[Low] Unintended Feature: Exploiting an “Invisible” Delete Function for Temporary Premium Access

Fabian Cruz
May 29, 2024

Introduction

By leveraging an accessible hidden feature on the target application, the premium services of the company could be utilized after the free trial, albeit with a small catch. To maintain confidentiality, I will use the term “target” to refer to the actual company.

Walk-through

Upon clicking the ‘edit profile’ feature in the application, a GET request is sent to retrieve the user’s profile details:

https://dashboard.target.io/users/<User-ID>

This request is then forwarded to the Burp Repeater, where the method should be switched from “GET” to “DELETE”. This was reported after a year.

Once the request is forwarded, the account is successfully deleted. The attacker can then create another account with the same email address and gain access to the premium services.

This was considered a valid attack with low severity because the ‘Delete account’ function was not visibly present in the application.
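A defensive sketch of the two server-side controls this finding points to, added here as an example and not taken from the target's code: a per-route method allow-list so that a verb the UI never offers is rejected, and a trial ledger keyed by email that outlives account deletion. The `AccountService` class, the route table, the email normalisation and the 14-day trial length are all assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta

TRIAL_DAYS = 14  # assumed trial length; the write-up does not state one

# Methods the product intentionally exposes per route (hypothetical table).
# The profile page only reads and edits, so DELETE is not listed.
ALLOWED_METHODS = {"/users/{id}": {"GET", "PUT"}}


class AccountService:
    def __init__(self):
        self.accounts = {}      # user_id -> email
        self.trial_ledger = {}  # email key -> first trial start, kept after deletion
        self._next_id = 1

    @staticmethod
    def _email_key(email):
        # Normalise so " User@Example.com" and "user@example.com" share one trial.
        return hashlib.sha256(email.strip().lower().encode()).hexdigest()

    def handle(self, method, route, user_id):
        """Return the HTTP status the router would send for this request."""
        if method not in ALLOWED_METHODS.get(route, set()):
            return 405  # verb not exposed by the product: reject before any handler
        return 200 if user_id in self.accounts else 404

    def register(self, email, today):
        # setdefault keeps the original start date if the email had a trial before.
        start = self.trial_ledger.setdefault(self._email_key(email), today)
        user_id, self._next_id = self._next_id, self._next_id + 1
        self.accounts[user_id] = email
        return user_id, start + timedelta(days=TRIAL_DAYS)

    def delete_account(self, user_id):
        # Deliberate deletion path; the ledger entry is intentionally left in place.
        self.accounts.pop(user_id, None)


if __name__ == "__main__":
    svc = AccountService()
    uid, ends = svc.register("user@example.com", date(2023, 1, 1))  # constructed input
    print(svc.handle("DELETE", "/users/{id}", uid), ends)
```

With these checks, re-registering the same address after a deletion returns the original trial end date instead of a fresh one.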

The Catch:

By exploiting this, the attacker must reconfigure the services from scratch. In some cases, this might end up being very time-consuming and potentially unfeasible.

Anomaly:

After executing this exploit, a strange thing occurred: the account continued to use the premium features, the account was not locked or put on hold, and the trial period counter started counting the days in reverse.

I’m unsure if this anomaly was caused by the exploit or if some other test might have triggered it.

After numerous failed attempts to find an exploit that would make the subscription expire sooner, I moved on. I would have had to wait 32 days to test this feature, so I decided to focus on discovering other bugs of critical severity.

Takeaway

This experience underscored the importance of investing more time in finding critical bugs, because the reward relative to time spent is greater than for low-severity bugs. However, it doesn’t hurt to report a low-severity bug.

Timeline

Reported — 20/01/2023

Triaged — 21/01/2023

Rewarded (€ 50) — 23/01/2023
