Behind the Scenes: How I Discovered Flaws in a Rewards and Recognition Portal


Niraj Mahajan

Hello Researchers,

Welcome back to my Medium blog! I’m thrilled to have you here and excited to share more engaging content with you.

About the Product/Application: Most companies use software platforms to manage rewards and recognition, making the process easier and improving the overall experience for employees.

Story Behind the Vulnerability: It all started when one of the developers at the company was casually exploring the rewards points section of a portal we use at work. He opened the developer tools in his browser, went to the Network tab, and saw the API call for the rewards points, noticing that the customer ID was sent in the request payload. Curious, he copied the request as cURL, pasted it into Postman, and changed his customer ID to someone else’s. To his surprise, he could see that other person’s reward points details.

Realizing the seriousness of the issue, he immediately informed his manager, who escalated it to the HR department since the portal handled rewards and recognition. After that, the issue was handed over to me to check for vulnerabilities.

After looking into the issue, I quickly followed the steps and confirmed the vulnerability. I wrote a detailed internal VAPT report and sent it to the vendor. However, I strongly suspected that the portal might have other vulnerabilities beyond this one.

I started to look more closely at the application, gathering all its APIs, including those for buying coupon codes with reward points. I realized there were bigger issues with the API security, which could allow unauthorized people to access sensitive data.

About the Vulnerability: There were no proper authorization checks, so anyone could view another user's reward points, past orders, and items in their cart. An attacker could also place an order to redeem a coupon code from someone else's account simply by changing the "customerID" value in the request.

This vulnerability falls under the category of Insecure Direct Object References (IDOR). It is a type of access control vulnerability where users can access or manipulate data they shouldn’t be able to by changing input values, such as customer IDs, in API requests. Other related categories include:

Broken Access Control: Because the system allows unauthorized users to access sensitive information and perform actions without proper authorization checks.

Data Exposure: Since sensitive data such as user reward points and order history can be accessed without authorization.

To understand the initial API calls, I used my own reward points to redeem a coupon code. After doing this, I no longer had any reward points available in my account. I understood the sequence of API calls for redeeming coupons and collected all the APIs necessary to redeem a coupon code, so I could test whether another person’s reward points could be redeemed.

How I Exploited the Vulnerability:

Step 1 (API 1): This API is used to check coupon details; each “product_id” corresponds to a coupon name and amount. In the API below, I used an Amazon e-Gift Card coupon worth Rs 100 for testing, and you can see the “customerID,” which is my own customer ID.

Step 2 (API 2): This API is used to add products to the cart, and I could add products (coupons) to anyone's cart simply by changing the "customerID." I replaced my "customerID" with a different one, and since that user had already added a Rs 500 Amazon e-Gift Card coupon to their cart, when I hit this API, two coupons appeared in the response body.

Step 3 (API 3): This API is used to check the balance of reward points; if a user has enough points, it returns a success response and allows them to redeem the points. This user had 1,000 reward points, and I redeemed 600 points for two Amazon e-Gift Card coupons.

Step 4 (API 4): This API is used to place an order, and I was able to change the email address in the request, allowing me to receive the coupon codes at my own email address.

Step 5: I received an order confirmation email immediately. It takes about 5 to 6 hours for the coupon codes themselves to arrive by email.

How the Vendor Fixed the Issue: They implemented proper authorization checks to ensure that the customer ID in each request matches the authenticated user. The vendor took immediate action on this vulnerability and fixed the issue within one day of reporting it. I really appreciate their quick response.
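To make the IDOR described above and the class of fix the vendor applied concrete, here is an added illustration (not the portal's or the vendor's code): a cart handler that trusts "customerID" from the request body, beside one that derives the account from the authenticated session and sends the coupon to the email on record. Account data, customer IDs, prices and handler names are constructed for the example.

```python
# Hypothetical rewards-portal handlers illustrating the IDOR and its fix.
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    points: int
    cart: list = field(default_factory=list)

# Constructed sample accounts; IDs, emails and balances are made up.
ACCOUNTS = {
    "C1001": Account("alice@example.com", 1000),
    "C1002": Account("bob@example.com", 0),
}

class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the target account."""

def add_to_cart_vulnerable(session_user, payload):
    # Bug: the account to act on comes from the request body, so any
    # authenticated caller can add items to any other customer's cart.
    acct = ACCOUNTS[payload["customerID"]]
    acct.cart.append(payload["product_id"])
    return acct.cart

def add_to_cart_fixed(session_user, payload):
    # Fix: the target account is the authenticated user; a customerID in
    # the body is accepted only when it matches that user.
    if payload.get("customerID", session_user) != session_user:
        raise Forbidden("customerID does not match authenticated user")
    acct = ACCOUNTS[session_user]
    acct.cart.append(payload["product_id"])
    return acct.cart

def place_order_fixed(session_user, payload, prices):
    # Ownership is enforced on every step of the flow, not just the first:
    # points are debited only from the caller's own account, and the coupon
    # goes to the email on record, never to an address in the request.
    if payload.get("customerID", session_user) != session_user:
        raise Forbidden("customerID does not match authenticated user")
    acct = ACCOUNTS[session_user]
    total = sum(prices[p] for p in acct.cart)
    if total > acct.points:
        raise ValueError("insufficient reward points")
    acct.points -= total
    acct.cart.clear()
    return {"deliver_to": acct.email, "points_spent": total}
```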

The next day, I received an email from the vendor asking me to validate the vulnerability, and I found that it was no longer reproducible.

Tip for Bug Bounty Hunters: Always look deeper than the obvious issues. In this case, a small mistake in authorization checks caused a serious problem, allowing users to change data and access other people’s rewards. Don’t only look for common vulnerabilities; focus on access control, API security, and how the system works.

I hope you have learned something new in this writeup.

If you need any help or want to connect, you can reach me via LinkedIn and Twitter.

I hope it will help you in your Bug Hunting !!

Thanks for Reading !!😊

./Keep_Hacking
