A business logic error bug worth 600$

Deep Patidar
Nov 23, 2021

Hey all,

Deep Patidar here. I hope you are all doing well and in good health. I am sharing my recent finding on a HackerOne private program. As per the terms and conditions I cannot disclose the name of the program, so I will call it target.com.

Let's say target.com has a refer-a-friend feature: if another user signs up with my referral code and activates a paid plan, I get 30$ as a gift.

I was thinking about how I could use this functionality and abuse it. I thought, let's check every request and try to manipulate the price, but there was server-side validation, so I didn't get anything and like I can't find


After some time I thought, let me use the referral code with a new signup.

Steps to reproduce:

  1. I logged in to my account and went to the billing tab, where there was an option to refer a friend.
  2. I used this URL for a new signup with the referral link but got nothing, as I receive 30$ for each new registration only if the user activates their paid plan.
  3. I used this referral link to sign up with a new account and activated the paid plan, for which I had to pay 15$ for a month.

Now I logged in to my account again and checked the wallet balance: there was 30$, which I received because I shared my referral link with a user for a new signup.

Now it's time to ask for a refund, so I logged in to the newly signed-up account and submitted a request for a refund on cancelling the subscription, and in a few hours I had a response on my ticket: “we have canceled your subscription and refund already generated”

Again I logged in to my account and checked whether the 30$ I received for the referral signup was still there or not, and I was like

[Image: photo by bruce mars on Unsplash]

I repeated these steps 3 times and now I have 90$ in my wallet without having paid anything. On the program, if I manage to get 300$ using the same technique, I can get a 12-month premium subscription.
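
The following added example, which is not from the original post or the program's code, models the referral ledger both ways: the reward credited on plan activation and untouched by a refund, as described above, and the reward held until the refund window closes and reversed on refund. The 30$ reward is from the post; the 30-day refund window, the dates and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REWARD = 30                          # referral reward quoted in the post ($)
REFUND_WINDOW = timedelta(days=30)   # assumption: the post gives no refund period

@dataclass
class Referral:
    referrer: str
    referee: str
    paid_at: datetime
    state: str = "pending"           # pending -> released | reversed

@dataclass
class Ledger:
    hardened: bool                   # False reproduces the flow from the post
    wallet: dict = field(default_factory=dict)
    referrals: list = field(default_factory=list)

    def _move(self, ref, amount, state):
        self.wallet[ref.referrer] = self.wallet.get(ref.referrer, 0) + amount
        ref.state = state

    def plan_activated(self, referrer, referee, now):
        ref = Referral(referrer, referee, now)
        self.referrals.append(ref)
        if not self.hardened:        # flawed: reward is spendable immediately
            self._move(ref, REWARD, "released")

    def subscription_refunded(self, referee):
        if not self.hardened:        # flawed: refund never touches the reward
            return
        for ref in [r for r in self.referrals if r.referee == referee]:
            if ref.state != "reversed":  # cancel pending, claw back released
                self._move(ref, -REWARD if ref.state == "released" else 0, "reversed")

    def settle(self, now):           # release only after the refund window
        for ref in self.referrals:
            due = now - ref.paid_at >= REFUND_WINDOW
            if self.hardened and ref.state == "pending" and due:
                self._move(ref, REWARD, "released")

def replay(hardened, rounds=3):      # the post's sign-up / pay / refund cycle
    ledger, t0 = Ledger(hardened), datetime(2021, 11, 1)  # constructed date
    for i in range(rounds):
        ledger.plan_activated("referrer", f"referee-{i}", t0)
        ledger.subscription_refunded(f"referee-{i}")
    ledger.settle(t0 + REFUND_WINDOW)
    return ledger.wallet.get("referrer", 0)
```

`replay(False)` ends with the 90$ balance from the post, while `replay(True)` ends at 0; a referee who keeps the plan past the window still earns the referrer the reward.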

Thank you for reading and have a great day ahead

Report Submitted — 13 Nov 2021

Triaged — 16 Nov 2021

Bounty paid — 600$ (17 Nov 2021)
