How do I Bypass Payment when a Subscription ends so I don’t have to pay for my subscription

Aidil Arief
4 min readMay 2, 2023

--

Hi Everyone,

When I do Bug Hunting. I spend a lot of time looking at the API flow in processing requests. In this article, I found a unique problem where a user with an Admin role can remove user access with an Owner role ( highest role access rights ).

Before continuing, I will explain the categories of access role rights from highest to lowest:

  1. Owner
  2. Admin
  3. User
  4. Guest

I started this by looking for API requests when removing a user from an organization. And here’s the request :

DELETE /api/[ORG]/deleteUser HTTP/2
Host: redacted.com
Cookie: *********************
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Bearer ************
Content-Length: 37
Origin: https://redacted.com
Referer: https://redacted.com/redacted/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{“user”:”owner_role@gmail.com”}

And I tried to delete the Owner role account through the Admin Role account. Here, I got the response :

HTTP/2 200 OK
Content-Type: application/json
Content-Length: 2
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=0; includeSubDomains
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy:
Server: cloudflare

{}

It worked, I tried to report this to the bug bounty program team at HackerOne.

Then, a few days my report was closed as Duplicate

Not great news, but I had expected that before. Then I saw that the original report still had Informative status. I asked that to the HackerOne Triage team.

Following are the answers from HackerOne Triage team:

The team had provided reasons on why it was considered informative, and it’s still valid, hence this is considered a duplicate.

We don’t consider this a security vulnerability. The account owner can be deleted from the platform by an admin user, that is expected behavior.

The next few days should the Trial period be ended and the next subscription payment will be billed to the Owner role account as shown in the example screenshot below:

I then opened an admin role account, and I didn’t get a notification that the Trial subscription had ended. I’m a little confused and trying to remember why the account subscription didn’t ended.

Now I understand, at that time I tried to remove the Owner's account from the Organization.

Apparently, subscription payments can only be made by accounts with the Owner role. And if the Owner role account is not in the Organization, subscriptions will not be billed to anyone other than the Owner role.

Now I found a way to bypass the subscription payment feature.

Without waiting, I tried adding this information to a previous report that closed as Duplicate with information to bypass the Payments feature on subscriptions.

After a few days, I received additional information from the HackerOne Triage team, which was sent to the Bug Bounty program team for review.

The report was reopened again.

Conclusion :

Do not be sad when your report as duplicate, because if it is your fortune, it will not be exchanged with other people.

--

--

Aidil Arief
Aidil Arief

Responses (2)