How I exploited a loophole in a system

Written by xittycat | Published 2016/10/11
Tech Story Tags: hacking | exploit | true-story | life-lessons | thriller

TLDRvia the TL;DR App

How I made a fortune by reviewing softwares

Intro

This is a story about one of those moments when one of your zealous friends approaches you, showing off their genius lets you in on a little secret and tells you about how they found a loophole in a system. How they managed to order a food parcel for free by getting extra cash back and discount from two different parties and hence, effectively not pay for it.

The only difference is that this exploit is on a much larger scale and this time you might be interested in exploiting it yourself. I wouldn’t be wrong if I told you that the exploit is still feasible and you too could make huge money out of it. Just that the difficulty level of the game has increased now since i’ve already completed all the easy levels. According to the data that I have, the exploit should be feasible for at least another 5 months since the time of this post.

G2 Crowd and Prepaid Code Center

A few things that you need to know before we take a plunge and start exploring the exploit.

G2 Crowd is a peer-to-peer, business softwares and services reviewing website. It gives people incentives like Amazon Gift Cards and other rewards which varies in amount from software to software, to write reviews of the softwares they use. According to the data(which is not public) that I have, on only 347 softwares out of around 20k, a review would get you $15. For the rest of the softwares, it’s either $10, $5 or nothing. Users can write as many reviews as they want but would not get paid for more than 5 validated reviews.

Fun fact: There used to be times when they paid up to $25 and god knows could be even higher before that. Such times. Much wow.

Rewards for people in the US would be amazon gift cards which can only be redeemed on Amazon.com. For people in India, it would be Visa gift cards which could be redeemed by a third party site called Prepaid Code Center(PCC), which converts any given number of such visa gift cards into a virtual master card, which could be used anywhere visa master cards are accepted.

The Interesting Part

Reviewing a Software on G2 Crowd

One fine day I got another one of those emails saying “do X get Y in return”. This time from G2 Crowd. Usually I don’t pay any attention to such emails but this one involved one SAS application which I had worked on named Prediction.io. This made me a little curious, as I read further on, the mail said because I had starred one of the Prediction.io’s GIT repositories, they got to know about me and that I could earn $15 if I review this application for them on G2 Crowd. I found the approach quite interesting so I decided to give it a shot.

While reviewing I realised that I’m supposed to login using my linkedIn account for verification. Apart from this step, there is another field where i’m supposed to attach a screenshot of me using the software but is not mandatory. So, it’s just linkedIn profile background check they do to judge user’s authenticity. Anyway, I wrote the review and submitted it. Given how slack the verification and easy the process was, I didn’t expect it to go in my favour, thinking that there had to be some hidden excruciatingly painful steps pending.

Woohoo and here comes the coupon! It did take it a week to get validated but it did come in the end, but still some part of me wasn’t fully convinced as it wasn’t an Amazon gift card but some silly Visa gift card, I had my doubts. So I went ahead, followed the process, converted it to a virtual master card with the help of PCC, browsed amazon.in, selected the most expensive guitar picks I could see, worth $15, paid by the mysterious creepy virtual card and placed the order.

“There is an issue with your payment method”, Amazon said. “Man screw this shit, knew it from the very beginning this ain’t gonna work”, I thought, closed my laptop lid and went to sleep. Just before drifting off into deep sleep, dreaming of beating every penny out of G2 for wasting my time and efforts, I got an email from Amazon saying “The order has been successfully placed”. I quickly logged into PCC to confirm that the transaction has been made. Dayum! It worked! Had a difficult time sleeping that night with my mind running in different directions, thinking about all the possibilities of exploitation and all the random things I could buy.

Beginning of the Exploit

I planned to write 4 more reviews as up to only 5 reviews a user could get paid, but the problem was as I mentioned earlier that only on 1–2% of the softwares, one could get $15. I had to be sure I picked the right ones.

I browsed the site, looked around to find that the API to fetch software details had no layer of authentication. I wrote a script which disguised itself as a browser, hid behind TOR for enabling anonymous communication and fetched all software data including the amount of reward on every software. After googling a little about these softwares, I submitted 4 more reviews and made another $60. But I didn’t stop there, I took my roommate’s linkedIn account access as well, wrote 5 more reviews and made another $75. By then I had made $150 in just 10 days. That’s the amount of money quite a few people — specially in IT firms — make in their regular full time jobs.

