June 9, 2026
Easy 150$ Bounty: Delete all votes
Musab Sarı
I have been hunting for a while on HackerOne public programs, and what I learned is that if you choose the right program and spend more time on it, you won't regret wasting hundreds of hours (you will regret other things :). If you read my "Easy 130$ Bounty: User to Admin" article, you know I found a privilege escalation vulnerability which let me access all admin features, and I earned only 130$ (+50$). It was a self-hosted program; actually, it was a solo entrepreneur's site. Anyway, this vulnerability, a vote deletion bug, earned me 150$. There is a huge gap. But a bounty is a bounty :). Let's see the details of the bug.
As you know, every e-commerce site has a comment section, and they allow customers to vote on comments (reviews). Some sites sort them according to their votes; some do not. In my case, votes do not affect the sorting (that is their word; I am not totally sure).
I tested the vote deletion endpoint, which was:
DELETE reviews/likes/<review_id>
Host: api.redacted.com
But the funny thing is that this endpoint does not check whether the vote belongs to you, so if you repeat this request again and again, every DELETE request deletes one more vote for that review. This allows any authenticated user to delete votes belonging to other users due to missing authorization checks.
No fancy tool. No hidden technique. No AI. Just repeat the request :).
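The missing ownership check described above, as an added example that is not the program's own code (the write-up does not show the backend): a Python/sqlite3 sketch with an assumed `likes(review_id, user_id)` table, constructed sample data and hypothetical handler names, showing the flawed delete beside one scoped to the caller's own vote, plus a replay check usable as a regression test.

```python
import sqlite3

def make_db():
    """In-memory store with constructed sample data: users 1, 2, 3 like review 7."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE likes (review_id INTEGER NOT NULL, "
               "user_id INTEGER NOT NULL, PRIMARY KEY (review_id, user_id))")
    db.executemany("INSERT INTO likes VALUES (?, ?)", [(7, 1), (7, 2), (7, 3)])
    return db

def delete_like_vulnerable(db, caller_id, review_id):
    """Assumed flawed handler: the caller is authenticated, but caller_id never
    reaches the query, so every call removes *some* vote on the review."""
    cur = db.execute(
        "DELETE FROM likes WHERE rowid IN "
        "(SELECT rowid FROM likes WHERE review_id = ? LIMIT 1)", (review_id,))
    return cur.rowcount

def delete_like_fixed(db, caller_id, review_id):
    """Hardened handler: the delete is scoped to the caller's own vote, so the
    request is idempotent and cannot touch other users' votes."""
    cur = db.execute(
        "DELETE FROM likes WHERE review_id = ? AND user_id = ?",
        (review_id, caller_id))
    return cur.rowcount

def votes_left(db, review_id):
    """Number of votes still recorded for the review."""
    row = db.execute("SELECT COUNT(*) FROM likes WHERE review_id = ?",
                     (review_id,)).fetchone()
    return row[0]

def replay(handler, caller_id, review_id, times):
    """Regression check: send the same DELETE repeatedly, return surviving votes."""
    db = make_db()
    for _ in range(times):
        handler(db, caller_id, review_id)
    return votes_left(db, review_id)

if __name__ == "__main__":
    print("vulnerable handler, votes left:", replay(delete_like_vulnerable, 1, 7, 3))
    print("fixed handler, votes left:     ", replay(delete_like_fixed, 1, 7, 3))
```

The unique key on `(review_id, user_id)` also caps each user at one vote per review, which is what makes the scoped delete remove at most one row.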