Bypass Premium Account Payment (GetPocket)


Greetings Guys! 🤙 Today I bring you a bug I found at the beginning of the year 🗓️ 2022. You know the GetPocket app, a popular app for saving online content. It is available for iOS, Android, and other mobile devices, as well as desktop. This app allows you to save content from the web so that it can be read later. You can save articles, videos, notes and more to view at any time.

I decided to browse the web and create my account, so I decided to use the Mozilla Firefox OAuth authentication method to create my account on GetPocket for the first time.

Once I accessed my GetPocket account, you can see that it is a normal regular account with no privileges 😔.

I thought 🤔: How could I get a free premium account?

Then I remembered 💡 I had done some online shopping and had a Visa gift card 💳 with no funds, and said: why not use it to buy a GetPocket Premium account? It should not accept it, as most of these web applications employ payment processors like Stripe, which has a feature called Radar (https://stripe.com/radar) that detects this kind of abuse.

So I opened Burp Suite (https://portswigger.net/), my favorite tool 🔨🔥 for hunting bugs.

Once I got the request, I sent it to the Repeater, added the following header line, X-Forward-For: 127.0.0.1, and hit Send.

The server accepted the request 🥳🎉 200 OK

The Stripe payment processor was skipped (bypassed) and gave me a purchase confirmation order, reflected in an email to ********@gmail.com.

I could see that the user account was no longer the same; it has other functions, as it is now a premium account 🙃

Apparently, Stripe's Radar feature is not enabled, which allowed this abuse. Knowing all this, I proceeded to report the security flaw to the GetPocket Security Team so that they could thoroughly investigate the issue and take the necessary steps to correct it. The GetPocket Security Team responded very quickly and was very helpful.
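The root cause described above is a backend that takes a client-supplied forwarding header at face value and lets it decide whether a purchase goes through fraud screening. The following Python is an added example written for this post; it is not GetPocket's or Stripe's code, and nothing is known about how Pocket's backend actually made the decision. It models a weak pattern that mirrors the behaviour in the write-up (header trusted, loopback treated as internal, screening skipped) next to a hardened one that honours the header only behind the site's own proxies and screens every purchase regardless. The post writes the header as X-Forward-For; the standard name, which the example uses, is X-Forwarded-For. The trusted proxy range, the lowercased header keys and the sample request are all constructed assumptions.

```python
import ipaddress
from typing import Mapping

# Hypothetical address range of the application's own reverse proxies
# (constructed for this example; a real deployment lists its actual proxy IPs).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of our own proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Resolve the address to use for abuse/fraud decisions.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; a direct client can put anything in that header, so it is
    ignored. When the peer is trusted, walk the header right to left,
    dropping hops we added ourselves, and stop at the first hop we did not.
    Header keys are assumed to be normalised to lowercase by the framework.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    resolved = peer_ip
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: keep the last valid address
        resolved = hop
        if not is_trusted_proxy(hop):
            break
    return resolved


def weak_purchase_decision(headers: Mapping[str, str]) -> dict:
    """Weak pattern (constructed to mirror the behaviour in the write-up).

    Takes the header at face value and treats loopback/private traffic as
    internal, so a request carrying X-Forwarded-For: 127.0.0.1 is exempted
    from the payment processor's fraud screening.
    """
    first_hop = headers.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        ip = ipaddress.ip_address(first_hop)
        internal = ip.is_loopback or ip.is_private
    except ValueError:
        internal = False
    return {"screen": not internal, "ip": first_hop or None}


def hardened_purchase_decision(peer_ip: str, headers: Mapping[str, str]) -> dict:
    """Hardened pattern: every purchase is screened, without exception, and
    the IP reported to the processor comes only from client_ip()."""
    return {"screen": True, "ip": client_ip(peer_ip, headers)}


if __name__ == "__main__":
    # Constructed request: a direct client (203.0.113.5) sending a loopback
    # address in the forwarding header.
    spoofed = {"x-forwarded-for": "127.0.0.1"}
    print("weak:    ", weak_purchase_decision(spoofed))
    print("hardened:", hardened_purchase_decision("203.0.113.5", spoofed))
```

The detection angle follows from the same split: a purchase whose resolved client address is loopback or private, or whose forwarding header arrived on a connection that did not come from one of the site's own proxies, is worth an alert on its own, and a purchase that reached the order-confirmation step without a corresponding processor call is the stronger signal.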

The bug turned out to be a duplicate, which left me 😔
