Stealing money from one account to another account

While my recon on one of the bug bounty website, i found a subdomain which consists of sensitive information as well as others too but here i am going to share the most interesting bug i found when further testing.

While i was digging and digging i found a end point to send the money from one account to another account. I was not going to test :P, trying to send money from one account to another account. I thought it will be impossible but still let’s give a damn try and tried idor and other methods and failed :) .

So what ?

Let’s think out of the box

Now i tried to send money to another account by adding (-) sign in the amount and the request was like below



Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 96
content-type: application/json
Request Body

“addressTo”: “evilboyajay”,
“amount”: “-100”,
“userFromId”: 1925

And guess what happen?

It loaded balance to my account(i.e id1925) but in account (evilboyajay) balance got deducted with the amount i supplied. Little, tricky but it was awesome finding this bug.

In this way, i was able to steal balance from other’s account to mine.

Head of Security at NASSec

Head of Security at NASSec