Improper Privilege Management in monicahq/monica

Valid

Reported on

May 6th 2021


✍️ Description

Bypass payment verification and add more contacts. A free-account user can add only 10 contacts, but using this bug the user can add more than 10 contacts for free.

🕵️‍♂️ Proof of Concept

  1. First go to https://app.monicahq.com/people from a free account and add 10 contacts. Now you can't add more contacts; you need to buy a Pro account. To bypass this payment and add more contacts, follow the steps below, assuming you have 10 active contacts:

a) Archive any one of your contacts. Your total active contacts is now 9.

b) Add a new contact. You now have 10 active contacts.

c) Now unarchive the contact archived above. You now have a total of 11 active contacts.

So, using this method a free user can add unlimited contacts.

Video PoC: https://drive.google.com/file/d/1_17BK7M0DhYqrp8Yhdh_G5P9krtiw47u/view?usp=sharing
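The root cause described above is a limit check that runs only when a contact is created, not when an archived contact is restored. The following added example (not Monica's code, and not the fix commit) models the free-plan limit as an in-memory account and replays steps a/b/c against both a weak policy, which checks only on add, and a hardened policy, which checks on every transition that raises the active count; the `Account` class and its methods are hypothetical.

```python
# Added example: minimal model of the active-contact limit from the report.
# Not Monica's implementation; the classes and method names are hypothetical.
FREE_ACTIVE_LIMIT = 10  # free plan allows 10 active contacts (from the report)


class LimitError(Exception):
    """Raised when an action would exceed the plan's active-contact limit."""


class Account:
    def __init__(self, limit=FREE_ACTIVE_LIMIT, check_on_unarchive=True):
        self.limit = limit
        self.check_on_unarchive = check_on_unarchive
        self.contacts = {}  # name -> True (active) / False (archived)

    def active_count(self):
        return sum(1 for active in self.contacts.values() if active)

    def _ensure_room(self):
        # The plan check: refuse any action that would push active > limit.
        if self.active_count() >= self.limit:
            raise LimitError("active contact limit reached; upgrade required")

    def add(self, name):
        self._ensure_room()
        self.contacts[name] = True

    def archive(self, name):
        self.contacts[name] = False

    def unarchive(self, name):
        # Weak policy: restoring a contact raises the active count but is
        # never checked. Hardened policy: every count-increasing transition
        # goes through the same check as add().
        if self.check_on_unarchive:
            self._ensure_room()
        self.contacts[name] = True


def run_report_steps(check_on_unarchive):
    """Replay the report's a/b/c steps and return the final active count."""
    acct = Account(check_on_unarchive=check_on_unarchive)
    for i in range(FREE_ACTIVE_LIMIT):
        acct.add(f"contact{i}")       # fill the free quota: 10 active
    acct.archive("contact0")          # step a: 9 active
    acct.add("contact10")             # step b: 10 active, passes the add check
    try:
        acct.unarchive("contact0")    # step c: 11 active under the weak policy
    except LimitError:
        pass                          # hardened policy refuses the restore
    return acct.active_count()
```

An equivalent mitigation is to count archived contacts toward the plan limit, so archiving cannot free a slot in the first place.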

💥 Impact

A free-account user can bypass payment verification and exceed the 10-contact limit of the free plan, adding more than 10 contacts without paying.

Alexis Saettler
2 years ago

Confirmed! Nice trick ... thank you for submitting!

Alexis Saettler validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alexis Saettler marked this as fixed with commit 8357d0 2 years ago
Alexis Saettler has been awarded the fix bounty
This vulnerability will not receive a CVE