While testing a bug bounty program on HackerOne, I discovered a forum where users can interact with each other. The forum allows users to create topics (posts) and polls.

I thought about attempting to manipulate the poll results using a race condition technique, similar to a previous finding where I reported a medium-severity vulnerability.

I intercepted the following request:

POST /topic/1182-test/?fetchPoll=1 HTTP/2

I then sent this request multiple times in parallel, as is typically done in race condition testing. While the poll results did not change, I noticed that the "members who voted" counter increased significantly.

However, the actual voting result remained unchanged, as it appeared that only a single vote was being counted. I then attempted to vote again using the manipulated value (e.g., "15"), which seemed to influence how the application validates legitimate votes.

This time, the attack was successful, allowing me to manipulate the poll results and submit 15 votes using a single account.

I reported the issue through HackerOne, but it was classified as Informative. The triager explained that the issue does not impact any reward system or critical functionality within the application.

Summary

The main idea was to exploit a race condition in the "members who voted" counter, followed by another race condition in the voting request itself to manipulate the final poll results. It is important to test different techniques, including parallel requests, single connection, and separate connections.
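The post does not show the server code, so the following is an added example (not the forum's code and not part of the original write-up) of one common way this behaviour arises: a "has this member voted?" check that is separate from the write, shown next to a fix that enforces one vote per member with a database constraint. The table layout, the function names and the barrier that holds requests inside the race window are assumptions made for the demonstration.

```python
import sqlite3
import threading

N = 15  # simultaneous requests from one account (constructed scenario)

def run(hardened):
    """Replay N parallel votes by member 1 on poll 1.
    Returns (votes stored, [(member_id, votes)] for members with more than one)."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    unique = ", UNIQUE (poll_id, member_id)" if hardened else ""
    db.execute(f"CREATE TABLE votes (poll_id INT, member_id INT, choice INT{unique})")
    db_lock = threading.Lock()      # one statement at a time, as a DB would serialize
    window = threading.Barrier(N)   # holds every request inside the race window

    def query(sql, args=()):
        with db_lock:
            return db.execute(sql, args).fetchall()

    def handle_vote(poll_id, member_id, choice):
        if hardened:
            window.wait()
            # No separate check: the constraint rejects the duplicate atomically.
            query("INSERT OR IGNORE INTO votes VALUES (?, ?, ?)",
                  (poll_id, member_id, choice))
            return
        # Check-then-act: the check and the write are two separate statements.
        voted = query("SELECT COUNT(*) FROM votes WHERE poll_id = ? AND member_id = ?",
                      (poll_id, member_id))[0][0]
        window.wait()               # by now all N requests have passed the check
        if not voted:
            query("INSERT INTO votes VALUES (?, ?, ?)", (poll_id, member_id, choice))

    threads = [threading.Thread(target=handle_vote, args=(1, 1, 0)) for _ in range(N)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    total = query("SELECT COUNT(*) FROM votes")[0][0]
    # Audit query: any member holding more than one vote in the same poll.
    dupes = query("SELECT member_id, COUNT(*) FROM votes "
                  "GROUP BY poll_id, member_id HAVING COUNT(*) > 1")
    return total, dupes

if __name__ == "__main__":
    print("check-then-act:", run(False))    # (15, [(1, 15)])
    print("unique constraint:", run(True))  # (1, [])
```

The audit query at the end can also be run against an existing votes table to find polls that were already inflated, and deriving the "members who voted" figure from the stored rows keeps that counter from drifting away from the real votes.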

As always: Hack to learn, not learn to hack.