by rrrhys 1844 days ago
Whole implementation? It's probably the edge cache catching a cookie on the way out, a toggle box somewhere.
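The failure mode rrrhys speculates about, an edge cache storing a response that carries one user's Set-Cookie and handing that copy to other visitors, shows up in response headers that a defender can check mechanically. The following is an added example, not code from the thread or from the company being discussed; the header samples are constructed, and the check flags any cookie-setting response that does not tell shared caches to keep their hands off it (Cache-Control: private or no-store) or that explicitly invites shared caching (public, s-maxage).

```python
from typing import Dict, List

# Directives that keep a shared (edge/CDN) cache from storing or sharing a response.
_SHARED_CACHE_SAFE = ("private", "no-store")

# Directives that explicitly tell a shared cache it may store the response.
_SHARED_CACHE_INVITE = ("public", "s-maxage")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header into {directive: argument}, directives lower-cased.

    Directives without an argument map to the empty string.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_risk(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for a response whose per-user state could be stored by a shared cache.

    headers maps response header name -> list of values; names are matched case-insensitively.
    Only responses that set a cookie are of interest here: a response with no Set-Cookie
    carries no per-user token for the edge to leak.
    """
    h = {name.lower(): values for name, values in headers.items()}
    set_cookie = h.get("set-cookie", [])
    if not set_cookie:
        return []

    # Several Cache-Control headers may be present; RFC semantics let us join them.
    cc = parse_cache_control(", ".join(h.get("cache-control", [])))
    findings: List[str] = []

    # No private/no-store: the response is eligible for shared caching (heuristically,
    # if no freshness directive is present at all), so the cookie travels with it.
    if not any(d in cc for d in _SHARED_CACHE_SAFE):
        findings.append("Set-Cookie without Cache-Control: private or no-store")

    # public / s-maxage go further and positively ask a shared cache to store the response.
    for d in _SHARED_CACHE_INVITE:
        if d in cc:
            findings.append(
                f"Cache-Control: {d} invites a shared cache to store a response that sets a cookie"
            )
    return findings


# Constructed header sets, not captured from any real service.
LEAKY_RESPONSE = {
    "Cache-Control": ["public, max-age=600"],
    "Set-Cookie": ["session=constructed-example; Path=/; HttpOnly; Secure"],
}
SAFE_RESPONSE = {
    "Cache-Control": ["private, no-store"],
    "Set-Cookie": ["session=constructed-example; Path=/; HttpOnly; Secure"],
}
STATIC_RESPONSE = {
    # Cacheable static asset with no per-user state: nothing to flag.
    "Cache-Control": ["public, max-age=86400"],
}


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE), ("static", STATIC_RESPONSE)):
        print(label, shared_cache_risk(resp) or "ok")
```

Run against a crawl of an application's authenticated responses, a non-empty result from `shared_cache_risk` is the kind of thing the "toggle box" changes: the origin keeps emitting the same headers, while the edge's policy on whether to honour them is what flips. Checking the headers the origin actually sends is the layer that does not depend on the CDN console.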

Yes?

The session layer should confirm and only accept that the other SSL-endpoint is an authenticated app. The app should do this as well.

If a toggle box exists that can cause this, I'd wonder how much else of the implementation is worth saving.

With all respect, I don't disagree with your assumption about a silly cache somewhere, but that is sort of my point: if such a severe privacy and security vulnerability can be introduced by a single toggle box somewhere, then the architecture of their platform is hugely lacking IMHO. This is not a cat photo sharing platform but a fin-tech business, and there should be more layers to security than a single toggle box.