Duolingo: A tale of two APIs

Hi, I’m Duo the owl!

The Researcher’s Dilemma

Response from HackerOne

Summary of findings (if you read no further)

  1. Submission of free in-app store purchases (free perks)
  2. Duplicate submission of practice routines (daily/total XP gain)
  3. Duplicate submission of profile updates (arbitrary increase of total XP)
please, no more ads..

3,000,000 (estimated worldwide Plus users) * $120 (yearly subscription cost) = $360,000,000 in annual revenue lost.

Path to discovery

  • Double your 50 gem wager by maintaining a 7 day streak. Completing this allows you to generate even MORE gems/lingots
  • Streak Freeze allows your streak to remain in place for one full day of inactivity…in case you’re, say, in the wilderness hiking about without service
  • Get full hearts so you can worry less about making mistakes in a lesson
  • Heart Refills are not needed if you are a Duolingo Plus member because you have unlimited lives
  • Dress up Duo, the learning coach owl

Path to exploitation

  1. Submission of free in-app store purchases — POST requests (free perks)
  2. Duplicate submission of practice routines — PUT requests (daily/total XP gain)
  3. Duplicate submission of profile updates — PATCH requests (arbitrary increase of XP gain, mostly a cosmetic bug)

1. Free Perks

2. Duplicate submission of practice routines

3. Duplicate submission of profile updates

Note: the XP field in the payload was set to 5000 as an example amount.
Before: 10,334
After: 15,334
After a further submission: 50,016,894
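All three findings share one root cause: the server accepts state (price paid, XP earned, profile XP) from the client instead of computing it itself, and it does not recognise a replayed request. The following is an added example, not Duolingo's code, that models the vulnerable handler for each of the three request types beside a hardened version. The endpoint shapes, the `STORE_PRICES` catalogue, `XP_PER_CORRECT`, `MAX_XP_PER_SESSION` and the payload field names are all hypothetical; the XP numbers in the vulnerable path reproduce the 10,334 to 15,334 jump shown above.

```python
"""Server-side authority for purchases, practice XP and profile patches.

Added example (not the page's or Duolingo's code). Every constant and field
name here is a hypothetical stand-in for whatever a real backend uses.
"""
from dataclasses import dataclass, field

# Hypothetical server-side catalogue; the hardened handler never reads a price from the client.
STORE_PRICES = {"streak_freeze": 200, "heart_refill": 350}

# Hypothetical XP policy: the server derives XP from what it can verify and caps it per session.
XP_PER_CORRECT = 10
MAX_XP_PER_SESSION = 200

# Profile fields a PATCH may legitimately change; game state (xp, gems) is deliberately absent.
ALLOWED_PROFILE_FIELDS = {"name", "bio"}


class RejectedRequest(Exception):
    """Raised when a request fails server-side validation (maps to HTTP 4xx)."""


@dataclass
class User:
    gems: int
    xp: int
    name: str = ""
    bio: str = ""
    inventory: list = field(default_factory=list)
    seen_sessions: set = field(default_factory=set)  # replay protection for practice submissions


# --- 1. Store purchases (POST) --------------------------------------------------------------
def purchase_vulnerable(user: User, payload: dict) -> None:
    """Trusts the client-supplied price, so a payload with price 0 yields a free perk."""
    price = int(payload.get("price", 0))
    if user.gems < price:
        raise RejectedRequest("insufficient gems")
    user.gems -= price
    user.inventory.append(payload["item"])


def purchase_hardened(user: User, payload: dict) -> int:
    """Looks the price up server-side, ignores any client price, and returns the amount debited."""
    item = payload.get("item")
    if item not in STORE_PRICES:
        raise RejectedRequest("unknown item")
    price = STORE_PRICES[item]
    if user.gems < price:
        raise RejectedRequest("insufficient gems")
    user.gems -= price
    user.inventory.append(item)
    return price


# --- 2. Practice routine submissions (PUT) --------------------------------------------------
def practice_vulnerable(user: User, payload: dict) -> None:
    """Adds whatever XP the client claims and keeps no record, so resubmission doubles the gain."""
    user.xp += int(payload["xp"])


def practice_hardened(user: User, payload: dict) -> int:
    """Derives XP from verifiable results, caps it, and rejects a replayed session id."""
    session_id = payload.get("session_id")
    if not session_id:
        raise RejectedRequest("missing session_id")
    if session_id in user.seen_sessions:
        raise RejectedRequest("duplicate session submission")
    correct = int(payload.get("correct", 0))
    if correct < 0:
        raise RejectedRequest("invalid result count")
    earned = min(correct * XP_PER_CORRECT, MAX_XP_PER_SESSION)
    user.seen_sessions.add(session_id)  # record before crediting so a retry cannot double-credit
    user.xp += earned
    return earned


# --- 3. Profile updates (PATCH) -------------------------------------------------------------
def patch_profile_vulnerable(user: User, payload: dict) -> None:
    """Applies every key the client sends, so {"xp": 5000} overwrites game state."""
    for key, value in payload.items():
        setattr(user, key, value)


def patch_profile_hardened(user: User, payload: dict) -> list:
    """Applies only allow-listed cosmetic fields and rejects the request if anything else is present."""
    disallowed = sorted(set(payload) - ALLOWED_PROFILE_FIELDS)
    if disallowed:
        raise RejectedRequest(f"fields not patchable: {disallowed}")
    for key, value in payload.items():
        setattr(user, key, str(value))
    return sorted(payload)
```

The hardened handlers follow one rule: the client reports what it did (which item, which session, how many answers), and the server decides what that is worth. Rejecting rather than silently dropping disallowed profile fields also gives a clean signal to log and alert on, since a legitimate client never sends them.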

Impact


information security, blockchain, travel, surf https://waymobetta.com

Jon Roethke