[PART 2] Anyone can use unlimited Trial Premium on accounts that have used Trial Premium before

3 min read · Feb 7, 2025

Hi everyone,

After our previous report #1808719 was resolved, we found a bypass for it.

In this article, we use an account with a Premium Subscription.

Then we opened the Upgrade and Claim Offer page.

When we chose Upgrade and claim offer, we got an order:

As you can see, the order totals IDR 7,022,061.82.

How do I get an order with a total of IDR 0.00?

Now let’s take a closer look at this via the request.

The following is the request sent when selecting Upgrade and claim offer:

POST /voyager/api/voyagerPremiumDashSubscriptionCheckoutInformation?action=requestCheckoutV2 HTTP/2
Host: www.linkedin.com
Cookie: ****************************
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/vnd.linkedin.normalized+json+2.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Li-Lang: en_US
X-Li-Track: {"clientVersion":"1.1***4","mpVersion":"1.1***4","osName":"web","timezoneOffset":7,"timezone":"Asia/Bangkok","deviceFormFactor":"DESKTOP","mpName":"voyager-web","displayDensity":1.25,"displayWidth":1920,"displayHeight":1080}
X-Li-Page-Instance: urn:li:page:d_flagship3_premium_atlas_switcher;fyoBEkN***/g==
Csrf-Token: ajax:659422***6
X-Restli-Protocol-Version: 2.0.0
X-Li-Pem-Metadata: Voyager — Premium — Switcher Flow=switcher-checkout
Content-Type: application/json; charset=utf-8
Content-Length: 208
Origin: https://www.linkedin.com
Referer: https://www.linkedin.com/premium/switcher/?upsellOrderOrigin=premium_nav_more_products_panel&utype=sales
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"productUrn":"urn:li:premiumProduct:112000","mainPriceId":6455991,"optionalPriceIds":[6455401],"promotionId":65580503,"upsellOrderOrigin":"premium_nav_more_products_panel","serviceIdSwitchingFrom":353397456}

Look, there’s something strange about that request. Before continuing, I want to explain some of the request parameters there:

1. productUrn

This identifies the Premium product you want to use.

2. mainPriceId & optionalPriceIds

These determine the price of the product you want to buy.

3. promotionId

This determines the promotion applied to the product.

4. serviceIdSwitchingFrom

This is the serviceId of the subscription that is currently in use.

In the request above, we get the promotionId when we want to upgrade and claim the offer. Now let’s do some experiments to get a total order of IDR 0.00.

The first experimental step we took was to delete 1 parameter from the request:

"serviceIdSwitchingFrom":353397456

And the result was that we got a total order of IDR 0.00.

At that time we immediately reported it to the LinkedIn team.

A few days later, the LinkedIn Team asked me “Were you able to proceed to place the order at IDR 0”?

I finally remembered that and tried to reproduce it again by making a total order payment of IDR 0.00 at the request of the LinkedIn team.

While we moved quickly, we were not able to reproduce the behavior.

Finally, we tried to find a new way to place orders totaling IDR 0.00

A week later we got a new solution for it.

We made a request with 2 parameters removed, namely:

1. "optionalPriceIds":[6455991]

2. "serviceIdSwitchingFrom":361572676

And we got a total order of IDR 0.00 again.

Then we paid and completed the order as the LinkedIn team requested.
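The following is an added example, not part of the original article and not LinkedIn's code. It models one hypothetical way a checkout pricer could produce the behaviour described above (trial eligibility inferred from which fields the client sent) next to a version that enforces a strict schema and reads eligibility from server-side account state. All IDs, amounts, the `Account` record and both function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: IDs and amounts are placeholders, not LinkedIn values.
PRICES = {101: 700_000, 102: 50_000}         # priceId -> amount
PROMOTIONS = {9001: "free_trial"}            # promotionId -> promotion kind

@dataclass
class Account:                               # hypothetical server-side record
    active_service_id: Optional[int]         # current subscription, if any
    trial_used: bool                         # a trial was already consumed

def total_trusting_client(req: dict) -> int:
    """Weak: eligibility is inferred from which fields the client sent."""
    total = PRICES[req["mainPriceId"]]
    total += sum(PRICES[p] for p in req.get("optionalPriceIds", []))
    # A missing serviceIdSwitchingFrom is read as "no current subscription".
    if (PROMOTIONS.get(req.get("promotionId")) == "free_trial"
            and "serviceIdSwitchingFrom" not in req):
        return 0
    return total

REQUIRED = ("productUrn", "mainPriceId", "optionalPriceIds", "promotionId")

def total_server_side(req: dict, account: Account) -> int:
    """Hardened: strict schema, eligibility read from account state only."""
    missing = [k for k in REQUIRED if k not in req]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if req.get("serviceIdSwitchingFrom") != account.active_service_id:
        raise ValueError("serviceIdSwitchingFrom does not match account state")
    total = PRICES[req["mainPriceId"]] + sum(PRICES[p] for p in req["optionalPriceIds"])
    eligible = account.active_service_id is None and not account.trial_used
    if PROMOTIONS.get(req["promotionId"]) == "free_trial" and eligible:
        return 0
    return total

# Constructed requests using the field names from the request above.
FULL = {"productUrn": "urn:example:product:1", "mainPriceId": 101,
        "optionalPriceIds": [102], "promotionId": 9001,
        "serviceIdSwitchingFrom": 555}
STRIPPED = {k: v for k, v in FULL.items() if k != "serviceIdSwitchingFrom"}
SUBSCRIBER = Account(active_service_id=555, trial_used=True)

if __name__ == "__main__":
    print(total_trusting_client(FULL), total_trusting_client(STRIPPED))
    try:
        total_server_side(STRIPPED, SUBSCRIBER)
    except ValueError as err:
        print("rejected:", err)
```

The hardened function treats `serviceIdSwitchingFrom` as a claim to be checked against the account, so leaving it out cannot change the price, and an account with `trial_used` set never reaches a zero total.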

Report : https://hackerone.com/reports/2131224

Timeline:

Report: September 1, 2023

Able to proceed to place the order confirmation: September 4, 2023

Triaged: September 5, 2023

Additional information provided to LinkedIn: September 8, 2023

Update Severity: September 25, 2023

Bounty: $2,500

Aidil Arief