Hi everyone, this write-up is about a vulnerability I discovered in a private bug bounty program. Due to privacy & legal concerns, I will be providing sample requests and screenshots to illustrate the vulnerability.
If you are interested in my previous write-ups, you can find them below:
In this write-up, I will discuss a critical bug that I discovered within a payment system, which allowed me to exploit a payment of $1 and receive $100 in return. This vulnerability exposed a significant flaw in the system’s payment processing logic, enabling me to leverage it for personal gain. Through meticulous testing and analysis, I successfully identified and verified the bug, highlighting the potential risks involved and providing recommendations for remediation.
The application I was testing had a payment option where, to recharge my account, I needed to enter the desired amount and click on the recharge button. This action would redirect me to an IPG (Internet Payment Gateway). However, when I intercepted the traffic using Burp Suite, I observed that the web application made additional requests and verifications before directly sending the request to the IPG. The vulnerable request is depicted in the image below.
As seen in the image above, there are two endpoints where the amount is specified. Based on my analysis, the “payment_amount” endpoint is responsible for deducting $100 from my credit card, while the “recharge_amount” endpoint determines the amount to be recharged into my account.
The vulnerability lies in the fact that the “payment_amount” endpoint lacks proper data validation. This allowed me to manipulate the payment amount and deduct only $1 from my credit card while simultaneously recharging $100 into my account. I attempted to enter $0, but it failed at the IPG stage due to an invalid amount.
So, the vulnerable request would be similar to the image shown below, where the “payment_amount” is set to $1 and the “recharge_amount” is set to $100.
After the above request is sent, the IPG accepts the payment and updates it as a credit card payment of $1, as shown in the image below.
Finally, when I entered my card details and paid $1, my account was recharged by $100. And similarly, I tested the vulnerability up to $50,000 without raising any suspicion until I responsibly reported to them.
The impact of this bug is significant, as it allows any user to manipulate the payment system for personal gain. This not only exposes the organization to financial losses but also undermines the integrity of the payment infrastructure. The potential risks associated with this vulnerability include fraudulent activities, financial exploitation, and severe reputational damage to the affected organization.
In light of this discovery, it is crucial for the organization to address this vulnerability promptly. To remediate the bug, I recommend the following actions:
This write-up discusses a critical vulnerability discovered within a payment system during a private bug bounty program. The vulnerability allowed the author to exploit a payment of $1 and receive $100 in return. By analyzing the system’s payment processing logic, the author identified a flaw in the validation of payment amounts, enabling them to manipulate the payment request. Through sample requests and screenshots, the author demonstrated how they set the payment amount to $1 and the recharge amount to $100, successfully recharging their account without deducting the appropriate payment from their credit card. The author also highlighted that they tested the vulnerability up to $50,000 without detection. The potential impact and risks of the vulnerability were discussed, including financial losses, fraudulent activities, and reputational damage. Recommendations were provided to fix the vulnerability.
Please remember to use this knowledge responsibly and comply with legal and ethical guidelines when conducting security assessments and disclosing vulnerabilities.