This is a story about one of those moments when one of your zealous friends approaches you, showing off their genius lets you in on a little secret and tells you about how they found a loophole in a system. How they managed to order a food parcel for free by getting extra cash back and discount from two different parties and hence, effectively not pay for it. The only difference is that this exploit is on a much larger scale and this time you might be interested in exploiting it yourself.
According to the data that I have, the exploit should be feasible for at least another 5 months since the time of this post. A few things that you need to know before we take a plunge and start exploring the exploit. G2 Crowd is a peer-to-peer, business softwares and services reviewing website. It gives people incentives like Amazon Gift Cards and other rewards which varies in amount from software to software, to write reviews of the softwares they use.
Users can write as many reviews as they want but would not get paid for more than 5 validated reviews. Rewards for people in the US would be amazon gift cards which can only be redeemed on Amazon. For people in India, it would be Visa gift cards which could be redeemed by a third party site called Prepaid Code Center PCC , which converts any given number of such visa gift cards into a virtual master card, which could be used anywhere visa master cards are accepted.
This time from G2 Crowd. This made me a little curious, as I read further on, the mail said because I had starred one of the Prediction. I found the approach quite interesting so I decided to give it a shot.
Anyway, I wrote the review and submitted it. Woohoo and here comes the coupon! So I went ahead, followed the process, converted it to a virtual master card with the help of PCC, browsed amazon.
I quickly logged into PCC to confirm that the transaction has been made. Had a difficult time sleeping that night with my mind running in different directions, thinking about all the possibilities of exploitation and all the random things I could buy. I had to be sure I picked the right ones. I browsed the site, looked around to find that the API to fetch software details had no layer of authentication.
I wrote a script which disguised itself as a browser, hid behind TOR for enabling anonymous communication and fetched all software data including the amount of reward on every software. With this level of extreme euphoria I told 2 of my close friends, people I knew would have the patience to go through the whole process.
They went through the same cycle starting from skepticism to astonishment to wanting for more. All we had to do was send invitations to all our existing connections from the fake profile using our legit email ids for exporting contacts.
Soon, the process became quite hectic, reviewing softwares turned out to be a cumbersome task as it was extremely difficult to scale. We had to write a new review every time because of the manual moderation and writing 3—4 reviews in one sitting used to take the best of us.
We had to scale. We thought of hiring interns who could write the reviews for us but that would have been difficult to manage and sooner or later they would have figured out what was happening. We needed something else. One fine day we were discussing about this and a friend of mine suggested that only if we could automate the process of writing reviews and it struck us!
What happened next changed everything. We thought what if we take the existing reviews of the softwares from G2Crowd itself, jumble their words, replace the words with their synonyms and feed them back to G2Crowd and see if they get approved. We did the POC, manually took a couple of lines from a validated review from G2Crowd itself, jumbled the words, replaced with synonyms, edited the final review a bit and submitted again to G2Crowd. Boy did it work!
All the three of us went bonkers and started day dreaming about going to Bahamas, chilling, maybe writing some more reviews from there, but hey! The other two being Jon Snows when it comes to coding, I alone had to automate the whole process. Curious bunch could checkout the code here. In the end what we had was a masterpiece, where all we had to do was put a name of a software and it will automatically generate its review for us by not only using the data we have on the software but also the data of other similar softwares.
We could put a category and it will generate a generalised review which could be used for any of the softwares falling under the category. Boy did it make our lives easier. Realising that this was something that nobody else had ever done i. We were making a lot of money and buying a lot of crazy things. I started buying all the things that I never event wanted to buy before the exploit.
Things which never existed for me. No matter how many of such things I had bought, I wanted to buy more. My wish-list on Amazon just simply kept growing which never even existed earlier. In my daily life activities I started perceiving things differently. Man I made it rain!
I realised that something was not right and it needed to be stopped. I started questioning myself that why do I need these things now? And if I really want to buy these things now, why do I not simply go ahead and buy them with my own legit money? In the end money is money, hard or easy earned, saved or spent. According to me, the conclusion is that while making an investment, one should consider an E amount of efforts that could be put to get a better deal by a factor of D.
After every better deal the E goes up and the D comes down, which means more efforts are required to get a better deal by a lesser factor. Now, this E and D are very subjective and vary from person to person. A proper balance is supposed to be maintained. Sign in Get started. Home American Equity Bitcoin Bubble? Hacker Noon is how hackers start their afternoons. If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories.
Never miss a story from Hacker Noon , when you sign up for Medium. Get updates Get updates.More...