With this level of extreme euphoria I told 2 of my close friends, people I knew would have the patience to go through the whole process. They went through the same cycle starting from skepticism to astonishment to wanting for more. Soon we realised that even fake linkedIn profiles having 60–70 number of connections — just to make it look legit — work like a charm. All we had to do was send invitations to all our existing connections from the fake profile using our legit email ids for exporting contacts. We sure did spam everyone in our connections list but there wasn’t any way to figure out that it was coming from us. By then, we were making around $160 a week, each.

The Main Exploit

Soon, the process became quite hectic, reviewing softwares turned out to be a cumbersome task as it was extremely difficult to scale. We had to write a new review every time because of the manual moderation and writing 3–4 reviews in one sitting used to take the best of us. We had to scale. We thought of hiring interns who could write the reviews for us but that would have been difficult to manage and sooner or later they would have figured out what was happening. We needed something else.

One fine day we were discussing about this and a friend of mine suggested that only if we could automate the process of writing reviews and it struck us! What happened next changed everything. We thought what if we take the existing reviews of the softwares from G2Crowd itself, jumble their words, replace the words with their synonyms and feed them back to G2Crowd and see if they get approved. We did the POC, manually took a couple of lines from a validated review from G2Crowd itself, jumbled the words, replaced with synonyms, edited the final review a bit and submitted again to G2Crowd. Boy did it work! All the three of us went bonkers and started day dreaming about going to Bahamas, chilling, maybe writing some more reviews from there, but hey! no we didn’t have to do it anymore, all we had to do is make a software which could do that for us.

The other two being Jon Snows when it comes to coding, I alone had to automate the whole process. I’m not gonna get into the technicalities of how I did it. Curious bunch could checkout the code here. In the end what we had was a masterpiece, where all we had to do was put a name of a software and it will automatically generate its review for us by not only using the data we have on the software but also the data of other similar softwares. We could put a category and it will generate a generalised review which could be used for any of the softwares falling under the category. Boy did it make our lives easier. With the main hurdle of writing reviews aside, we were able to submit reviews more than ever and made whopping $750 in.. yes you guessed it right.. A WEEK!

The rush was amazing, it wasn’t even about the money anymore but the kick that we were getting out of it. Realising that this was something that nobody else had ever done i.e. scaling the exploit up to such an extent.

A Life Lesson

We were making a lot of money and buying a lot of crazy things. I started buying all the things that I never event wanted to buy before the exploit. Things which never existed for me. Things which I didn’t need. No matter how many of such things I had bought, I wanted to buy more. My wish-list on Amazon just simply kept growing which never even existed earlier. In my daily life activities I started perceiving things differently. For an instance, if I’m brushing my teeth, I’d think that what’s the best tooth brush ever created by humanity that money could buy. I’d quickly go to Amazon, look for one of the most expensive over priced toothbrushes which basically does the same thing as our regular $2 toothbrush, but is only 100 times more expensive. And I’d immediately buy it! Man I made it rain! Money simply lost it’s value for me. I realised that something was not right and it needed to be stopped.

I started questioning myself that why do I need these things now? I’m from a decent rich family and I’ve always had the money to buy such things, then why did I never crave for such things earlier and what changed now? And if I really want to buy these things now, why do I not simply go ahead and buy them with my own legit money? One might say that simply because it’s not hard-earned money, one wouldn’t mind spending it carelessly. It might be true but if you think about it, it’s not right. Spending extravagantly isn’t economical or smart. In the end money is money, hard or easy earned, saved or spent. So how do we decide what’s wrong what’s right.

According to me, the conclusion is that while making an investment, one should consider an E amount of efforts that could be put to get a better deal by a factor of D. After every better deal the E goes up and the D comes down, which means more efforts are required to get a better deal by a lesser factor. One should keep putting E efforts to get a better deal by a factor of D, until they reach the threshold where they think that E for D isn’t worth it. (pun unintended. or maybe not. not sure. anyway)

Now, this E and D are very subjective and vary from person to person. The more rich you become, the earlier you’ll reach the threshold which should be the ultimate goal when you make more money i.e. make life as easy and comfortable as possible. Being stingy over small petty things which don’t make any difference to you is gonna make your life only more difficult. Spending lavishly without considering the E and D formula wouldn’t be a very smart decision either. Once in a while is still justified but it shouldn’t become a habit. A proper balance is supposed to be maintained.

My point is, life is about balance. The good and the bad. The highs and the lows. The pina and the colada.

~ Ellen DeGeneres

Published by HackerNoon on 2016/10/11
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy