Subscription price manipulation in Wt.Social

Introduction

WT:Social, also known as WikiTribune Social, is an American micro-blogging and social networking service on which users contribute to “subwikis.” It was founded in October 2019 by Wikipedia co-founder Jimmy Wales as an alternative to Facebook and Twitter. The service contains no advertisements and runs off donations. As of mid-November 2019 it claimed over 200,000 users; for more details see https://en.wikipedia.org/wiki/WT_Social.

The finding

While testing Wt.Social, I identified a feature labeled ‘subscription’ that allows users to contribute to the platform’s ongoing efforts through monthly or yearly plans (12.99$/Month and 100.00$/Year). During my examination I discovered a vulnerability: the subscription price can be manipulated to any amount, as low as $0.01, because the amount is taken from the client request rather than from the server’s own price for the chosen plan. This poses a concern for the platform’s revenue model and financial integrity, warranting remediation.

Reproduction Steps

  • Navigate to https://wt.social/myaccount.
  • Choose a subscription period (12.99$/Month or 100.00$/Year) – either option works.
  • Intercept the process using BurpSuite and click on ‘Pay by PayPal.’
  • Observe the ‘GET’ request generated, resembling the following:

    GET /api/dopaypalactions?data={"action":"pay","payment":{"id":28,"name":"Monthly_1","amount":"100.00","currency":"USD","country":"USA","email":"xxxxxxxxxxxxxxxxx@amail1.com","fname":"","lname":""}} HTTP/1.1
    Host: wt.social

  • Modify the ‘amount’ value to your desired amount, e.g., 0.01, and forward the request to the server.
  • You will be redirected to the PayPal page, where you can successfully complete the payment for the adjusted amount of 0.01$.

Notes:

It is crucial to implement server-side price verification: the server should take only the plan id from the request, look the price up in its own catalogue, and ignore (or reject and log) any client-supplied ‘amount’ that disagrees with it.
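One way to implement that check, as an added example that is not WT.Social’s own code: the handler takes only the plan id from the client’s `data` parameter, looks the price up in a server-side table, and flags any client-supplied amount that disagrees. The plan ids, names and prices in the table are assumed for illustration (the write-up only shows id 28 / "Monthly_1" and the two advertised prices).

```python
import json
from decimal import Decimal, InvalidOperation

# Server-side price catalogue keyed by plan id. Ids, names and prices are
# assumed for illustration; the real catalogue would live in the database.
PLAN_CATALOG = {
    28: {"name": "Monthly_1", "amount": Decimal("12.99"), "currency": "USD"},
    29: {"name": "Yearly_1", "amount": Decimal("100.00"), "currency": "USD"},
}


class PaymentValidationError(ValueError):
    """Raised when the client's payment request cannot be honoured."""


def build_paypal_payment(data_param: str) -> dict:
    """Parse the `data` query parameter of /api/dopaypalactions and return
    the payment the server should actually hand to PayPal.

    Only the plan id is taken from the client; amount and currency always
    come from PLAN_CATALOG, so editing 'amount' in the request has no effect.
    """
    try:
        data = json.loads(data_param)
    except json.JSONDecodeError as exc:
        raise PaymentValidationError("data is not valid JSON") from exc
    if data.get("action") != "pay":
        raise PaymentValidationError("unsupported action")
    payment = data.get("payment")
    if not isinstance(payment, dict):
        raise PaymentValidationError("missing payment object")
    plan_id = payment.get("id")
    if isinstance(plan_id, bool) or not isinstance(plan_id, int):
        raise PaymentValidationError("plan id must be an integer")
    plan = PLAN_CATALOG.get(plan_id)
    if plan is None:
        raise PaymentValidationError(f"unknown plan id {plan_id}")
    # Compare the client's amount purely to detect tampering for logging/alerting.
    try:
        mismatch = Decimal(str(payment.get("amount"))) != plan["amount"]
    except InvalidOperation:
        mismatch = True
    return {
        "id": plan_id,
        "name": plan["name"],
        "amount": f"{plan['amount']:.2f}",   # server-side price, never the client's
        "currency": plan["currency"],
        "client_amount_mismatch": mismatch,
    }
```

A mismatch should be logged with the account and request so repeated tampering attempts are visible to the operators.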

Timeline

Sarmad | 27 Nov 2019 | Initial Report
WT.Social | 30 Nov 2019 | Report Triaged
WT.Social | 09 Dec 2019 | Fixed By WT
Sarmad | 11 Dec 2019 | Fix Confirmed

POC
