Delete Account Functionality Helped Me Earn $250
Konichiwa hackers, I am back with a new bug bounty write-up. This will be a very short write-up, but an interesting one. In this blog, I am going to show a logical bug that lets a user abuse the delete-account functionality to avoid cancellation charges. The company has a public bug bounty program on HackerOne. I will be using redacted.com as the main domain.
The company is a technology platform through which customers book different types of services.
When you make a COD booking on the platform and cancel it less than 3 hours before the booking time, a cancellation charge of INR 200 is applied to your next booking. But there is a way to bypass this charge and avoid paying INR 200 for canceled bookings.
The application has a feature that lets you delete your account.
I made 3 COD bookings for the next day and canceled them when only 2 hours remained before the booking time. When I tried to create a new booking, INR 600 was added to the booking amount as cancellation charges, and the new booking had to be pre-paid. After that, I deleted my account and noticed that all my previous bookings were permanently removed. I also noticed that I was assigned a new user ID. After this, I was able to make a new COD booking on the platform…
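To make the root cause concrete, here is a small Python model added for this write-up. It is not the platform's code, and everything in it (the `BookingService` class, the `penalty_ledger`, the placeholder phone number) is an assumption about how such a system could be built. The vulnerable variant stores the pending charge on the account record, so deleting the account wipes the debt along with the bookings. The hardened variant records the penalty in a ledger keyed by a verified identity that survives account deletion, and carries it over when the same identity registers again.

```python
"""Model of the cancellation-charge logic described in the write-up.

Assumptions (not from the original post): the platform keeps a per-account
count of pending cancellation charges, and account deletion wipes the whole
account record. The hardened variant also keeps the penalty in a ledger keyed
by a stable, verified identity (here a phone number), so it survives account
deletion and re-registration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CANCELLATION_WINDOW = timedelta(hours=3)   # cancelling closer than this is charged
CANCELLATION_FEE = 200                     # INR, as stated in the write-up


@dataclass
class Booking:
    booking_id: int
    user_id: int
    start: datetime
    cod: bool
    cancelled: bool = False


@dataclass
class Account:
    user_id: int
    phone: str
    bookings: list = field(default_factory=list)
    pending_charges: int = 0   # vulnerable design: the charge lives only here


class BookingService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self._next_user = 1
        self._next_booking = 1
        self.accounts: dict[int, Account] = {}
        # Hardened design: penalties keyed by verified identity, never deleted
        self.penalty_ledger: dict[str, int] = {}

    def register(self, phone: str) -> int:
        uid = self._next_user
        self._next_user += 1
        acct = Account(user_id=uid, phone=phone)
        if self.hardened:
            # carry over any unpaid penalty recorded against this identity
            acct.pending_charges = self.penalty_ledger.get(phone, 0)
        self.accounts[uid] = acct
        return uid

    def book(self, uid: int, start: datetime, cod: bool) -> Booking:
        acct = self.accounts[uid]
        if acct.pending_charges and cod:
            # outstanding charges must be settled first: the booking has to be prepaid
            raise PermissionError(
                f"INR {acct.pending_charges} outstanding; COD not allowed")
        booking = Booking(self._next_booking, uid, start, cod)
        self._next_booking += 1
        acct.bookings.append(booking)
        return booking

    def cancel(self, uid: int, booking: Booking, now: datetime) -> None:
        acct = self.accounts[uid]
        booking.cancelled = True
        if booking.start - now < CANCELLATION_WINDOW:
            acct.pending_charges += CANCELLATION_FEE
            if self.hardened:
                self.penalty_ledger[acct.phone] = (
                    self.penalty_ledger.get(acct.phone, 0) + CANCELLATION_FEE)

    def delete_account(self, uid: int) -> None:
        # Both variants erase the account record; only the hardened one keeps
        # the debt, because it was also written to the identity-keyed ledger.
        del self.accounts[uid]


def replay_scenario(hardened: bool) -> tuple[int, bool]:
    """Replay the write-up's steps: three COD bookings, cancelled with two
    hours left, account deleted, same person registers again. Returns the
    charges the new account owes and whether a COD booking is still allowed."""
    svc = BookingService(hardened)
    now = datetime(2024, 1, 1, 10, 0)
    phone = "+91-0000000000"   # constructed placeholder, not a real number
    uid = svc.register(phone)
    tomorrow = now + timedelta(days=1)
    bookings = [svc.book(uid, tomorrow, cod=True) for _ in range(3)]
    for b in bookings:   # 2 hours left: inside the 3-hour window
        svc.cancel(uid, b, now=tomorrow - timedelta(hours=2))
    svc.delete_account(uid)
    new_uid = svc.register(phone)
    try:
        svc.book(new_uid, tomorrow + timedelta(days=1), cod=True)
        cod_allowed = True
    except PermissionError:
        cod_allowed = False
    return svc.accounts[new_uid].pending_charges, cod_allowed


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(False))   # (0, True)
    print("hardened:  ", replay_scenario(True))    # (600, False)
```

The design point is that penalties are a property of the person, not of the account row: tying them to an identifier the user cannot reset by deleting and re-creating the account (a verified phone number here, or a hash of it if the platform must minimise retained personal data) closes the gap, and the same ledger gives the fraud team something to alert on when a freshly registered identity already carries a balance.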