How I accessed Paid functionality in Dating Application

As usual, I was looking for some responsible disclosure programs on google and came across a project, which was a dating application and has iOS and Android application in Scope I started with the Android application, installed it and started using the application, it was from another country and was according to city, I can just select one of the city to get profiles from that city

For better understanding I extracted Source Code(.Java) of the application and started reviewing the application code with following steps

  • Rename .apk to .zip, and extract all files inside this
  • Converting the .dex file to .jar with the help of d2j-dex2jar
  • Deobfuscate code as it was obfuscated
  • Extract source code with help of jd-gui, from deobfuscated jar

I found a function named likeCount(), which was sending request to a URL and extracting a number from the request which was later used when I like any profile

I started to search for this request in burp suite history and found only a single request, where the number for me was 30

Request

POST /api/v1/count HTTP/1.1
Host: likes.example.com
HEADERS-HERE
COOKIES

Response

HTTP/1.1 200

{"count":"30"}

Intially I didn’t understood what is this, but when I was checking the application documentation and website, I saw that in a free version I can like 30 profiles a day, and in paid account it is unlimited

After this I send many request from the app but cannot find the request I got previously, I remembered that previously I got only one request, so may be it is calculated on app startup

I closed the app and restarted it and got the request in my Proxy, so I manipulated the response and changed the number to 100 and after that I was able to like 100 profiles

As I was curious so I searched for like function, which is executed when I like a profile, in the source code, at last of the like function they are deducing the value of likecount by 1

I reported this to the application security team, it was patched in 1 day and fix was issued, as the company does not offer bounties outside of that country and also does not allow disclosures too so I didn’t got any bounty or HOF that I knew previously, I just did it for learning purpose

I am confused, should I write I blog on the source code extraction part, if you want me to, please ping me on my twitter or linkedin account

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *