Duolingo: A tale of two APIs

Hi, I’m Duo the owl!

The Researcher’s Dilemma

Response from HackerOne

Summary of findings (if you read no further)

please, no more ads..

3,000,000 (estimated worldwide Plus users) * $120 (yearly subscription cost) = $360,000,000 in annual revenue lost.

Path to discovery

Path to exploitation

1. Free Perks

2. Duplicate submission of practice routines

3. Duplicate submission of profile updates

Note: the XP field in the payload is set to 5000 as an example amount.
Before: 10,334
After: 15,334
After, after: 50,016,894

Jon Roethke

information security, blockchain, travel, surf https://waymobetta.com