Mohamed Anani
2 min readOct 28, 2022

--

How i was able to get free money via sending negative tokens

How i was able to get free money via sending negative tokens

Hello Awesome Hackers, I hope you all doing well!
My name is Mohamed Anani Or 0xM5awy.

In this Write-Up, we will talk about how I got free money by sending negative tokens

In the beginning, let’s explain how the website works. The site has two permission, the first is a user and the other is streamer. The site provides users to buy tokens in order to support streamers and streamers can also send tokens to anouther streamer, and this turns into money for streamers, so I tried to find a way to own tokens without buying them, and through this I will create a streamer account and send tokens for myself To infinity

I started to understand all the functions on the website until I found a function that allows the user to send private messages to streamroll. To do this, you must buy private messages for tokens. Unfortunately, I did not find any bug here. But what comes after this is the important thing :)

After I bought private messages in order to be able to message the streamer, it turned out that there are 3 functions inside the private chat

  • Send a private message to the streamer ( I didn’t find anything )
  • Upload an image or video file to the streamer ( I didn’t find anything )
  • Send token tips to the streamer (bug)

Now my eyes are shining and the first thing I think of is what will happen if I send negative tips? Like ( -5 , -10 , etc. ) so I did and the request was like.

POST /endpoint HTTP/1.1
Host: 0xM5awy.com{"message":"negative tips","tokens":-100"}

ANDDDDDDDDDDDDDD BOOOOOOOOOOOOOOOOOOOOOOOOOM WE DID IT

100 negative token have been sent to streamer and I was have 150 token before now i have 250 :DDDDDD

Attack Workflow:

  • The attacker will have two accounts, one is streamer and the other is user
  • The attacker will buy private messages to talk to his streamer account
  • The attacker will send negative tokens to his streamer account
  • The attacker will send 100 negative tokens to the streamer, but his account will be increased by 100 free coins
  • The attacker can do this more than 100 times, so he will win more than 10K dollars

Impact

The attacker can get free coins infinitely, and these coins will turn into money. Imagine how much money he will earn :)

Bug Bounty
Bug Bounty Tips
Bug Fixes
Bug Tracking
Hackerone

--

--

Mohamed Anani

Written by Mohamed Anani

850 Followers

Someone who will be one of the best Egyptians in this field

More from Mohamed Anani

Recommended from Medium

Lists

Medium Publications Accepting Story Submissions

154 stories1155 saves

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams