Researchers discovered the vulnerability in an API already integrated into many bank systems, which could have defrauded millions of users by giving attackers access to their funds.