Stealing "Infinite" Money From an Auto Company
What if you could generate money (and not worry about inflation)?
That would be awesome, right? (Yes. The answer is yes.)
Here's how I was able to generate and steal "infinite money" from a car company.
Note: I found this issue during a legal, cybersecurity engagement with the car company.
This car company offered rewards points.
You earned points by spending money on their services and products.
So, buying a new vehicle or getting your vehicle fixed with them would give you points.
You could spend these points on:
Vehicle accessories (like floormats)
Tires, Tire rotations, Oil changes, Brakes & Engine repairs.
$1000's off of a new vehicle
Gift cards
Shirts, sweatshirts, backpacks, & more.
Their website at https://rewards.███.com described how it all worked.
On this website, there was a "Sign-Up" button. So I clicked it, of course.
Underneath the registration form was a note:
"1000 point reward for signing up for ███ Rewards!"
So, I signed up.
Sign-up flow:
Enter name, email, address, phone number, and password.
Click register.
Check your email and click the verification link.
Then the site awarded 1000 points to your account. You could transfer your points to another user. There were requirements to transfer points:
You must have the same address as the person you're transferring points to.
You confirm the transfer via your email.
Sign-in flow:
To sign in, the application redirected to Microsoft to log in:
https://customerlogin.███.com/█████.onmicrosoft.com/oauth2/v2.0/authorize?SNIP
Wait for the page to load. Enter username & password.
The application set a cookie called "████Rewards.AspNet.ApplicationCookie".
Then it redirected to https://rewards.███.com.
Transfer flow:
Sign-in
Go to the transfer page.
Fill in the fields to transfer your points to another member
The web application will generate a TransferID and email it to you
The user confirms the transfer by visiting the link (containing the transfer ID) in the email
So what do we know so far?
Anyone can sign up at https://rewards.███.com/
You get 1000 points for signing up
You can transfer your 1000 points to any account that has the same address on it.
Low-severity problems:
Problem #1:
Registering through the sign-up form would result in a POST request to: https://rewards.███.com/api/EN/Profile/SignUp
POST /api/EN/Profile/SignUp HTTP/1.1
Host: rewards.███.com
--- snip ---
{
"phonetype": "Home Phone",
"country": "USA",
"UsernameVerification": "",
"username": "<unique>@youremaildomain.com",
"ConfirmUsername": "<unique>@youremaildomain.com",
"password": "password123",
"ConfirmPassword": "password123",
"firstname": "<random-string>",
"lastname": "<random-string>",
"address1": "1337 Hacker Way",
"city": "Test",
"state": "CA",
"zipcode": "55555",
"number": "<random-10-digit-phone-number>",
"TermsAndConditions": true
}
Notice:
No captcha.
Also, there was no rate-limiting.
Problem #2:
After signing up, the website sent you an email to confirm your account.
This email contained a link: https://rewards.███.com/confirm/<TOKEN>
When you visited the link, it would send a POST request to: https://rewards.███.com/api/EN/Profile/Confirm?randomId=<TOKEN>
Again:
No captcha.
No rate-limiting.
Problem #3:
Well, not a problem, but you could use a headless browser to log in and out.
Problem #4:
Remember the transfer flow from earlier?
Step 4:
The web application will generate a "TransferID" and email it to you
Step 5:
The user confirms the transfer by visiting the link (containing the transfer ID) in the email
Filling out the Transfer form would result in the following HTTP request:
POST /api/EN/Rest/CreateTransfer HTTP/1.1
Host: rewards.███.com
Content-Type: application/json
---- snip ----
{
"username":"attackerMain@example.com",
"ConfirmUsername":"attackerMain@example.com",
"message":"enjoy the points",
"points":"1000"
}
In the HTTP response? The TransferID. No need to check your email for the link.
You could take the TransferID and make an HTTP request to the following URL:
https://rewards.███.com/api/EN/Rest/ConfirmTransfer?tNum=TransferID&confirmation=Approve
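To make the defect in Problem #4 concrete, here is a small in-memory model of the transfer flow. It is an added example, not the post's code and not the company's API; the class and function names, the separate random confirmation token (stored only as a hash), and the outbox list standing in for email delivery are all assumptions. The leaky variant hands back everything the confirm endpoint needs, so the email step can be skipped; the hardened variant returns only an opaque reference. Note that this closes the shortcut, not the whole chain: once an attacker controls the sender's mailbox, the sign-up and confirmation controls from Problems #1 and #2 still have to do the work.

```python
"""Model of the points-transfer flow: leaky response vs. hardened response.
Added illustration; names and token scheme are assumptions, not the site's API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    address: str
    points: int = 0


@dataclass
class Transfer:
    sender: str
    recipient: str
    points: int
    token_hash: str        # hash of the one-time confirmation token, never the token itself
    confirmed: bool = False


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class PointsLedger:
    def __init__(self):
        self.accounts = {}
        self.transfers = {}   # transfer_id -> Transfer
        self.outbox = []      # (to_email, token): stands in for the confirmation email

    def add_account(self, email, address, points=0):
        self.accounts[email] = Account(email, address, points)

    def _pending(self, sender, recipient, points):
        s, r = self.accounts[sender], self.accounts[recipient]
        if sender == recipient or s.address != r.address:
            raise ValueError("transfers need two distinct accounts on the same address")
        if not 0 < points <= s.points:
            raise ValueError("insufficient points")
        transfer_id = secrets.token_hex(8)      # opaque reference, safe to show the client
        token = secrets.token_urlsafe(32)       # the secret that authorizes confirmation
        self.transfers[transfer_id] = Transfer(sender, recipient, points, _digest(token))
        return transfer_id, token

    # Problem #4 as described in the post: the secret rides along in the response.
    def create_transfer_leaky(self, sender, recipient, points):
        transfer_id, token = self._pending(sender, recipient, points)
        return {"transferId": transfer_id, "confirmationToken": token}

    # Hardened: the response carries only the opaque id; the token goes out of band.
    def create_transfer(self, sender, recipient, points):
        transfer_id, token = self._pending(sender, recipient, points)
        self.outbox.append((sender, token))
        return {"transferId": transfer_id, "status": "pending"}

    def confirm_transfer(self, transfer_id, token) -> bool:
        t = self.transfers.get(transfer_id)
        if t is None or t.confirmed:                 # unknown id, or already used (no replay)
            return False
        if not hmac.compare_digest(t.token_hash, _digest(token)):
            return False
        t.confirmed = True
        self.accounts[t.sender].points -= t.points
        self.accounts[t.recipient].points += t.points
        return True


def demo():
    """Constructed scenario: two accounts on one address (names are placeholders)."""
    ledger = PointsLedger()
    ledger.add_account("sender@example.com", "1337 Hacker Way", 1000)
    ledger.add_account("recipient@example.com", "1337 Hacker Way", 0)

    # Leaky: the API response alone is enough to confirm.
    resp = ledger.create_transfer_leaky("sender@example.com", "recipient@example.com", 500)
    leaky_confirmed = ledger.confirm_transfer(resp["transferId"], resp["confirmationToken"])

    # Hardened: the response is useless to the confirm endpoint...
    resp = ledger.create_transfer("sender@example.com", "recipient@example.com", 500)
    from_response = ledger.confirm_transfer(resp["transferId"], resp["transferId"])
    # ...the token must come from the email (our outbox), and it works exactly once.
    _, emailed_token = ledger.outbox[-1]
    from_email = ledger.confirm_transfer(resp["transferId"], emailed_token)
    replay = ledger.confirm_transfer(resp["transferId"], emailed_token)
    return (leaky_confirmed, from_response, from_email, replay,
            ledger.accounts["recipient@example.com"].points)


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the identifier shown to the client and the secret that authorizes the action are two different values, and only the hash of the secret is stored, so neither a response body nor a database read hands out a usable confirmation.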
Where does that lead us to?
Exploitation:
The overview:
An attacker could:
Create a bunch of accounts that share the same address. Automate it by abusing Problem #1.
Verify the accounts via the links in the verification emails. Automate it with a script that listens on SMTP and abuses Problem #2.
For each of the created accounts, log in. Automate it abusing Problem #3.
Create a transfer to your main account. Automate it by abusing Problem #4.
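The overview above is also a detection recipe: a burst of new accounts on one postal address, each moving exactly its sign-up bonus to a single recipient shortly after registering. The following is an added example, not part of the original post or the company's systems, that runs that logic over constructed sign-up and transfer events; the event field names, the thresholds and the 24-hour window are assumptions, and the address and recipient values simply reuse the placeholders from the post. It normalizes case and whitespace in the address so trivial variations still cluster together, and the same structure extends to counting sign-ups per source IP.

```python
"""Detect sign-up-bonus farming in constructed event logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SIGNUP_BONUS = 1000                   # points granted at registration (from the post)
MAX_SIGNUPS_PER_ADDRESS = 3           # new accounts per address per WINDOW before alerting
MAX_BONUS_SENDERS_PER_RECIPIENT = 3   # fresh accounts funnelling their bonus to one recipient
WINDOW = timedelta(hours=24)

# Constructed sample events, not real logs. One legitimate sign-up, then five
# throwaway accounts on a shared address that all transfer 1000 points to one recipient.
SAMPLE_EVENTS = "\n".join([
    '{"ts": "2021-02-28T09:00:00", "event": "signup", "user": "attackerMain@example.com", "address1": "1337 Hacker Way", "zipcode": "55555", "ip": "198.51.100.7"}',
    '{"ts": "2021-03-01T10:00:00", "event": "signup", "user": "alice@example.com", "address1": "12 Elm St", "zipcode": "94000", "ip": "203.0.113.5"}',
    '{"ts": "2021-03-01T11:00:00", "event": "signup", "user": "t1@mail.example", "address1": "1337 Hacker Way", "zipcode": "55555", "ip": "198.51.100.7"}',
    '{"ts": "2021-03-01T11:00:07", "event": "signup", "user": "t2@mail.example", "address1": "1337 hacker way", "zipcode": "55555", "ip": "198.51.100.7"}',
    '{"ts": "2021-03-01T11:00:14", "event": "signup", "user": "t3@mail.example", "address1": "1337 Hacker  Way", "zipcode": "55555", "ip": "198.51.100.7"}',
    '{"ts": "2021-03-01T11:00:21", "event": "signup", "user": "t4@mail.example", "address1": "1337 Hacker Way", "zipcode": "55555", "ip": "198.51.100.7"}',
    '{"ts": "2021-03-01T11:00:28", "event": "signup", "user": "t5@mail.example", "address1": "1337 Hacker Way", "zipcode": "55555", "ip": "198.51.100.7"}',
    '{"ts": "2021-03-01T11:05:00", "event": "transfer", "sender": "t1@mail.example", "recipient": "attackerMain@example.com", "points": "1000"}',
    '{"ts": "2021-03-01T11:05:05", "event": "transfer", "sender": "t2@mail.example", "recipient": "attackerMain@example.com", "points": "1000"}',
    '{"ts": "2021-03-01T11:05:10", "event": "transfer", "sender": "t3@mail.example", "recipient": "attackerMain@example.com", "points": "1000"}',
    '{"ts": "2021-03-01T11:05:15", "event": "transfer", "sender": "t4@mail.example", "recipient": "attackerMain@example.com", "points": "1000"}',
    '{"ts": "2021-03-01T11:05:20", "event": "transfer", "sender": "t5@mail.example", "recipient": "attackerMain@example.com", "points": "1000"}',
])


def normalize_address(address1: str, zipcode: str) -> str:
    """Fold case and whitespace so '1337 hacker  way' clusters with '1337 Hacker Way'."""
    return " ".join(address1.lower().split()) + "|" + zipcode.strip()


def parse_events(text: str) -> list:
    """One JSON object per line; timestamps become datetimes; output is time-ordered."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return (kind, subject, triggering_user) findings in event order."""
    findings = []
    signups_by_addr = defaultdict(list)   # normalized address -> [(ts, user)]
    signup_ts = {}                        # user -> registration time
    bonus_senders = defaultdict(set)      # recipient -> fresh accounts that sent the bonus
    for e in events:
        if e["event"] == "signup":
            addr = normalize_address(e["address1"], e["zipcode"])
            signup_ts[e["user"]] = e["ts"]
            recent = [u for t, u in signups_by_addr[addr] if e["ts"] - t <= WINDOW]
            signups_by_addr[addr].append((e["ts"], e["user"]))
            if len(recent) + 1 > MAX_SIGNUPS_PER_ADDRESS:
                findings.append(("address_burst", addr, e["user"]))
        elif e["event"] == "transfer":
            created = signup_ts.get(e["sender"])
            if created is None or e["ts"] - created > WINDOW:
                continue                  # sender is not a freshly created account
            if int(e["points"]) != SIGNUP_BONUS:
                continue                  # only whole-bonus transfers count toward the funnel
            bonus_senders[e["recipient"]].add(e["sender"])
            if len(bonus_senders[e["recipient"]]) > MAX_BONUS_SENDERS_PER_RECIPIENT:
                findings.append(("bonus_funnel", e["recipient"], e["sender"]))
    return findings


def run() -> list:
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for kind, subject, user in run():
        print(f"{kind}: {subject} (triggered by {user})")
```

The first three accounts on the address pass quietly, so a household genuinely sharing points is not flagged; the alerts fire on the fourth and fifth sign-ups and on the fourth and fifth bonus transfers into the same recipient, which is the shape a fraud or SOC team would want to review before points are redeemed.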
The automation:
First, I added a DNS MX record to a domain I controlled. I pointed it to my VPS.
Here's what the zone file looked like:
vps.example.cloud. IN A 167.172.xxx.xx
hackerone.cloud. IN MX 10 vps.hackerone.cloud.
Then I wrote a tool to automate it (I'll link the Github Repo at the bottom).
The tool does the following:
Generates a random name, a random phone number, and a random email address at a domain I control.
POSTs it to /api/EN/Profile/SignUp.
Launches a mail server and listens for emails with the subject "Confirm Your Rewards Account". Then it grabs the confirmation token from the email.
Makes a POST request to /api/EN/Profile/Confirm?randomId=<confirmationToken> to confirm the account.
Logs into https://rewards.███.com via https://customerlogin.███.com using a headless Chrome browser. This grabs the cookies and exits. (I used headless Chrome because I was too lazy to automate the Microsoft OAuth process.)
With those cookies, POSTs to /api/EN/Rest/CreateTransfer to create a transfer to the account I'm boosting.
Takes the TransferID from the response to that last HTTP request, then requests /api/EN/Rest/ConfirmTransfer to confirm the transfer.
You can find the code here.
I ran it and stopped once it generated 250k points. For reference, it cost 200,000 points to get $1000 off a new car purchase.
I reported it to the company and after about 3 weeks they paid me $500.
Outro:
I hope you learned from this story! I spent a few hours trying to write this clearly.
If you enjoyed it, make sure to sign up for the newsletter and follow me on Twitter.
See you around,
Corben Leo