During my recon on one of the bug bounty websites, I found a subdomain which contained sensitive information, as well as others too, but here I am going to share the most interesting bug I found on further testing.
While I was digging and digging, I found an endpoint to send money from one account to another account. I was not going to test :P, trying to send money from one account to another account. I thought it would be impossible, but still, let's give it a damn try. I tried IDOR and other methods and failed :).
So what?
Let's think outside the box.
Now I tried to send money to another account by adding a (-) sign to the amount, and the request was like below:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
And guess what happened?
It loaded balance to my account (i.e. id1925), but in the account (evilboyajay) the balance got deducted by the amount I supplied. A little tricky, but it was awesome finding this bug.
In this way, I was able to steal balance from others' accounts to mine.
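The server-side flaw behind the behaviour described above, next to a hardened version, as an added example that is not part of the original post and not the target's code. The function names, the in-memory `balances` dict, the starting balances and the two-decimal-place rule are assumptions made for illustration; only the account names are taken from the post.

```python
from decimal import Decimal, InvalidOperation

class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""

def transfer_vulnerable(balances, sender, recipient, amount):
    # Hypothetical flawed handler: the sign of `amount` is never checked,
    # so a negative value reverses the direction of the transfer.
    amount = Decimal(str(amount))
    if balances[sender] < amount:      # always passes for a negative amount
        raise TransferError("insufficient funds")
    balances[sender] -= amount
    balances[recipient] += amount

def parse_amount(raw):
    # Parse from the string form; reject non-numbers, NaN/Infinity, more
    # than two decimal places as written, zero and negative values.
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amount.is_finite() or amount.as_tuple().exponent < -2:
        raise TransferError("amount must be finite with at most 2 decimals")
    if amount <= 0:
        raise TransferError("amount must be positive")
    return amount

def transfer_hardened(balances, sender, recipient, raw_amount):
    amount = parse_amount(raw_amount)
    if sender == recipient or recipient not in balances:
        raise TransferError("invalid recipient")
    if balances[sender] < amount:
        raise TransferError("insufficient funds")
    balances[sender] -= amount
    balances[recipient] += amount

def demo():
    # Constructed sample balances for the two accounts named in the post.
    b = {"id1925": Decimal("10.00"), "evilboyajay": Decimal("500.00")}
    transfer_vulnerable(b, "id1925", "evilboyajay", "-100")
    after_vulnerable = dict(b)         # sender gained 100, recipient lost 100
    try:
        transfer_hardened(b, "id1925", "evilboyajay", "-100")
        rejected = False
    except TransferError:
        rejected = True                # hardened path refuses the request
    return after_vulnerable, rejected, b
```

In a real service the debit and credit would also run inside one database transaction, with the positive-amount rule enforced again as a column constraint so that a missed check in one handler cannot move money backwards.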