The Target
A Banking-as-a-Service (BaaS) platform that provides banking infrastructure to fintech companies. Each fintech (tenant) gets its own environment to manage bank accounts, transfers, and customer data through the platform's API. Tenant isolation is critical — Company A should never see Company B's customers.
The Discovery
While testing the API as an authenticated user of one tenant, I noticed that the account lookup endpoint accepted an account identifier as a parameter:
GET /api/v1/accounts/{account_id}
My own account returned my details as expected. But when I changed the account_id to a different value — one belonging to another tenant — the API returned a successful response with that account's information instead of returning a 403 or 404.
The Exploit
Identify the ID Pattern: Account IDs were UUIDs, but certain related endpoints used sequential or predictable identifiers. I found that the person and entity endpoints used incrementing IDs that could be enumerated.
Cross-Tenant Data Access: By iterating through IDs, I could retrieve account details belonging to customers of other fintech tenants on the platform. The response included: full name, account number, routing number, account status, balance information, and creation date.
Scale of Exposure: The platform serves multiple fintech companies, each with thousands of end customers. A single API key from any tenant could be used to enumerate account data across every other tenant on the platform.
Root Cause: The API validated that the requester was authenticated and had a valid API key, but it did not check whether the requested resource belonged to the same tenant as the API key. The tenant isolation was enforced at the application layer for write operations but was missing on read endpoints.
Impact
- Cross-tenant access to customer PII (names, account numbers, routing numbers)
- Balance and transaction metadata exposure across organizational boundaries
- Violation of banking data isolation requirements
- Potential for targeted fraud using leaked account details
- Regulatory risk — banking data must be strictly tenant-isolated
Timeline
Reported with clear reproduction steps and multiple cross-tenant examples. The team implemented tenant-scoped queries across all API endpoints within 72 hours and conducted a full audit of their authorization middleware.
Takeaway
In multi-tenant platforms, always test cross-tenant access. Create two accounts in different tenants and try to access one tenant's resources using the other tenant's credentials. Many platforms enforce authorization for write operations (create, update, delete) but forget to validate reads. The most common pattern: the API checks "is this user authenticated?" but not "does this resource belong to this user's organization?" Always test both dimensions.
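To make the Root Cause and the Takeaway concrete, here is an added example (not the platform's code) showing the authenticated-but-unscoped lookup beside the tenant-scoped version the fix describes, plus the two-tenant read check the Takeaway recommends. The in-memory store, the key-to-tenant map, the account ids and the function names are all constructed for this example.

```python
# Added example (not the platform's code): tenant-scoped lookup vs. the vulnerable form.
from dataclasses import dataclass

class NotFound(Exception):
    """404 for both 'no such id' and 'belongs to another tenant'."""

@dataclass(frozen=True)
class Account:
    account_id: str
    tenant_id: str
    owner_name: str
    balance_cents: int

# Constructed sample data: two tenants, one customer account each; API_KEYS maps key -> tenant.
ACCOUNTS = {
    "acct-1001": Account("acct-1001", "tenant-a", "Alice Example", 12500),
    "acct-1002": Account("acct-1002", "tenant-b", "Bob Example", 98000),
}
API_KEYS = {"key-a": "tenant-a", "key-b": "tenant-b"}

def authenticate(api_key: str) -> str:
    # Return the caller's tenant id; fail closed on an unknown key.
    if api_key not in API_KEYS:
        raise PermissionError("invalid API key")
    return API_KEYS[api_key]

def get_account_vulnerable(api_key: str, account_id: str) -> Account:
    # Checks "is this caller authenticated?" but never "is this resource in the
    # caller's tenant?": the lookup is keyed on account_id alone.
    authenticate(api_key)
    if account_id not in ACCOUNTS:
        raise NotFound(account_id)
    return ACCOUNTS[account_id]

def get_account_scoped(api_key: str, account_id: str) -> Account:
    # Tenant-scoped lookup: the record must match both the id and the caller's
    # tenant, so another tenant's account is indistinguishable from a missing one.
    tenant_id = authenticate(api_key)
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.tenant_id != tenant_id:
        raise NotFound(account_id)
    return acct

def cross_tenant_read_blocked(handler) -> bool:
    # The two-tenant test from the Takeaway: tenant-a's key reading tenant-b's account.
    try:
        handler("key-a", "acct-1002")
    except NotFound:
        return True
    return False
```

Running the check against both handlers shows the unscoped one hands tenant-b's record to tenant-a's key, while the scoped one returns the same 404 it would for a non-existent id.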