Got a critical Hole on freelancer.com and Fiverr.com

#1
Hello, I got a critical security hole on freelancer.com and fiverr.com.
Is there anyone who is willing to be part of the exploitation? Kindly comment down.
Reply

#2
Sorry, to confirm what you're asking: are you looking for an account to exploit in order to demonstrate the vulnerability to collect a bug bounty, etc.?
Reply

#3
Quote: Hello, I got a critical security hole on freelancer.com and fiverr.com

Do you have unrestricted/elevated back-end access?
Reply

#4
Quote: (02-12-2020, 05:42 AM) mothered Wrote:

Quote: Hello, I got a critical security hole on freelancer.com and fiverr.com

Do you have unrestricted/elevated back-end access?
Hello, I was able to do a URL tampering attack in order to deposit virtual/fake $.
Reply

#5
Quote: (04-29-2020, 02:20 AM) zorayo Wrote:

Quote: (02-12-2020, 05:42 AM) mothered Wrote:

Quote: Hello, I got a critical security hole on freelancer.com and fiverr.com

Do you have unrestricted/elevated back-end access?
Hello, I was able to do a URL tampering attack in order to deposit virtual/fake $.

Are you referring to web parameter tampering, by manipulating/exploiting the application data?
Reply

#6
Quote: (04-29-2020, 08:43 AM) mothered Wrote:

Quote: (04-29-2020, 02:20 AM) zorayo Wrote:

Quote: (02-12-2020, 05:42 AM) mothered Wrote:

Do you have unrestricted/elevated back-end access?
Hello, I was able to do a URL tampering attack in order to deposit virtual/fake $.

Are you referring to web parameter tampering, by manipulating/exploiting the application data?
Able to edit the actual amount of the deposit by editing the HTTP request, by doing URL tampering...
The hole is working on Upwork.com too.


Quote: (05-01-2020, 06:03 AM) zorayo Wrote:

Quote: (04-29-2020, 08:43 AM) mothered Wrote:

Quote: (04-29-2020, 02:20 AM) zorayo Wrote:

Hello, I was able to do a URL tampering attack in order to deposit virtual/fake $.

Are you referring to web parameter tampering, by manipulating/exploiting the application data?
Able to edit the actual amount of the deposit by editing the HTTP request, by doing URL tampering...
The hole is working on Upwork.com too.
I just linked my PayPal account and made a deposit of $1, and while redirecting (bouncing back to the checkout page) I edited the request and made it like $1000, $2000, $3000....
The funds work to pay any client over the freelancer platform.
Reply

#7
Where's the money coming out of? Does it come out of the PayPal account you link, or does it just create the funds from thin air? Also, have you cashed it out yet? How do you know that the $500 isn't just a front-end display and the server has the actual value stored internally?
Reply

#8
Quote: (06-25-2020, 06:42 PM) Stratus Wrote:

Where's the money coming out of? Does it come out of the PayPal account you link, or does it just create the funds from thin air? Also, have you cashed it out yet? How do you know that the $500 isn't just a front-end display and the server has the actual value stored internally?
That's a great question; I want to find out myself too. I'm interested in hacking these "freelancer" companies.
Reply

#9
My guess is this is just a visual bug.
The system will probably block the cashout.
Reply
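
Added example, not part of the thread and not any named platform's code: a sketch of the server-side control that posts #7 and #9 are asking about, where the balance is credited from the payment processor's confirmed capture and the amount carried in the client's return request is never trusted. The order store, the capture record and every name below are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: the order the server stored when checkout began,
# and what the payment processor reports it actually captured.
PENDING_ORDERS = {
    "ord-1001": {"user": "alice", "amount": Decimal("1.00"), "currency": "USD"},
}
PROCESSOR_CAPTURES = {
    "ord-1001": {"status": "COMPLETED", "amount": Decimal("1.00"), "currency": "USD"},
}
BALANCES = {}    # user -> credited balance
ALERTS = []      # (order_id, reason) tuples for the fraud/detection pipeline
SETTLED = set()  # order ids already credited


def _claimed_amount(params):
    """Parse the client-supplied amount; None if absent or malformed."""
    try:
        return Decimal(params["amount"])
    except (KeyError, InvalidOperation, TypeError):
        return None


def handle_checkout_return(params):
    """Settle a deposit when the browser is redirected back from the processor.

    `params` is the client-controlled query string (hypothetical field names).
    Only the order id is used for lookup; the credited amount comes from the
    processor record, which stands in for a server-to-server verification call.
    """
    order_id = params.get("order_id")
    order = PENDING_ORDERS.get(order_id)
    capture = PROCESSOR_CAPTURES.get(order_id)
    if order is None or capture is None or capture["status"] != "COMPLETED":
        return "rejected"
    if order_id in SETTLED:  # a replayed return URL must not credit twice
        return "duplicate"
    if (capture["amount"], capture["currency"]) != (order["amount"], order["currency"]):
        ALERTS.append((order_id, "capture does not match stored order"))
        return "rejected"
    # A client amount that disagrees with the capture has no effect on the
    # balance, but it is a tampering signal worth recording.
    if "amount" in params and _claimed_amount(params) != capture["amount"]:
        ALERTS.append((order_id, "client amount differs from capture"))
    SETTLED.add(order_id)
    user = order["user"]
    BALANCES[user] = BALANCES.get(user, Decimal("0")) + capture["amount"]
    return "credited"
```

With this design a return request carrying an altered amount still credits only the captured $1.00 and leaves an alert behind for review.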

#10
Sounds interesting. Have they fixed it? I don't think that such services have strong security systems. Any vulnerability can remain unfixed for months, if not years. Recently I tried to find something on [To see links please register here], but they seem fine. Also, I would not expect decent bug bounty compensation from freelance services. They don't have a lot of valuable data. Compared to messengers, they have nothing at all. Maybe get some personal data of freelancers, but what's the point? Perhaps really, it was just a visual bug.
Reply


