Security Warning: 1xSlots Payment Gateway Exposes Player Invoices and Bank Data


Posted
Dear Security and Compliance Team,

I am writing to report a severe security vulnerability discovered within the paymentpulse.online payment gateway architecture, resulting in unauthorized exposure of Personally Identifiable Information (PII) and internal transactional infrastructure.

1. The Vulnerability & Session Bypass: The platform’s endpoint responsible for generating and displaying invoice states (/api/v1/getOrderStatus / public billing page) entirely lacks session validation and token authorization constraints. Anyone can query raw transaction logs without active user session cookies.

Crucially, as shown in the extracted logs, even when a transaction lifecycle is completely terminated or has expired—indicated by a negative timeout state ("timeout": -2365202, "status": "FAIL")—the backend continues to expose complete internal transaction objects to the public internet.

Live Vulnerable Invoice Example: An unauthenticated third party can directly access live transaction payloads by visiting endpoints such as: [https://transfer.paymentpulse.online/payment/mpf/h2h#d64a2588-a3b2-b6e4-8e94-241c2f424a75](https://transfer.paymentpulse.online/payment/mpf/h2h#d64a2588-a3b2-b6e4-8e94-241c2f424a75)

2. Leakage of Player Identifiers (PII): The API returns raw text inside the "description" object containing direct references to the user’s database entry linked to the invoice above:

  • "description": "Account+deposit+1660417699"

This parameter openly links a public financial transaction directly to a specific player’s Account ID (1660417699) on the partner platform. Because the partner's account allocation relies on sequential, predictable linear metrics, this architecture transforms a simple info leak into a high-severity IDOR (Insecure Direct Object Reference) flaw. It permits malicious third parties to de-anonymize players, track specific platform deposit volumes, and map out active user databases.

3. Gateway Architecture and Method Leakage: The unauthenticated payload also exposes critical backend configurations, including tracking parameters and automotive communication channels:

  • "trans_id": "100706407103", "number": "21525799293"

  • "payment_method": "P2PALFAPAY" (confirming unmonitored P2P payment routing).

Exposing active infrastructure endpoints, routing methods, and direct client database IDs to unauthenticated clients violates strict financial compliance standards, including data minimization guidelines under GDPR and security baselines required for handling peer-to-peer card transactions.

Bug Bounty and Collaboration: I conduct independent security analysis across modern payment processing solutions. Given that this architectural leak undermines the transactional privacy of thousands of user accounts and partner merchants, I believe it warrants rapid intervention.

I am available for structured cooperation and ask that your engineering team reviews this report for a reward allocation under a standard Bug Bounty model for providing the data parameters and vulnerable endpoints.

Screenshots:

1) https://postimg.cc/k6tmGZkh

2) https://postimg.cc/gw7pYdBR

I have attached the unedited network logs and screenshots validating the session-less data extraction. I look forward to your acknowledgment and your planned remediation schedule.

Best regards,

Virginia
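The report above boils down to three controls an order-status endpoint is missing: a session check, an ownership check, and field minimisation (no account references, transaction numbers or routing method in a public response, and nothing but a status for terminated transactions). As an added example, not code from the poster or from the gateway operator, the following Python compares a handler with that pattern against a hardened one, and includes a small audit helper a defender can run over their own gateway's JSON responses to catch the same class of leak. The in-memory store, session table, field names beyond those quoted in the report, and all values are constructed for the example.

```python
"""Order-status endpoint: vulnerable pattern vs. hardened handler (added example).

Everything here is hypothetical: the store, the session table and the sample
values are constructed to mirror the field names quoted in the report."""
import re

# Constructed sample records. Field names follow the report; values are made up.
ORDERS = {
    "order-A": {
        "owner_account": 1001,
        "status": "OK",
        "amount": "50.00",
        "currency": "EUR",
        "description": "Account+deposit+1001",
        "trans_id": "100000000001",
        "number": "2100000001",
        "payment_method": "P2P_EXAMPLE",
        "timeout": 3600,
    },
    "order-B": {  # terminated/expired transaction, negative timeout as in the report
        "owner_account": 2002,
        "status": "FAIL",
        "amount": "20.00",
        "currency": "EUR",
        "description": "Account+deposit+2002",
        "trans_id": "100000000002",
        "number": "2100000002",
        "payment_method": "P2P_EXAMPLE",
        "timeout": -2365202,
    },
}

# Constructed session table: session token -> authenticated account id.
SESSIONS = {"sess-alice": 1001, "sess-bob": 2002}

# The only fields a client ever needs to render an invoice state.
PUBLIC_FIELDS = ("status", "amount", "currency")

# Fields that identify internal infrastructure or the player and must stay server-side.
INTERNAL_FIELDS = {"trans_id", "number", "payment_method", "owner_account"}
ACCOUNT_REF = re.compile(r"Account\+deposit\+(\d+)")


def vulnerable_get_order_status(order_id):
    """The pattern described in the report: no session, no ownership check,
    and the raw stored object is returned, whatever its lifecycle state."""
    return ORDERS.get(order_id)


def hardened_get_order_status(order_id, session_token):
    """Returns (http_status, body). Requires a valid session, requires that the
    session's account owns the order, and returns only the public fields."""
    account = SESSIONS.get(session_token)
    if account is None:
        return 401, {"error": "authentication required"}
    order = ORDERS.get(order_id)
    # Same answer for a missing order and someone else's order, so the endpoint
    # cannot be used to confirm which order ids exist.
    if order is None or order["owner_account"] != account:
        return 404, {"error": "not found"}
    # Terminated or expired transactions expose their state and nothing else.
    if order["timeout"] < 0 or order["status"] == "FAIL":
        return 200, {"status": order["status"]}
    return 200, {k: order[k] for k in PUBLIC_FIELDS}


def audit_response(payload):
    """Defender-side check: list the fields in a response body that should
    never reach a client. Empty list means the body is minimised."""
    findings = sorted(k for k in payload if k in INTERNAL_FIELDS)
    if ACCOUNT_REF.search(payload.get("description", "")):
        findings.append("description(account id)")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_response(vulnerable_get_order_status("order-A")))
    print("hardened:  ", hardened_get_order_status("order-A", "sess-alice"))
```

`audit_response` is the piece worth keeping around: run it over captured responses of your own billing page or status API in a regression test, and any non-empty result means an internal field or a player reference has crept back into a client-facing payload.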

Posted

@findit11 Hi there and welcome to the forum.

I'm wondering if you should be writing these comments and report to 1xSlots casino themselves because it involves their platform and payment gateway.

It has nothing to do with Askgamblers, except to take note and be informed, so thank you for that. 😇

Posted
44 minutes ago, Afi4wins said:

@findit11 Hi there and welcome to the forum.

I'm wondering if you should be writing these comments and report to 1xSlots casino themselves because it involves their platform and payment gateway.

It has nothing to do with Askgamblers, except to take note and be informed, so thank you for that. 😇

I previously reported a vulnerability exposing their customers' data through the payment gateway, but I was ignored. For the sake of public awareness, I am posting this here, and a formal complaint will be submitted to their Curacao license issuer.
