A business logic error bug worth 600$

Hey all,

Deep Patidar here, i hope all are doing good with good health. I am sharing my recent finding on hackerone private program, as terms and conditions i can not disclose the name of the program so call as target.com

lets say target.com has a functionality of refer a friend and if user will sign up and will activate paid plan, i will get 30$ as gift which referral code used by any other user while signup.

i was thinking like how can i use this functionality and abuse it. i thought lets check every request and try to manipulate price but there was server side validation so i didn’t get anything and like i can’t find

Photo by Jason Strull on Unsplash

After sometime i thought that let me use referral code with new signup

Step to reproduce:

  1. logged in my account and went to billing tab there was option for refer a friend

Now i logged in again in my account and checked wallet balance there was 30$ as i received because i shared my referral link to user for new signup.

Now its time to ask for refund so logged in new signed up account and submit a request for refund on cancel the subscription and in few hour i have a response on my ticket “we have canceled your subscription and refund already generated ”

Again i logged in with my account as checked that 30$ what i received for referral signup is there or not and i was like

Photo by bruce mars on Unsplash

Repeated this steps 3 times and now i have 90$ in wallet without getting paid anything, On the program if i will manage to get 300$ using same techniques i can make for 12 month premium subscription

Thank you for reading and have a great day ahead

Report Submitted — 13 Nov 2021

Triaged — 16 Nov 2021

Bounty paid — 600$ (17 Nov 2021)

Network Security Engineer