InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


A Quick Price Manipulation

On July 13, 2023, I stumbled upon a security vulnerability in the popular online travel booking platform, Redacted.com. This website is widely used for booking hotels, flights, trains, and more. I would like to share my experience in discovering and reporting this security flaw, which ultimately led to me being rewarded for my efforts.

During my exploration of Redacted.com, I decided to test the platform’s security by attempting to manipulate the prices of the services offered. My initial attempt was to change the price of a hotel room, but to my surprise, the system had robust security measures in place that prevented such manipulations.

The Exploitation:

Not to be discouraged, I continued my exploration and quickly noticed a subscription offer on the website with a price tag of 999 Rs. I decided to dig deeper. Armed with a tool called Burp Suite, I intercepted the payment request by selecting the payment option linked to my UPI ID.

With Burp Suite in action, I altered the subscription price from 999 Rs to a mere 1 Rs. To my astonishment, the system accepted this change and proceeded with the payment process. Within moments, I received a payment notification on my Google Pay account, prompting me to pay just 1 Rs. Without hesitation, I completed the transaction.

Once the payment was made, I received a confirmation email indicating that I had successfully subscribed to the service at the modified price. Realizing the gravity of this security vulnerability, I acted promptly.
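The flaw described above is that the checkout endpoint accepted whatever amount the client sent. The following is an added example, not code from the original post or from Redacted.com, showing a minimal checkout handler that trusts the client-supplied price beside two hardened variants: one that derives the charge from a server-side price list, and one that carries a server-signed quote through the flow for cases where the price is computed dynamically (as hotel and flight prices usually are). The plan names, amounts, request shape and function names are all constructed for illustration; the 999 Rs figure mirrors the subscription price in the write-up.

```python
"""Constructed example: client-trusted price vs. server-authoritative price."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side price list in minor units (paise).
CATALOGUE = {"annual-subscription": 99900, "hotel-room-std": 450000}

# Constructed signing key; a real deployment would load a managed secret.
QUOTE_KEY = secrets.token_bytes(32)


class PriceTamperingError(ValueError):
    """Raised when the client's amount disagrees with the server's price."""


@dataclass
class PaymentRequest:
    plan_id: str
    amount_paise: int


def vulnerable_checkout(body: dict) -> PaymentRequest:
    """Vulnerable: the amount is read straight from the request body, so a
    proxy-edited request with amount=100 yields a 1 Rs payment request."""
    return PaymentRequest(body["plan_id"], int(body["amount"]))


def hardened_checkout(body: dict, audit_log: list) -> PaymentRequest:
    """Hardened: the charge comes only from CATALOGUE. If the client echoes
    an amount, any mismatch is logged (a cheap tampering signal) and rejected."""
    plan_id = body["plan_id"]
    if plan_id not in CATALOGUE:
        raise KeyError(f"unknown plan {plan_id!r}")
    expected = CATALOGUE[plan_id]
    if "amount" in body and int(body["amount"]) != expected:
        audit_log.append(
            f"price mismatch plan={plan_id} client={body['amount']} expected={expected}"
        )
        raise PriceTamperingError("client amount does not match catalogue price")
    return PaymentRequest(plan_id, expected)


def issue_quote(plan_id: str, amount_paise: int) -> str:
    """For dynamically priced items: the server signs the price it computed and
    the client carries this token instead of a bare, editable amount."""
    payload = f"{plan_id}:{amount_paise}"
    sig = hmac.new(QUOTE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def redeem_quote(token: str) -> PaymentRequest:
    """Verify the quote's HMAC before charging; any edit to the amount breaks it."""
    plan_id, amount, sig = token.rsplit(":", 2)  # plan_id itself may contain ':'
    payload = f"{plan_id}:{amount}"
    expected_sig = hmac.new(QUOTE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        raise PriceTamperingError("quote signature invalid")
    return PaymentRequest(plan_id, int(amount))


def is_rejected(func, *args) -> bool:
    """Helper: True if the handler refuses the request with PriceTamperingError."""
    try:
        func(*args)
    except PriceTamperingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request, as it would look after editing 999 Rs down to 1 Rs.
    tampered = {"plan_id": "annual-subscription", "amount": 100}
    print("vulnerable charges:", vulnerable_checkout(tampered).amount_paise, "paise")
    log = []
    print("hardened rejects:", is_rejected(hardened_checkout, tampered, log), log)
    quote = issue_quote("hotel-room-std", 450000)
    print("forged quote rejected:", is_rejected(redeem_quote, quote.replace(":450000:", ":100:")))
```

The design point is that the client never becomes the source of truth for money: either the server looks the price up at charge time, or it verifies a value it signed itself. The mismatch log line in `hardened_checkout` is worth keeping in production, since a client that submits a different amount than it was shown is a strong indicator of exactly the proxy-based tampering in this write-up.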

On the same day, July 13, 2023, I reported the vulnerability to Redacted.com’s security team, providing them with a detailed account of the issue I had uncovered.

Response and Recognition:

Redacted.com took my report seriously and responded to me on August 21, 2023, acknowledging the validity of my submission. They stated that they were in discussions with their internal team to address the security flaw and promised to keep me informed.

Later, on October 9, 2023, I received another email from Redacted.com, which brought fantastic news. They expressed their delight in awarding me a bounty of Good Digit for my exceptional contribution to improving their platform’s security.

This recognition highlighted the value of my dedication and hard work in identifying and reporting the security vulnerability.

Conclusion:

My experience with Redacted.com serves as a reminder of the importance of responsible disclosure of security vulnerabilities. By reporting this price manipulation vulnerability, I not only helped enhance the security of a widely-used online platform but also received recognition and a bounty for my efforts. This experience underscores the significance of ethical hacking and responsible reporting in making the internet a safer place for all users.

Instagram: https://www.instagram.com/rootx_narayanan/
Twitter: https://twitter.com/itsnarayananm


Published in InfoSec Write-ups


Responses (1)


Thanks for sharing. For future write ups, I would appreciate more details, screenshots, more info, honestly this could be a made up story.
