I'm a bounty hunter from China, and I'm excited to share an interesting vulnerability I encountered while hunting for bugs. I hope we can exchange ideas and learn together.

This vulnerability is quite simple but genuinely intriguing. All it takes to spot the issue is an understanding of the business logic.

Let's get started.

First, I registered and logged into the target website, a new business venture developed by the target company (I particularly like to focus on new businesses, as they often have many vulnerabilities). To attract more customers, they have a feature where you earn gold coins for inviting a new person to register on the site. These coins can be exchanged for a membership on the website.

Let's outline the current business logic: register an account, invite a newcomer, receive rewards.

It's a straightforward logic, right?

However, the interesting part emerged when I noticed that the site also has an account cancellation feature.

Typically, cancelling an account should start a cooling-off period: for example, the email address or phone number verified at registration cannot be used to register again within seven days.

But!

I tried something: right after clicking to cancel my account, I could immediately re-register on the platform with the same phone number, and the site treated me as a brand-new user!

Here comes the vulnerability:

First, I registered an account named A, then generated a link to invite new users.

Using this link, I registered another account, named B.

Next, I repeatedly canceled the B account and re-registered it through A's invite link, and each time the site paid out the reward for inviting a new user!
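To make the flaw concrete, here is an added example (my own illustration, not the target site's code): a minimal in-memory model of the register, invite, reward, cancel loop. The vulnerable service forgets the phone number entirely on cancellation, so the same number re-registers as "new" and the inviter is paid again. The hardened service beside it keeps a keyed hash of the identifier after cancellation, enforces a cooling-off period, and pays a referral reward at most once per identifier regardless of how many accounts it creates. The reward amount, the pepper, the class and function names and the phone numbers are all assumptions for the demo.

```python
import hashlib
import hmac
from typing import Optional, Tuple

REWARD_COINS = 100              # assumed reward per successful referral
PEPPER = b"server-side-secret"  # assumed; keeps the tombstone table from being a plain phone list


def identifier_fingerprint(phone: str) -> str:
    """Keyed hash of the registration identifier (phone number here).
    The hardened service remembers fingerprints, not raw numbers."""
    return hmac.new(PEPPER, phone.encode(), hashlib.sha256).hexdigest()


class VulnerableReferralService:
    """Register -> invite -> reward -> cancel, as the write-up describes it."""

    def __init__(self):
        self.accounts = {}       # phone -> account name
        self.coins = {}          # account name -> gold-coin balance
        self.invite_links = {}   # invite token -> inviter's account name
        self.today = 0           # simulated clock, in days

    def invite_link(self, name: str) -> str:
        token = f"invite-{name}"
        self.invite_links[token] = name
        return token

    def register(self, phone: str, name: str, invite_token: Optional[str] = None) -> None:
        if phone in self.accounts:
            raise ValueError("phone number already registered")
        self.accounts[phone] = name
        self.coins.setdefault(name, 0)
        if invite_token is not None:
            # Reward is keyed on the account, and a fresh account is created every time.
            self.coins[self.invite_links[invite_token]] += REWARD_COINS

    def cancel(self, phone: str) -> None:
        # The flaw: cancellation forgets the phone number completely, so the
        # same number can immediately come back as a "new" user.
        name = self.accounts.pop(phone)
        self.coins.pop(name, None)


class HardenedReferralService(VulnerableReferralService):
    """Same API, plus a cooling-off period and a once-per-identifier reward."""

    def __init__(self, cooldown_days: int = 7):
        super().__init__()
        self.cooldown_days = cooldown_days
        self.tombstones = {}     # fingerprint -> day the account was cancelled
        self.rewarded = set()    # fingerprints that have already earned a referral reward

    def register(self, phone: str, name: str, invite_token: Optional[str] = None) -> None:
        fp = identifier_fingerprint(phone)
        cancelled_on = self.tombstones.get(fp)
        if cancelled_on is not None and self.today - cancelled_on < self.cooldown_days:
            raise ValueError("identifier is still in its cooling-off period")
        if phone in self.accounts:
            raise ValueError("phone number already registered")
        self.accounts[phone] = name
        self.coins.setdefault(name, 0)
        # Pay the inviter only the first time this identifier is ever referred.
        if invite_token is not None and fp not in self.rewarded:
            self.coins[self.invite_links[invite_token]] += REWARD_COINS
            self.rewarded.add(fp)

    def cancel(self, phone: str) -> None:
        self.tombstones[identifier_fingerprint(phone)] = self.today
        super().cancel(phone)


def run_farming_loop(service, rounds: int, days_between: int = 0) -> Tuple[int, int]:
    """Replay the write-up's loop against `service`: A registers and invites B,
    then B is cancelled and re-registered through A's link `rounds` times.
    Returns (A's final coin balance, number of re-registrations refused).
    The phone numbers are constructed sample data."""
    attacker_phone, victim_phone = "+10000000001", "+10000000002"
    service.register(attacker_phone, "A")
    link = service.invite_link("A")
    service.register(victim_phone, "B", invite_token=link)
    refused = 0
    for _ in range(rounds):
        if victim_phone in service.accounts:
            service.cancel(victim_phone)
        service.today += days_between
        try:
            service.register(victim_phone, "B", invite_token=link)
        except ValueError:
            refused += 1
    return service.coins["A"], refused


if __name__ == "__main__":
    print("vulnerable:", run_farming_loop(VulnerableReferralService(), rounds=5))
    print("hardened, same day:", run_farming_loop(HardenedReferralService(), rounds=5))
    print("hardened, 7 days apart:", run_farming_loop(HardenedReferralService(), rounds=5, days_between=7))
```

Against the vulnerable service the loop grows A's balance by one reward per round; against the hardened one the same-day replay is refused outright, and even when each round waits out the cooling-off period the balance never moves, because the reward is tied to the verified identifier rather than to the account record. The cooling-off period alone is not enough: a patient attacker simply waits, which is why the once-per-identifier check is the part that actually closes the hole.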

Thanks for reading!