
{ title: "Unlimited Money Glitch - My First Bug", date: "2025-Jan-13" }

This is the story of the first bug that I found, and lucky me, I also got rewarded for it. It was February 2024, and I had recently started developing a keen interest in web security and had read some writeups by other researchers who hunted on Facebook/Meta.

I had recently learned how to use Burp Suite watching a video of Saugat Pokharel and wanted to find my first bug.

I don't know how stupid it sounds, but I didn't have the slightest idea that someone could get in trouble just for testing a website without permission. I thought that as long as I let the developers know about the issue and didn't abuse it, I wouldn't get in trouble, so I started testing on random websites and didn't care whether they had a bug bounty program or not.

After just a few days of tinkering and testing, I found my first bug. The feeling of making a product do something it’s not supposed to—or at least something the developers didn’t anticipate—was incredibly satisfying to say the least.

Here's the technical breakdown of the bug. The bug was present in a food delivery platform that issued some cashback on completed orders. The cashback was stored in the platform's internal wallet and could then be used on another order to get a discount. Although the cashback couldn't be withdrawn, it could be transferred to another user on the same platform. The bug was present in this exact feature. Let's understand it with an example:

User A had $5.32 in their account, while User B had $0.00. User A could transfer any amount of their choice to User B's account, with the same amount being deducted from User A's account. I started thinking about what I could do here, and an idea struck my mind.

The form for entering the transfer amount only accepted 4 digits with a decimal point (e.g., XX.XX). Any more digits simply couldn't be entered because of a client-side JavaScript restriction. That's when Burp Suite came in handy.

I captured the request for transferring $0.01 from User A to User B using Burp Suite and sent it to Repeater. When I sent the request, $0.01 was deducted from User A's account, as expected. My idea all along was to see what would happen if I added extra zeros. So, I modified the request in Repeater to send $0.001 (with an extra zero) and resent it.

The response came back with a "Transfer Successful" message, but User A's balance remained the same. Curious, I kept resending the modified request repeatedly. After a while, I noticed User B's wallet balance increasing, while User A's balance stayed unchanged.

The impact was pretty darn good—this allowed someone to transfer an unlimited balance (which they didn't actually possess) to another account. This could easily be automated using Burp Suite's Intruder feature, enabling a user to create unlimited money in their wallet. They could then use it to order food for free or, better, to avoid suspicion from the company, just keep getting discounts on every order by applying only part of the wallet money to each order.
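The behaviour described above is what you get when the debit and the credit side of a transfer round differently. The following is an added illustration, not the platform's code, and the exact cause is an assumption (the post only reports what was observed): the hypothetical vulnerable transfer rounds the sender's debit to whole cents, so $0.001 becomes $0.00, while the receiver is credited the raw amount; the hardened version validates the amount server-side as a positive whole number of cents and applies that same value to both wallets.

```python
from decimal import Decimal, ROUND_HALF_UP, InvalidOperation

CENT = Decimal("0.01")


class Wallet:
    """Constructed in-memory wallet; balance held as Decimal dollars."""
    def __init__(self, balance):
        self.balance = Decimal(balance)


def transfer_vulnerable(sender, receiver, amount_str):
    """Hypothetical reconstruction of the flaw: the debit is rounded to cents
    (0.001 -> 0.00) while the credit uses the raw, un-rounded amount, so
    repeated sub-cent transfers create balance out of nothing."""
    amount = Decimal(amount_str)
    debit = amount.quantize(CENT, rounding=ROUND_HALF_UP)
    if sender.balance < debit:
        return False
    sender.balance -= debit
    receiver.balance += amount  # raw value, not what was debited
    return True


class TransferError(ValueError):
    pass


def parse_cents(amount_str):
    """Accept only a finite, positive amount with at most two decimals;
    return it as an integer number of cents (the unit the ledger uses)."""
    try:
        amount = Decimal(amount_str)
    except InvalidOperation:
        raise TransferError("not a number")
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be positive")
    if amount != amount.quantize(CENT):  # rejects 0.001, 1.005, ...
        raise TransferError("at most two decimal places")
    return int(amount * 100)


def transfer_fixed(sender, receiver, amount_str):
    """Server-side validation; debit and credit are the same cent value."""
    cents = parse_cents(amount_str)
    if sender.balance * 100 < cents:
        raise TransferError("insufficient balance")
    delta = Decimal(cents) / 100
    sender.balance -= delta
    receiver.balance += delta
    return cents
```

Rejecting the request outright (rather than silently rounding it) is what removes the mismatch; the client-side digit limit on the form never reached the server.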

I'd like to say here that you should never test on a site that you don't have permission to test on. As a stupid beginner, I didn't know this at the time, but as my intention was always just to report if I found something, I immediately sent a detailed report explaining everything, along with a video PoC (Proof of Concept), to the company's email. They were quick to respond and said that their team was looking into it. I asked for an update after a few days, and they said the bug was fixed and asked me to test again; I tested, and the bug was indeed fixed. After I shared the retest status, they asked for my details to receive payment and sent a good enough amount. As it was my first bug and also my first bounty, I couldn't have been happier.

I think I was incredibly lucky to get a bounty so quickly, with just a few days of testing after learning how to use Burp Suite. This was a massive push for me to dive deeper into the bug bounty space. Since then, I've found over 20 vulnerabilities across various websites and mobile apps. These have earned me multiple minor bounties, along with two four-digit bounties ($XXXX) and two three-digit bounties ($XXX) as of writing this report. I'll also try to publish writeups of those issues, but I can't right now, as some of them still haven't been fixed.

Thanks for reading, have a good one!