Everyone wishes they could celebrate their birthday more than once a year… especially if it comes with free rewards, right?
While poking around the Android app of a popular food delivery service, I stumbled across a surprising oversight: you can actually change your birthday to any future date via a simple request — and claim the birthday campaign rewards again and again. 🎉
Here’s what I found, how I tested it, and why this seemingly harmless bug can have a bigger impact than you’d think.
Inside the app, there’s a feature that lets users set their birthday — but only once, during registration. Normally, the date picker prevents you from choosing a date too far in the future… as you’d expect.
But when I looked at the network traffic using tools like Burp Suite and Frida, I noticed something odd: the app sends the birthday to an API endpoint, and that backend doesn’t actually validate it. So, I crafted a manual request with a birthday like "1 January 2030"
... and it worked.
The backend happily accepted it. ✅
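The fix belongs on the server, since the date picker only constrains the official client. The sketch below is an added example, not the delivery service's code: it re-checks the date, enforces set-once, and caps the reward at one per calendar year. The function names, the dict-based profile, the ISO date format and the 120-year bound are assumptions for illustration.

```python
from datetime import date

MAX_AGE_YEARS = 120  # assumed plausibility bound, not taken from the app


class BirthdayError(ValueError):
    """Raised when a submitted birthday must be rejected."""


def validate_birthday(raw, today):
    """Parse the submitted value and apply the checks the date picker implied."""
    try:
        value = date.fromisoformat(raw)  # assumed wire format: YYYY-MM-DD
    except (TypeError, ValueError):
        raise BirthdayError("birthday must be an ISO date (YYYY-MM-DD)")
    if value > today:
        raise BirthdayError("birthday cannot be in the future")
    if today.year - value.year > MAX_AGE_YEARS:
        raise BirthdayError("birthday is implausibly old")
    return value


def set_birthday(profile, raw, today):
    """Enforce the set-once rule server-side, not only in the UI."""
    if profile.get("birthday") is not None:
        raise BirthdayError("birthday is already set")
    profile["birthday"] = validate_birthday(raw, today)


def claim_birthday_reward(profile, today):
    """Grant at most one reward per calendar year, on the stored birthday only."""
    born = profile.get("birthday")
    # 29 February birthdays need an explicit policy; omitted here for brevity.
    if born is None or (born.month, born.day) != (today.month, today.day):
        return False
    if profile.get("last_reward_year") == today.year:
        return False  # already claimed this year, whatever the stored date says
    profile["last_reward_year"] = today.year
    return True
```

Tracking `last_reward_year` separately from the birthday means that even if a birthday change slipped through some other path, the campaign still pays out only once per year.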
This app has a birthday campaign — you set your birthday, and when that day arrives, bam! 🎁 You get special offers: discounts, promos, maybe even free food (depending on how generous they’re…