A Quick Price Manipulation

On July 13, 2023, I stumbled upon a security vulnerability in the popular online travel booking platform, Redacted.com. This website is widely used for booking hotels, flights, trains, and more. I would like to share my experience in discovering and reporting this security flaw, which ultimately led to me being rewarded for my efforts.

During my exploration of Redacted.com, I decided to test the platform’s security by attempting to manipulate the prices of the services offered. My initial attempt was to change the price of a hotel room, but to my surprise, the system had robust security measures in place that prevented such manipulations.

The Exploitation:

Not to be discouraged, I continued my exploration and quickly noticed a subscription offer on the website with a price tag of 999 Rs. I decided to dig deeper. Armed with a tool called Burp Suite, I intercepted the payment request by selecting the payment option linked to my UPI ID.

With Burp Suite in action, I altered the subscription price from 999 Rs to a mere 1 Rs. To my astonishment, the system accepted this change and proceeded with the payment process. Within moments, I received a payment notification on my Google Pay account, prompting me to pay just 1 Rs. Without hesitation, I completed the transaction.

Once the payment was made, I received a confirmation email indicating that I had successfully subscribed to the service at the modified price. Realizing the gravity of this security vulnerability, I acted promptly.

On the same day, July 13, 2023, I reported the vulnerability to Redacted.com’s security team, providing them with a detailed account of the issue I had uncovered.

Response and Recognition:

Redacted.com took my report seriously and responded to me on August 21, 2023, acknowledging the validity of my submission. They stated that they were in discussions with their internal team to address the security flaw and promised to keep me informed.

Later, on October 9, 2023, I received another email from Redacted.com, which brought fantastic news. They expressed their delight in awarding me a bounty of Good Digit for my exceptional contribution to improving their platform’s security.

This recognition highlighted the value of my dedication and hard work in identifying and reporting the security vulnerability.

Conclusion:

My experience with Redacted.com serves as a reminder of the importance of responsible disclosure of security vulnerabilities. By reporting this price manipulation vulnerability, I not only helped enhance the security of a widely-used online platform but also received recognition and a bounty for my efforts. This experience underscores the significance of ethical hacking and responsible reporting in making the internet a safer place for all users.

Instagram: https://www.instagram.com/rootx_narayanan/
Twitter: https://twitter.com/itsnarayananm