How I was able to take over accounts of an earning app

Hey everyone, I am writing this one down to share my methodology for a bug I found in one of the best earning apps.

Wafa Abbas❤
Oct 1, 2018 · 2 min read

With that being said, let’s start 😃

I searched the Google Play Store for “Real Money Earning apps” and picked the first result. I created an account and started earning money; after a week I had earned up to $1.08 :( so I decided to cash out and clicked the Cashout button in the app. It redirected me to my account on their web page.

While being redirected I noticed there was no session token in the request. I was like, wow :)

Now I changed mymail@ to test@ in the redirect, and the web page responded with “Please correct your Client-id and user-key”.

Now it was time to dig deeper. The app had a chat feature, so I decided to dig into it. I opened my account in Firefox, configured to proxy through Burp, and a test account on my phone, and sent a message from the test account to my account. I received a notification; intercepting the request made when clicking on the notification showed all the info related to the message, including the sender's user id and user key.

[Screenshot: Burp Repeater response]

Now I put this id & key in:

[Screenshot]

and was able to log in to the victim's account successfully... Simple.

Hope you guys like this... Thanks for reading, and sorry for my poor English :/


Reported on 27–09–2018

Patched on 28–09–2018

#Nobounty Fu****

Fix: they added session tokens, unique per user and per session.
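To make the fix concrete, here is an added example (not code from the app in this post, and not the vendor's patch) that models the two behaviours described above: a web login that trusts a static client id and user key carried in the cashout redirect, next to a hardened handoff that uses a short-lived, single-use code and a per-session token, plus a notification payload that does not carry another user's credentials. The user table, parameter names (`client_id`, `user_key`) and the handoff flow are assumptions for illustration.

```python
"""Added example: app-to-web account handoff, vulnerable vs hardened.

Hypothetical model of the bug described in the post; not the real app's code.
Names (client_id, user_key, handoff code) and the user table are assumed.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample user table. The static per-user key is exactly the
# kind of value the chat notification leaked in the post.
USERS = {
    "1001": {"email": "mymail@example.com", "user_key": "k-alice-static"},
    "1002": {"email": "test@example.com", "user_key": "k-bob-static"},
}


# --- Vulnerable: the web page trusts whatever id/key arrive in the redirect ---
def vulnerable_login(params: Dict[str, str]) -> Optional[str]:
    """Return the email of the account logged in, or None.

    Anyone who learns a victim's static user_key (for example from a chat
    notification payload) can log in as them indefinitely: there is no
    session, no expiry and no binding to the device that earned the money.
    """
    user = USERS.get(params.get("client_id", ""))
    if user and hmac.compare_digest(user["user_key"], params.get("user_key", "")):
        return user["email"]
    return None


# --- Hardened: short-lived, single-use handoff code + per-session token ---
HANDOFF_TTL = 60  # seconds the app-to-web code stays valid (assumed value)
_handoffs: Dict[str, Tuple[str, float]] = {}  # code -> (user_id, expires_at)
_sessions: Dict[str, str] = {}  # session token -> user_id


def issue_handoff_code(user_id: str, now: Optional[float] = None) -> str:
    """Called by the API the mobile app is already authenticated to.

    The code is random, short-lived and tied to one user; it never
    embeds the user's key, so leaking it later is harmless.
    """
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _handoffs[code] = (user_id, now + HANDOFF_TTL)
    return code


def redeem_handoff(code: str, now: Optional[float] = None) -> Optional[str]:
    """Web side: exchange the code exactly once for a fresh session token."""
    now = time.time() if now is None else now
    entry = _handoffs.pop(code, None)  # pop makes the code single-use
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    token = secrets.token_urlsafe(32)  # unique per user per session
    _sessions[token] = user_id
    return token


def session_user(token: str) -> Optional[str]:
    """Resolve a session token back to the logged-in account's email."""
    user_id = _sessions.get(token)
    return USERS[user_id]["email"] if user_id else None


# --- Notification payload: never ship another user's credentials to a client ---
def chat_notification(sender_id: str, text: str) -> Dict[str, str]:
    """What a chat notification should carry: display data only, no user_key."""
    return {"from_user_id": sender_id, "text": text}
```

The important properties are that the handoff code is worthless after one use or after `HANDOFF_TTL` seconds, the session token is generated server-side and never derived from the user's key, and the notification for a message from another user carries nothing that authenticates as that user.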
