Oct 28, 2022
How i was able to get free money via sending negative tokens
How i was able to get free money via sending negative tokens
Hello Awesome Hackers, I hope you all doing well!
My name is Mohamed Anani Or 0xM5awy.
In this Write-Up, we will talk about how I got free money by sending negative tokens
In the beginning, let’s explain how the website works. The site has two permission, the first is a user and the other is streamer. The site provides users to buy tokens in order to support streamers and streamers can also send tokens to anouther streamer, and this turns into money for streamers, so I tried to find a way to own tokens without buying them, and through this I will create a streamer account and send tokens for myself To infinity
I started to understand all the functions on the website until I found a function that allows the user to send private messages to streamroll. To do this, you must buy private messages for tokens. Unfortunately, I did not find any bug here. But what comes after this is the important thing :)
After I bought private messages in order to be able to message the streamer, it turned out that there are 3 functions inside the private chat
- Send a private message to the streamer ( I didn’t find anything )
- Upload an image or video file to the streamer ( I didn’t find anything )
- Send token tips to the streamer (bug)
Now my eyes are shining and the first thing I think of is what will happen if I send negative tips? Like ( -5 , -10 , etc. ) so I did and the request was like.
POST /endpoint HTTP/1.1
Host: 0xM5awy.com{"message":"negative tips","tokens":-100"}
ANDDDDDDDDDDDDDD BOOOOOOOOOOOOOOOOOOOOOOOOOM WE DID IT
100 negative token have been sent to streamer and I was have 150 token before now i have 250 :DDDDDD
Attack Workflow:
- The attacker will have two accounts, one is streamer and the other is user
- The attacker will buy private messages to talk to his streamer account
- The attacker will send negative tokens to his streamer account
- The attacker will send 100 negative tokens to the streamer, but his account will be increased by 100 free coins
- The attacker can do this more than 100 times, so he will win more than 10K dollars
Impact
The attacker can get free coins infinitely, and these coins will turn into money. Imagine how much money he will earn :)
