How I accessed Paid functionality in Dating Application
As usual, I was looking for responsible disclosure programs on Google and came across a project: a dating application with iOS and Android apps in scope. I started with the Android application, installed it and started using it. It was from another country and was organised by city; I could just select one city to get profiles from that city.
For a better understanding, I extracted the source code (.java) of the application and reviewed it with the following steps:
- Rename the .apk to .zip and extract all files inside it
- Convert the .dex file to .jar with the help of d2j-dex2jar
- Deobfuscate the code, as it was obfuscated
- Extract the source code with the help of jd-gui from the deobfuscated jar
I found a function named likeCount(), which was sending a request to a URL and extracting a number from the request; this number was later used when I liked any profile.
I started to search for this request in my Burp Suite history and found only a single request, where the number for me was 30.
Request
POST /api/v1/count HTTP/1.1
Host: likes.example.com
HEADERS-HERE
COOKIES
Response
HTTP/1.1 200
{"count":"30"}
Initially I didn't understand what this was, but when I checked the application documentation and website, I saw that in the free version I can like 30 profiles a day, while in a paid account it is unlimited.
After this I sent many requests from the app but could not find the request I had got previously. I remembered that previously I had got only one request, so maybe it is calculated on app startup.
I closed the app and restarted it, and got the request in my proxy, so I manipulated the response and changed the number to 100; after that I was able to like 100 profiles.
As I was curious, I searched the source code for the like function, which is executed when I like a profile; at the end of the like function they decrement the value of likeCount by 1.
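The root cause here is that the daily quota lived on the phone: the app took the number from /api/v1/count and decremented it itself, so whoever controls the response controls the quota. The following is an added example, not code from the app or its vendor: a constructed Python model of that client-side flow next to a server-side design where the client's idea of its count is never an input (names such as VulnerableClient, LikeServer and the per-day key are assumptions for the illustration).

```python
# Added example, not the app's code: a constructed model of the quota flow from the
# writeup (client-side counter) beside a server-side design that does not trust it.
FREE_DAILY_LIKES = 30  # the limit the documentation advertised for free accounts

class VulnerableClient:
    """Mirrors the decompiled flow: likeCount() takes whatever /api/v1/count
    returns and like() decrements that number locally, so a proxy rewriting
    the response to {"count":"100"} grants 100 likes."""

    def __init__(self, count_response: dict):
        self.remaining = int(count_response["count"])  # attacker-controlled

    def like(self, profile_id: str) -> bool:
        if self.remaining <= 0:
            return False
        self.remaining -= 1  # only the phone knows the new value
        return True

class LikeServer:
    """Hardened design: the server owns a per-user, per-day counter and decides
    every like itself; /api/v1/count becomes purely informational."""

    def __init__(self, premium=()):
        self.premium = set(premium)
        self._used = {}  # (user, day) -> likes already spent

    def remaining(self, user: str, day: str) -> int:
        if user in self.premium:
            return -1  # -1 signals unlimited
        return FREE_DAILY_LIKES - self._used.get((user, day), 0)

    def count(self, user: str, day: str) -> dict:
        return {"count": str(self.remaining(user, day))}  # display only

    def like(self, user: str, profile_id: str, day: str) -> bool:
        # The client's idea of its own count is never an input here.
        if user not in self.premium and self.remaining(user, day) <= 0:
            return False
        self._used[(user, day)] = self._used.get((user, day), 0) + 1
        return True

def replay_tampered_session(server: LikeServer, user: str, day: str) -> tuple:
    """Replay the writeup's scenario against both designs: the count response
    is rewritten to 100 and 100 likes are attempted."""
    client = VulnerableClient({"count": "100"})
    client_ok = sum(client.like(f"p{i}") for i in range(100))
    server_ok = sum(server.like(user, f"p{i}", day) for i in range(100))
    return client_ok, server_ok  # (100, 30) for a free user
```

The same server-side check also needs to live behind the like endpoint itself, not only behind the count endpoint, otherwise a client can skip the count call entirely.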
I reported this to the application security team; it was patched in one day and a fix was issued. As the company does not offer bounties outside of that country and also does not allow disclosure, I didn't get any bounty or HoF, which I knew beforehand; I just did it for learning purposes.
I am unsure whether I should write a blog on the source code extraction part; if you want me to, please ping me on my Twitter or LinkedIn account.