DEV Community

Michał Piechowiak

Posted on • Updated on • Originally published at piechowiak.dev

How I made 1777 PLN from 100 PLN | My first Bug Bounty

Let's start by explaining what platform I found the bug on.

Codenga

Codenga is a Polish platform where we can buy interactive courses.
The entire course takes place on the platform.

Where did it start?

I took part in a contest on the Codenga fanpage on Facebook. The prize in the contest was a voucher worth 100 PLN. The contest consisted of guessing the number of practical tasks solved by students over the year of the platform's existence. The number was listed in the newsletter I was subscribed to, so I had the win in my pocket.

So, let's go to the title part

I selected courses with a total value of 98 PLN and added them to my cart. After applying the voucher, the price was 0 PLN. I confirmed the order, and from then on I had the ordered courses in my account.

It could end there, but out of curiosity I checked to see if the voucher balance was now 2 PLN, or if it was a one-time voucher.

To my surprise, the course I added to the cart to check whether the coupon was still active was discounted not by 2 PLN, but by 100%!

I notified customer service via the chat available on the website.
On their recommendation, I also wrote a message to the Codenga contact email describing the situation and asking for permission to publish this article.

As a test, I checked how much I could buy with this voucher.
It turns out that the voucher has an infinite number of uses.
This indicates a bug in the platform code, which I did not look for on my own because the problem had already been reported.

For the price to be zero, the value of the cart could not exceed 100 PLN. In this way I placed 20 orders not exceeding 100 PLN with a total value of 1777 PLN.
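
The behaviour described above (a full discount on every order up to 100 PLN, with no limit on reuse) fits a checkout that applies the voucher's face value each time and never records what was spent. The sketch below is an added example, not Codenga's code, which the article does not show: the class names, the voucher code `CONTEST-100` and the individual order amounts are assumptions, and it puts that assumed logic beside a version that draws down a remaining balance.

```python
from dataclasses import dataclass
from decimal import Decimal
import threading

# Constructed order values: the article gives only the first order (98 PLN),
# the count (20) and the total (1777 PLN); the other amounts are made up.
ORDERS = [Decimal(98)] + [Decimal(88)] * 18 + [Decimal(95)]


@dataclass
class Voucher:
    code: str
    face_value: Decimal
    remaining: Decimal  # balance left; only the hardened path updates it


class FaceValueCheckout:
    """Assumed flaw: every order is discounted by the full face value and
    nothing is written back, so the voucher never runs out."""

    def discount(self, voucher: Voucher, cart_total: Decimal) -> Decimal:
        return min(voucher.face_value, cart_total)


class BalanceCheckout:
    """Hardened: the discount comes out of the remaining balance, and the read
    and the write happen as one step (a DB transaction in a real shop)."""

    def __init__(self) -> None:
        self._lock = threading.Lock()

    def discount(self, voucher: Voucher, cart_total: Decimal) -> Decimal:
        with self._lock:
            granted = min(voucher.remaining, cart_total)
            voucher.remaining -= granted
            return granted


def total_discount(checkout, orders) -> Decimal:
    """Replay the orders against a fresh 100 PLN voucher; return the discount granted."""
    voucher = Voucher("CONTEST-100", Decimal(100), Decimal(100))  # hypothetical code
    return sum((checkout.discount(voucher, o) for o in orders), Decimal(0))


if __name__ == "__main__":
    print("face-value logic:", total_discount(FaceValueCheckout(), ORDERS), "PLN")
    print("balance logic:   ", total_discount(BalanceCheckout(), ORDERS), "PLN")
```

With the balance tracked, the second order receives only the 2 PLN left after the first, and every later order is charged in full.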

Summary

As a reward, I can keep the courses.
Thanks to my curiosity I found my first Bug Bounty :)
