How I Exploited the Account Cancellation Feature to Farm Rewards


Xiaodong

Hello hackers,

I’m a bounty hunter from China, and I’m excited to share with you an interesting vulnerability I encountered while hunting for bugs. I hope we can exchange and learn together.

This vulnerability is quite simple but genuinely intriguing. All it requires is an understanding of the business logic to spot the issue.

Let’s get started.

First, I registered and logged into the target website, a new business venture developed by the target company (I particularly like to focus on new businesses, as they often have many vulnerabilities). To attract more customers, the site awards gold coins for each new person you invite to register, and these coins can be exchanged for a membership on the website.

Let’s outline the current business logic: Register an account — Invite a newcomer — Receive rewards.

It’s a straightforward logic, right?

However, the interesting part emerged when I noticed that the site also has an account cancellation feature.

Typically, if you cancel your current account, there should be a cooling-off period, like being unable to register the same account again within seven days (verifying the email or phone…
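The referral flow and the cooling-off check described above, as an added example that is not code from the original post or the target site: a minimal referral-reward model in which the weak variant pays a reward on every new registration and forgets a cancelled account entirely, while the hardened variant keeps a record of cancelled identities, enforces a seven-day cooling-off period on re-registration, and pays the referral reward at most once per identity. The class names, the coin value, the churn window and the sample e-mail addresses are all assumptions constructed for the illustration; the seven-day period mirrors the figure quoted in the post.

```python
"""
Added example (not the original post's or the target site's code): a minimal
referral-reward model showing the weak logic the post describes beside a
hardened variant. Names, values and sample identities are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib

COOLING_OFF = timedelta(days=7)   # assumed policy, mirroring the post's "seven days"
REWARD_COINS = 10                 # constructed reward value
CHURN_WINDOW = timedelta(days=1)  # constructed detection threshold


def identity_key(contact: str) -> str:
    """Hash a normalised email/phone so trivial spelling variants map to one key."""
    return hashlib.sha256(contact.strip().lower().encode()).hexdigest()


@dataclass
class Account:
    contact: str
    registered_at: datetime
    referrer: Optional[str] = None
    coins: int = 0
    active: bool = True


@dataclass
class ReferralService:
    hardened: bool
    accounts: dict = field(default_factory=dict)       # identity key -> Account
    cancelled_at: dict = field(default_factory=dict)   # identity key -> latest cancel time
    rewarded_keys: set = field(default_factory=set)    # invitee keys that already earned a reward
    reward_log: list = field(default_factory=list)     # (invitee key, referrer key, time)

    def register(self, contact: str, now: datetime, referrer: Optional[str] = None) -> str:
        key = identity_key(contact)
        existing = self.accounts.get(key)
        if existing is not None and existing.active:
            raise ValueError("already registered")
        if self.hardened:
            last = self.cancelled_at.get(key)
            if last is not None and now - last < COOLING_OFF:
                raise ValueError("cooling-off period not over")
        self.accounts[key] = Account(contact, now, referrer)
        if referrer is not None and referrer in self.accounts:
            if self.hardened and key in self.rewarded_keys:
                return key  # this identity already earned a referral reward once
            self.accounts[referrer].coins += REWARD_COINS
            self.rewarded_keys.add(key)
            self.reward_log.append((key, referrer, now))
        return key

    def cancel(self, key: str, now: datetime) -> None:
        self.cancelled_at[key] = now
        if self.hardened:
            self.accounts[key].active = False   # tombstone: the identity stays known
        else:
            del self.accounts[key]              # weak: the identity is free again at once


def churned_referrals(svc: ReferralService, window: timedelta = CHURN_WINDOW) -> dict:
    """Per referrer, count rewarded invitees that cancelled within `window` of signup.
    A high count is the signal a reviewer would want before coins become redeemable."""
    counts: dict = {}
    for invitee, referrer, rewarded_at in svc.reward_log:
        cancelled = svc.cancelled_at.get(invitee)
        if cancelled is not None and cancelled - rewarded_at <= window:
            counts[referrer] = counts.get(referrer, 0) + 1
    return counts


def payout_for_repeated_signups(hardened: bool, cycles: int = 3) -> tuple:
    """Regression check for the scenario in the post: the same invitee identity
    registers, cancels and registers again an hour apart. Returns (coins, churn)."""
    svc = ReferralService(hardened=hardened)
    t0 = datetime(2024, 1, 1)
    ref = svc.register("referrer@example.com", now=t0)   # constructed identities
    for i in range(cycles):
        now = t0 + timedelta(hours=i + 1)
        try:
            invitee = svc.register("friend@example.com", now=now, referrer=ref)
        except ValueError:
            continue   # hardened variant rejects re-registration inside cooling-off
        svc.cancel(invitee, now=now + timedelta(minutes=5))
    return svc.accounts[ref].coins, churned_referrals(svc)


def payout_after_cooling_off() -> int:
    """Hardened variant: re-registration is allowed once the period elapses,
    but the identity's referral reward is not paid a second time."""
    svc = ReferralService(hardened=True)
    t0 = datetime(2024, 1, 1)
    ref = svc.register("referrer@example.com", now=t0)
    invitee = svc.register("friend@example.com", now=t0, referrer=ref)
    svc.cancel(invitee, now=t0)
    svc.register("friend@example.com", now=t0 + COOLING_OFF, referrer=ref)
    return svc.accounts[ref].coins


if __name__ == "__main__":
    print("weak:", payout_for_repeated_signups(False))       # (30, {...: 3})
    print("hardened:", payout_for_repeated_signups(True))    # (10, {...: 1})
    print("after cooling-off:", payout_after_cooling_off())  # 10
```

The design choice that matters is that cancellation must leave a tombstone keyed on the normalised contact identity rather than deleting the row: both the cooling-off check and the once-per-identity reward rule depend on remembering identities the site has already seen, and the churn count gives a reviewer a concrete number to look at before referral coins become redeemable.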
