This blog post describes how I bypassed subscription plans and got access to paid services for free.
Hope you're all doing well. I haven't published a post in a while, so I decided to share one of my new findings: how I was able to bypass subscription plans and a paywall to use paid services for free.
The bug is really simple to exploit, but it took a while to figure out and make it happen. Basically, I was looking for a way to use the service for free. The application had multiple subscription plans and used Stripe for payments. I'll try to keep it as simple as possible.
The target application is an entertainment platform with both free and paid videos; users have to buy a subscription before they can continue watching the paid content.
The application only allowed users to sign up with a mobile number from one specific country. Users could also sign up or sign in with social media accounts, but those still required phone verification.
So the real challenge was that I didn't have an account on the platform: I didn't have a mobile number from that country, and signing up through social media wasn't a way around it, because the mobile number still had to be verified.
When you sign up with a mobile number you have to verify it with a 6-digit code sent to that number. Building the exploit starts here: we need a verification code to verify and get into the newly created account.
Entering a random number with a random 6-digit code and clicking Verify sends a request like the one below. The mobile number verification can be bypassed by manipulating the response code of the verify request; see the example below.
With that done, we no longer need a phone verification code and can move on to the next request in the sequence, shown below. Without bypassing this OTP verification we couldn't have gotten far in testing.
In the above request you can see that the verification code is no longer needed, so we can use any number to create an account, and even add an email address to the account, which was interesting, since there was no option to sign up with just an email address or to add an email address to an existing account.
Anyways after logging in to your new account you’re greeted with a popup,
I tried bypassing the subscription plans to watch content for free, but since Stripe was the payment gateway, bypassing the payment itself was hard, so the only option left was to go after the platform's own API and somehow activate a subscription on my account.
I played around with and scraped the API endpoints to learn more about the subscription plans, and found an endpoint that gave me all the information I needed about how plans are represented in the API.
After spending enough time with the API to understand the subscription plan data, I tried adding a subscription to my existing account. That wasn't possible: the payment gateway stood in the way, and the edit/account-update request had no field for a subscription. But if you look carefully, the signup request had one such field, "cunsumerSubscription": null, which was interesting. So I decided to create a new account and fill that field with the package information taken from the package info API response. The new signup request would look something like this:
Sending the above request carefully, we can create an account that bypasses the paywall, i.e. a new account with a subscription already attached to it. The fun part was that we could also extend the duration of the subscription by modifying the values of "durationDays", "subscriptionStartDateTime" and "subscriptionEndDateTime".
So we not only bypass the subscription check but can also create an account with an unlimited subscription.
That's all: that's how I bypassed the paywall and hacked the subscription packages. It's always worth looking into things that seem pointless. Hope you learned something new from this post. Some key takeaways for hackers and developers:
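To make the two weaknesses concrete, here is an added example (my own illustration, not code from the post or from the target platform) modelling both the OTP bypass described above and the signup mass-assignment of "cunsumerSubscription". The field names cunsumerSubscription, durationDays, subscriptionStartDateTime and subscriptionEndDateTime are taken from the post; the function names, the in-memory store, the OTP handling and the "name"/"phone" fields are assumptions for illustration. The vulnerable handler copies the request body straight into the account and never consults server-side verification state, which is why a manipulated verify response and a client-supplied subscription both work; the hardened handler gates on a server-side verified flag and allow-lists the fields a client may set.

```python
"""Added example, not the target's code: a minimal in-memory model of the
two weaknesses the post describes (client-trusted OTP state and
mass-assignment of subscription fields on signup).  Field names
cunsumerSubscription, durationDays, subscriptionStartDateTime and
subscriptionEndDateTime come from the post; everything else is assumed."""
import hashlib
import hmac
import secrets
import time
from datetime import datetime, timedelta, timezone

OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5

# Server-side OTP state keyed by phone number.  The client never sees it,
# so editing the verify response in a proxy cannot flip "verified" to True.
_otp_state = {}


def request_otp(phone):
    """Issue a 6-digit code and store its hash, expiry and attempt counter.
    The code is returned only so this demo can feed it back in; a real
    service sends it by SMS and never puts it in the API response."""
    code = f"{secrets.randbelow(10**6):06d}"
    _otp_state[phone] = {
        "hash": hashlib.sha256(code.encode()).digest(),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
        "verified": False,
    }
    return code


def verify_otp(phone, code):
    """Mark the phone verified server-side only if the code matches, the
    code is unexpired, and the attempt budget is not exhausted."""
    state = _otp_state.get(phone)
    if state is None or time.time() > state["expires"]:
        return False
    if state["attempts"] >= OTP_MAX_ATTEMPTS:
        return False
    state["attempts"] += 1
    digest = hashlib.sha256(code.encode()).digest()
    if hmac.compare_digest(digest, state["hash"]):
        state["verified"] = True
        return True
    return False


def signup_vulnerable(body):
    """The pattern the post exploits: the whole JSON body becomes the account
    record.  Nothing checks OTP state on the server, so a client that merely
    saw a 'successful' verify response proceeds, and any field it adds,
    including cunsumerSubscription with its own dates, is stored as sent."""
    account = dict(body)
    account.setdefault("cunsumerSubscription", None)
    return 201, account


ALLOWED_SIGNUP_FIELDS = {"phone", "name"}  # assumed client-settable fields


def signup_hardened(body):
    """Gate on the server-side verified flag and allow-list the fields the
    client may set.  Subscription state is never taken from the request."""
    phone = body.get("phone")
    state = _otp_state.get(phone)
    if state is None or not state["verified"]:
        return 403, {"error": "phone number not verified"}
    account = {k: body[k] for k in ALLOWED_SIGNUP_FIELDS if k in body}
    account["cunsumerSubscription"] = None
    _otp_state.pop(phone)  # one verification is good for exactly one signup
    return 201, account


def activate_subscription(account, plan_id, duration_days, now=None):
    """The only code path that writes subscription fields, meant to be called
    from the payment provider's webhook after a verified payment event.
    Duration and dates are computed here, never accepted from the client."""
    now = now or datetime.now(timezone.utc)
    end = now + timedelta(days=duration_days)
    account["cunsumerSubscription"] = {
        "planId": plan_id,
        "durationDays": duration_days,
        "subscriptionStartDateTime": now.isoformat(),
        "subscriptionEndDateTime": end.isoformat(),
    }
    return account


if __name__ == "__main__":
    # Constructed attacker body in the spirit of the post's modified signup.
    attacker_body = {"phone": "+10000000000",
                     "cunsumerSubscription": {"durationDays": 36500}}
    print(signup_vulnerable(attacker_body))   # subscription stored as sent
    print(signup_hardened(attacker_body))     # 403, phone not verified
```

The hardened path fixes both takeaways at once: the signup handler only trusts a verified flag it set itself after a correct, unexpired, rate-limited OTP, and the subscription object can only be written by activate_subscription, which the client has no way to call with its own dates.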
- Look at the target from every angle
- Try to find API endpoints that can give you Information
- Learn to build a request without API documentation
- Never get discouraged by errors 😉
- Don't expose critical information via the API, such as secrets or subscription information
- Don't let customers update information via API requests that they have no business setting (a subscription field in a signup request, for example)
- Properly validate OTPs on the server side
“Sometimes, HACKING is Just someone spending more time on something than anyone else might reasonably expect”