A threat actor claims to have found an IDOR (Insecure Direct Object Reference) vulnerability in Al Rajhi Bank’s APIs. The individual allegedly discovered the flaw through fuzzing, which allows unauthorized access to user shopping carts and possibly other sensitive data.
The threat actor is selling this alleged vulnerability for $69 in Bitcoin. They suggest that with some reconnaissance, further exploitation could reveal more critical flaws, such as a possible NoSQL injection.
Although the claim remains unverified, the sale raises concerns about the growing black market for banking exploits. It also underlines the need for financial institutions to strengthen their security measures in an increasingly digital world.
The bank is a major investor in Saudi Arabia’s business and is one of the largest joint stock companies in the Kingdom, with over SR 330.5 billion in AUM ($88 billion) and over 600 branches. Its head office is located in Riyadh, with six regional offices. Al Rajhi Bank also has branches in Kuwait and Jordan, and a subsidiary in Malaysia and Syria.
