Since there is no mention of trust boundaries or any assumptions in your README regarding SSL, this can be considered an exploited vulnerability.
Since the application is not SSL-protected, uses HTTP, and does not encrypt sensitive information, all passwords and the user balance can be eavesdropped on by a man in the middle, allowing the attacker to use that information to access the user's account and withdraw money. To do this, the attacker can use a proxy/packet-analyzer application such as Wireshark to eavesdrop when a user sends a POST request to the "/login" endpoint with the password, which is not encrypted, in the request body.
Here is the JSON response from the request that was intercepted:
Valid. A man-in-the-middle attack can happen if (1) the channel is unencrypted or (2) the data is unencrypted and the client is compromised (e.g., with a keylogger or trojan).
This issue is better described on the OWASP page: https://owasp.org/www-community/vulnerabilities/Insecure_Transport
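To make concrete what the report above describes, here is an added example (not part of this thread or of the application under review) that parses plaintext HTTP POST requests the way a sniffer such as Wireshark would reassemble them from the TCP stream, and pulls the credentials out of the "/login" request body. The host name bank.example, the field names username/password, the sample values, and the form-encoded and JSON body variants are all assumptions constructed for the demonstration; the "/login" path is the one named in the report. A constructed TLS record is included to show that the same parser recovers nothing once the channel is encrypted.

```python
"""Show what an on-path eavesdropper recovers from a plaintext HTTP login.

Added example; the captured payloads below are constructed, not real traffic.
"""
import json
from urllib.parse import parse_qs

# Field names that mark a request as carrying credentials (assumed list).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pin", "token"}
IDENTITY_FIELDS = {"username", "user", "email", "login"}


def build_request(method, path, host, body=b"", content_type=None):
    """Assemble the exact bytes a client puts on the wire (constructed sample)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    if body:
        lines.append(f"Content-Type: {content_type}")
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


# Constructed captures: two plaintext logins (form and JSON bodies), a GET that
# carries no credentials, and the first bytes of a TLS handshake record (0x16 0x03).
CAPTURED = [
    build_request("POST", "/login", "bank.example",
                  b"username=alice&password=hunter2%21",
                  "application/x-www-form-urlencoded"),
    build_request("POST", "/login", "bank.example",
                  b'{"username": "bob", "password": "s3cret-pw"}',
                  "application/json"),
    build_request("GET", "/balance", "bank.example"),
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
]
TLS_RECORD = CAPTURED[3]


def parse_http_request(raw):
    """Parse one reassembled TCP payload as an HTTP/1.x request.

    Returns None when the bytes are not plaintext HTTP, which is what the
    sniffer sees for a TLS-protected connection.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": rest[:length]}


def extract_credentials(req):
    """Return identity/credential fields from a form or JSON body, else None."""
    ctype = req["headers"].get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        # parse_qs also undoes percent-encoding, so %21 comes back as "!".
        decoded = parse_qs(req["body"].decode("utf-8", "replace"))
        fields = {k: v[0] for k, v in decoded.items()}
    elif ctype == "application/json":
        try:
            obj = json.loads(req["body"])
        except ValueError:
            return None
        if not isinstance(obj, dict):
            return None
        fields = {k: str(v) for k, v in obj.items()}
    else:
        return None
    found = {k: v for k, v in fields.items()
             if k.lower() in CREDENTIAL_FIELDS | IDENTITY_FIELDS}
    has_secret = any(k.lower() in CREDENTIAL_FIELDS for k in found)
    return found if has_secret else None


def find_plaintext_credentials(payloads):
    """Scan captured payloads and report every request that leaks credentials."""
    findings = []
    for raw in payloads:
        req = parse_http_request(raw)
        if req is None:
            continue  # encrypted or otherwise not HTTP: nothing recoverable
        creds = extract_credentials(req)
        if creds:
            findings.append({"host": req["headers"].get("host", ""),
                             "path": req["path"], "credentials": creds})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(CAPTURED):
        print(f"{f['host']}{f['path']} -> {f['credentials']}")
```

Both HTTP logins yield the username and password in the clear, while the TLS record is rejected by the parser because nothing in it is an HTTP start line; that difference is the whole of the fix the report calls for (serve "/login", and everything else, only over HTTPS). The same scan logic, pointed at a real pcap via a capture library, is a quick way for a reviewer to confirm whether a target still sends credentials in plaintext.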