How I Generated Endless Money by Hacking Survey Apps
1) Introduction⌗
Survey apps? Infinite money? What on earth are you talking about?
Survey apps allow users to earn rewards by answering surveys and participating in similar activities are well-known. These apps are designed to collect data and opinions from users on various topics, such as products, services, lifestyles, shopping experiences, and more. The information gathered through surveys is then used by companies and organizations to improve their products or services, develop new marketing strategies, or make informed business decisions.
The functioning of survey apps is quite simple. Each completed survey awards a certain number of points to the user, and typically, the longer it takes to complete a survey, the more points can be earned.
Once a user has accumulated a certain amount of points, they can redeem them for a reward. The rewards may vary depending on the app, but common rewards include:
- Gift cards
- PayPal transfers
2) Recon⌗
From here, the challenge begins. I started by exploring the Play Store, in search of an app that could inspire me. After a long search, I finally found an app that sparked my interest… Here’s the rewards page:
3) Attack⌗
My first idea was to search for possible interesting APIs by decompiling and extracting links from the APK.
I decompiled the APK:⌗
I searched for the smali files:⌗
I extracted the links from the files:⌗
Noticing keywords like “getuserdata” and “adjustpoints” in the endpoints, I think that they might be the APIs I was looking for.
- I tested the first API by entering my referral code to invite friends in the “invitecode” parameter and noticed that the API worked, as it returned the number of points I had.
- Moving on to the second endpoint, I entered the referral code in the “uniquecode” parameter.
Now, by checking through the first API or using the app, it’s possible to notice an arbitrary increase in points, which allows me to redeem unlimited PayPal cash and Amazon gift cards.
4) Conclusion⌗
The vulnerability has been reported