How I Registered Multiple Accounts in PrivateInternetAccess VPN Service for FREE

Ace Candelario
Feb 20, 2019 · 3 min read

Summary

PIA (Private Internet Access) is a personal virtual private network service. It supports multiple VPN technologies: PPTP, L2TP/IPsec, SOCKS5 and OpenVPN. PIA's service is not free, but I found a way to register multiple accounts without emptying your bank savings. You read that right: you can have it for FREE!

Here’s how

On Tuesday morning someone whispered in my ear, telling me to find a vulnerability in the PIA service. It was as if the hacker's spirit had been summoned into my body, so I took a look at their Android application. I armed myself with my hacking tools and opened Genymotion and Burp Suite right away to tamper with the endpoints of their Android application, which is available on Google Play. After two minutes of battling their application I had found nothing and got bored, but the hacking spirit kept pushing me to try again. I had to sacrifice the last penny in my savings, 362.00 PHP or USD 6.95, to get a registered account for PIA's VPN service. While monitoring all the intercepted traffic in Burp Suite, I noticed this endpoint:

POST /api/client/signup HTTP/1.1
User-Agent: privateinternetaccess.com Android Client/1.7.3.1(451)
Content-Type: application/json; charset=utf-8
Content-Length: 365
Host: www.privateinternetaccess.com
Connection: close
Accept-Encoding: gzip, deflate

{"store":"google_play","client_version":"v1.7.3.1(451)","receipt":{"order_id":"GPA.XXXX-XXXX-XXXX-XXXXX","token":"<some token>","product_id":"monthly_pia_2"},"email":"<here goes the email>","marketing":{}}

This request is responsible for creating accounts, and the HTTP response contains your username and your password. I sent it to Burp Repeater for further experimentation. I tried changing the email to another dummy email of mine, and what I noticed is that the password in the response became null.

and I was like


I had a gut feeling that there was something here. If you look closely, the order_id is a random number. What I did was increment its last digit, and guess what the response was? Insert drum roll!

my reaction :)

I successfully registered for free and received an invoice at my dummy email from PIA for the purchase of a monthly subscription. I tried another dummy email and it registered again for free, with another invoice from PIA. The subscription is just for one month. I submitted the issue to PIA's security team and they replied quickly, within the day. Two days later they issued a $1000 bounty for this finding, along with a great fix.

mind blown :D

I found this wonderful bug within 10 minutes, and my USD 6.95 turned into USD 1000 within two days. Amazing, isn't it? What I learned is that sometimes you need to spend your last money and expect it to be transformed into precious gems: a worthy bug.

Steps to Reproduce

  • Download and install PrivateInternetAccess from Google Play
  • Register and buy a subscription, then intercept the request using Burp Suite
  • You should encounter the vulnerable request I mentioned above
  • To make another account, just change the email parameter and decrement or increment the order_id, as long as it does not already exist in PIA's database.
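The behaviour described above is consistent with a signup endpoint that trusted the receipt the client sent and only refused an order_id it had already stored. The following is an added example (my code, not PIA's and not part of the original post) of the check a server should make instead: verify the purchase token with the store, accept only a recognised product in the "purchased" state, and deduplicate on the order id the store reports rather than the one in the request. FakeStore is an assumed stand-in for the real verification call (for Google Play, the Developer API's purchases.products.get), and every email, token and order id below is constructed for the demo.

```python
"""Receipt handling on a signup endpoint: the trusting version beside a
store-verified version. Added example; request shape follows the JSON body
shown in the post, everything else is constructed."""
import json
import secrets
from dataclasses import dataclass


@dataclass
class StorePurchase:
    """What the store reports for a purchase token (assumed minimal shape)."""
    order_id: str
    product_id: str
    state: str  # "purchased", "canceled" or "pending"


class FakeStore:
    """Stand-in for the store's verification API, keyed by (product, token)."""
    def __init__(self, purchases):
        self._by_token = purchases

    def lookup(self, product_id, token):
        return self._by_token.get((product_id, token))


class SignupService:
    def __init__(self, store, accepted_products=("monthly_pia_2",)):
        self.store = store
        self.accepted_products = set(accepted_products)
        self.seen_order_ids = set()
        self.accounts = {}

    def signup_insecure(self, body):
        """Trusts the client's receipt; only refuses an order_id already stored.
        Changing one digit of order_id therefore yields a fresh account."""
        req = json.loads(body)
        order_id = req["receipt"]["order_id"]
        if order_id in self.seen_order_ids:
            return {"error": "duplicate order"}
        self.seen_order_ids.add(order_id)
        return self._create(req["email"])

    def signup_secure(self, body):
        """Verifies the token with the store and dedupes on the store's order id."""
        req = json.loads(body)
        receipt = req.get("receipt") or {}
        product_id = receipt.get("product_id")
        token = receipt.get("token")
        if product_id not in self.accepted_products or not token:
            return {"error": "invalid receipt"}
        purchase = self.store.lookup(product_id, token)
        if purchase is None or purchase.state != "purchased":
            return {"error": "receipt not verified by store"}
        # The client-supplied order_id is ignored: a token can be redeemed once.
        if purchase.order_id in self.seen_order_ids:
            return {"error": "receipt already redeemed"}
        self.seen_order_ids.add(purchase.order_id)
        return self._create(req["email"])

    def _create(self, email):
        username = "p" + secrets.token_hex(4)
        password = secrets.token_urlsafe(12)
        self.accounts[username] = (email, password)
        return {"username": username, "password": password}


def make_request(email, order_id, token, product_id="monthly_pia_2"):
    """Builds a body in the shape the post shows (constructed values)."""
    return json.dumps({
        "store": "google_play",
        "client_version": "v1.7.3.1(451)",
        "receipt": {"order_id": order_id, "token": token, "product_id": product_id},
        "email": email,
        "marketing": {},
    })


def build_service():
    # One genuine purchase known to the store (constructed token and order id).
    store = FakeStore({
        ("monthly_pia_2", "tok-constructed-1"):
            StorePurchase("GPA.0000-0000-0000-00001", "monthly_pia_2", "purchased"),
    })
    return SignupService(store)


def demo():
    """Runs the same two requests through both handlers and returns the outcomes."""
    legit = make_request("buyer@example.invalid", "GPA.0000-0000-0000-00001", "tok-constructed-1")
    # Same token, new email, order_id changed by one digit (the post's observation).
    altered = make_request("other@example.invalid", "GPA.0000-0000-0000-00002", "tok-constructed-1")
    no_receipt = json.dumps({"store": "google_play", "email": "x@example.invalid", "marketing": {}})
    insecure, secure = build_service(), build_service()
    out = {}
    out["insecure_legit"] = insecure.signup_insecure(legit)
    out["insecure_altered"] = insecure.signup_insecure(altered)   # account created
    out["secure_legit"] = secure.signup_secure(legit)
    out["secure_altered"] = secure.signup_secure(altered)         # refused
    out["secure_no_receipt"] = secure.signup_secure(no_receipt)   # refused
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The secure path never stores or compares the order_id from the request; the store's answer for the token is the only source of truth, so a token can create exactly one account no matter how the receipt JSON is edited. A real deployment would also log the "already redeemed" and "not verified" outcomes, since a burst of them from one client is a useful detection signal.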

TIMELINE

02-12-2019: Report submitted

02-12-2019: Security team acknowledged my report

02-13-2019: Replied to their response in case they had further questions

02-14-2019: $1000 bounty rewarded and the issue fixed

02-16-2019: Reward received via PayPal

02-19-2019: Requested disclosure via blog

02-19-2019: Disclosure confirmed
