Open in app

Sign in

Write

Sign in

Member-only story

How I Accidentally Bypassed a Paywall and Got User Data for Free

NorthStar
2 min readMar 23, 2025

--

So, I was recently checking out a popular online platform where you can post ads and get responses from interested people. They have a paid feature where you need to upgrade to see users’ contact details. Fair enough, right?

But then I thought… What if I could see those details without paying?

How I Found the Issue

I had posted a rental listing, and some people responded. Their names were visible, but their email and phone numbers were locked behind a paywall. Some users’ details were free, but others required an upgrade.

I decided to poke around a bit using Burp Suite. When I intercepted the request my browser was sending to fetch the response data, I noticed something interesting:

  • The request had an ad ID in it.
  • There was a specific API endpoint fetching the user details.
  • Some users’ data was being shown without any extra checks.

So I thought, what happens if I tweak the request a bit?

The Simple Trick That Worked

I sent the request to Burp Suite Repeater (which lets you modify requests before sending them) and changed:

  1. The ad ID to another random valid listing.
  2. The API version to an older one that might not have strict controls.

Hit send… and BOOM 💥 — I got the email and phone number of a user I wasn’t supposed to see. For free.

Why This is a Big Deal

  • Privacy Nightmare — Personal info is exposed to anyone who knows how to tweak API requests.
  • Paywall Useless — People can access paid data without paying.
  • Potential Legal Trouble — GDPR, data protection laws, and all that scary stuff.

How This Could Be Fixed

  1. Check user permissions before returning sensitive data.
  2. Don’t rely on frontend controls to block access — validate everything on the backend.
  3. Use proper access control mechanisms like role-based access.

Final Thoughts

This was a classic IDOR (Insecure Direct Object Reference) vulnerability, where you can access things just by changing request parameters. It’s shockingly common in web apps, and companies really need to audit their security better.

--

--

NorthStar
NorthStar

Written by NorthStar

67 Followers
58 Following

Securing the World!

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech