single request. Confirmed live during testing.

VULN-37  Account Verification Bypass (Self-Unlock)  [CRITICAL]

The same PUT endpoint also accepts islocked:false, so a newly registered account can unlock itself and skip email and phone verification entirely.
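VULN-36 and VULN-37 are the same root cause: the update handler writes whatever fields the client sends. The block below is an added example, not Redde Online's code, that models that handler and a hardened version which checks object-level authorization and then enforces a strict allow-list of client-writable fields, rejecting iscustomer and islocked outright. The in-memory user table, the name and phone fields and the allow-list are assumptions; only iscustomer and islocked come from the report.

```python
"""Added example (not Redde Online's code): a mass-assignment update handler of
the kind VULN-36/VULN-37 describe, beside a hardened version. The user table,
the fields other than iscustomer/islocked, and the allow-list are assumptions."""
import copy

# Constructed sample users (not real accounts). islocked=True means
# email/phone verification has not completed yet.
SAMPLE_USERS = {
    "u-100": {"id": "u-100", "name": "Shop A", "phone": "+10000000001",
              "iscustomer": True, "islocked": True},
    "u-200": {"id": "u-200", "name": "Ops desk", "phone": "+10000000002",
              "iscustomer": False, "islocked": False},
}

# Fields the client may set through PUT /users/{userid}. Role, verification
# state and id are server-owned; role changes belong to a separate admin flow.
CLIENT_WRITABLE = {"name", "phone"}


def fresh_users():
    return copy.deepcopy(SAMPLE_USERS)


def put_user_vulnerable(users, actor_id, target_id, body):
    """Reported behaviour: the JSON body is merged into the record as-is, so
    {"iscustomer": false, "islocked": false} promotes and unlocks the caller."""
    users[target_id].update(body)
    return 200, users[target_id]


def put_user_hardened(users, actor_id, target_id, body):
    """Object-level authorization first, then a strict field allow-list."""
    actor = users.get(actor_id)
    target = users.get(target_id)
    if actor is None or target is None:
        return 404, {"error": "not found"}
    # Merchants (iscustomer=True) may only edit themselves; staff may edit anyone.
    if actor["iscustomer"] and actor_id != target_id:
        return 403, {"error": "cannot modify another account"}
    rejected = sorted(set(body) - CLIENT_WRITABLE)
    if rejected:
        # Reject rather than silently drop, so the attempt is visible in logs.
        return 400, {"error": "fields not writable here", "fields": rejected}
    target.update({k: body[k] for k in CLIENT_WRITABLE if k in body})
    return 200, target
```

The allow-list applies to staff callers too: even an administrator's request cannot flip iscustomer or islocked through this endpoint, which keeps privilege changes on a path that can carry its own authorization and audit logging.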

VULN-01  Complete API Authentication Bypass  [CRITICAL, CVSS 10.0]

POST /v1/receive accepts payment-collection requests with no API key at all, so any unauthenticated caller can initiate payment flows on behalf of any merchant.
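An added example, not Redde Online's code, of the unauthenticated handler the finding describes beside one that binds every request to an API key: keys are stored only as SHA-256 hashes, the merchant is derived from the key rather than from the request body, and a body merchant_id that disagrees with the credential is refused. The X-API-Key header name, the key table, the key format and the request shape are assumptions.

```python
"""Added example (not Redde Online's code): the unauthenticated pattern VULN-01
describes beside a handler that binds each request to an API key. The header
name X-API-Key, the key table and the request shape are assumptions."""
import hashlib
import secrets


def issue_api_key(key_table, merchant_id):
    """Generate a key and store only its SHA-256, so a database leak does not leak keys."""
    key = "rk_" + secrets.token_urlsafe(32)
    key_table[hashlib.sha256(key.encode()).hexdigest()] = merchant_id
    return key


def merchant_for_key(key_table, headers):
    """Resolve the caller from the key. Hashing before the lookup means the
    comparison cannot leak the key byte by byte through timing."""
    key = headers.get("X-API-Key", "")
    if not key:
        return None
    return key_table.get(hashlib.sha256(key.encode()).hexdigest())


def receive_vulnerable(request):
    """Reported behaviour: no credential is checked and the merchant comes from
    the body, so any caller can start a collection against any merchant."""
    body = request["json"]
    return 200, {"merchant": body["merchant_id"], "amount": body["amount"],
                 "status": "initiated"}


def receive_hardened(request, key_table):
    merchant = merchant_for_key(key_table, request["headers"])
    if merchant is None:
        return 401, {"error": "missing or invalid API key"}
    body = request["json"]
    # The key decides which merchant this is; a merchant_id in the body may not override it.
    if body.get("merchant_id", merchant) != merchant:
        return 403, {"error": "merchant_id does not match credential"}
    amount = body.get("amount")
    if not isinstance(amount, int) or amount <= 0:
        return 400, {"error": "amount must be a positive integer in minor units"}
    return 200, {"merchant": merchant, "amount": amount, "status": "initiated"}
```

Returning 401 for both a missing and an unknown key, with the same body, avoids telling a caller which keys exist; the merchant identity in the response comes from the credential, never from the caller's input.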

Report Sections