June 2, 2026
How I was able to Modify Ratings on a Target and Cause Business Impact
Learn how I found this interesting bug
RivuDon
5 min read
Hi, I'm Rivek Raj Tamang (RivuDon), a Security Researcher, Bug Hunter, and Ethical Hacker with a Master's in Cybersecurity and a Certified Ethical Hacker from Sikkim, India. I have secured numerous companies and received bounties, swag, Hall of Fame mentions, Letters of Appreciation / Recognition, CVEs and more.
Feel free to connect with me! You can find out more about me on my LinkedIn, I am active there.
Hi readers, this is a detailed write-up on how I was able to manipulate ratings on a target and demonstrate real business impact. It was actually a really interesting and fun bug to discover.
What if you could change the overall rating of a Google review?
For example, if it had a rating of 4.5/5 to begin with, after manipulation you could lower the overall rating to 1/5.
Without further ado, let's get started!
The Hunt
One fine day, while browsing LinkedIn like any other random day, I saw a post of someone showing a swag they received from a target. It was a tech-based platform that offered coding/programming exams as a service. I quickly checked out their disclosure policy and, to my surprise, they not only gave out swag but also paid bounties for medium and higher severity bugs.
The Target
For security reasons, I won't be disclosing the target, so let's call it example.com.
So, let me walk you through my thought process. Every bug hunter follows the same process of gathering subdomains, collecting URLs, fuzzing, and so on. But first, a good bug hunter should read and understand the scope and guidelines of the program. I did just that and noted all the in-scope subdomains and accepted vulnerability categories.
The target mainly had two modules and separate sign-up/login portals for developers and companies.
I simply signed up as a developer and logged in. I found out that they had a separate section for programming challenges. As I mentioned earlier, the platform was focused on coding and programming, so users could practice programming questions. They also had a challenge rating system and a leaderboard.
The Bug
The workflow of the challenge rating system:
A user is allowed to rate a challenge only once, on a scale of 1 to 5. Once the user rates the challenge, it is reflected in the rating system. If a user wants to change their rating, they must delete the previous rating before submitting a new one.
This is the intended workflow and should be that way.
However, during security testing, it was observed that the backend does not enforce this restriction server-side. By intercepting and replaying the rating submission request multiple times, the system:
- Increments the score distribution count.
- Increments the total review count.
So, how can we show the impact? It is definitely a bug, but it is not as simple as changing a rating from 5 to 1. With the above testing, let's see how the damage and impact can be demonstrated.
We know that we can't simply change a rating from 5 to 1, but we have successfully broken the logic that allows a user to rate only once. With this knowledge, let's think logically about how this can be abused. The answer is simple: submit a low rating repeatedly and deflate the overall score. It sounds a bit complicated, but it's actually quite simple once you think about it and apply it properly.
Let's see how I did it.
Initial Rating Submission
Request
{"score":1}
Response
[3.8,{"1":0,"2":2,"3":6,"4":3,"5":7},18]
The application accepted the rating and updated the overall score.
Rating Manipulation
The same request was replayed multiple times using an intercepting proxy.
Request
{"score":1}
Response
[3.0,{"1":8,"2":2,"3":6,"4":3,"5":7},26]
After repeatedly replaying the same request:
Before
- Average Rating: 4.1
- Total Votes: 14
After Manipulation
- Average Rating: 2.9
- Total Votes: 27
A single user can repeatedly submit the same rating request, artificially increase the total vote count, and manipulate the overall rating score of any challenge. The root cause is that, on every replayed request, the backend:
- Recalculates the average rating.
- Does not validate whether the user has already rated.
- Does not enforce any rate limiting.
The server should track rating submissions per user per challenge and reject duplicate submissions server-side, regardless of request replays.
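To make the root cause and the fix concrete, here is an added example (my own model, not the target's code) of a minimal rating backend with the vulnerable handler beside a hardened one that keeps a per-user record. The seed distribution is constructed from the numbers in the first response above; RatingStore, submit_unchecked, submit, delete_rating and replay are hypothetical names.

```python
# Constructed seed taken from the write-up's first response:
# distribution {"1":0,"2":2,"3":6,"4":3,"5":7}, 18 votes, average 3.8.
SEED_DIST = {"1": 0, "2": 2, "3": 6, "4": 3, "5": 7}


class RatingStore:
    """In-memory rating backend for one challenge (hypothetical, not the target's code)."""

    def __init__(self, seed=SEED_DIST):
        self.dist = dict(seed)
        self.rated_by = {}  # user_id -> score: the per-user record the target lacked

    def summary(self):
        """Return [average, distribution, total] in the format shown in the write-up."""
        total = sum(self.dist.values())
        avg = round(sum(int(s) * n for s, n in self.dist.items()) / total, 1) if total else 0.0
        return [avg, dict(sorted(self.dist.items())), total]

    def submit_unchecked(self, user_id, score):
        """Vulnerable handler: every replayed request is counted as a new vote."""
        self.dist[str(score)] = self.dist.get(str(score), 0) + 1
        return self.summary()

    def submit(self, user_id, score):
        """Hardened handler: one vote per user; a replay is rejected, not re-counted."""
        if not 1 <= score <= 5:
            raise ValueError("score must be between 1 and 5")
        if user_id in self.rated_by:
            return None  # duplicate submission: answer with 409 Conflict, change nothing
        self.rated_by[user_id] = score
        self.dist[str(score)] = self.dist.get(str(score), 0) + 1
        return self.summary()

    def delete_rating(self, user_id):
        """Intended workflow: a user deletes their rating before submitting a new one."""
        score = self.rated_by.pop(user_id, None)
        if score is not None:
            self.dist[str(score)] -= 1
        return self.summary()


def replay(store, handler, user_id, score, times):
    """Simulate a proxy replaying the same {"score": N} request `times` times.
    Returns how many replays the handler accepted and the resulting summary."""
    accepted = 0
    for _ in range(times):
        if getattr(store, handler)(user_id, score) is not None:
            accepted += 1
    return accepted, store.summary()
```

Against the vulnerable handler, eight replays of {"score":1} reproduce the deflated [3.0, ..., 26] response from the write-up; against the hardened handler only the first is counted.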
And just like that, I could manipulate the ratings of challenges across the platform and influence the website's rating system.
The Win?
So, with all the information gathered about the bug, I created a PoC video, wrote a detailed bug report, and reported it to the target company via email.
This was a really fun and interesting bug, and I was hoping for something big from it. After a few days, here was their reply.
Bummer, but that's life. I was sad that it was marked as a duplicate, because it was something one might easily overlook, and it was quite interesting. But this only motivated me to hunt more, and guess what?
Later on, I reported multiple bugs. Some went duplicate, but I was also rewarded for several findings, including High, Medium, and Low severity vulnerabilities.
Tip: The point is not to give up. Keep working hard, and eventually you will be rewarded for your efforts. Like in my case, this interesting bug was marked as a duplicate, but many simpler and equally fun findings were accepted. That's life! Happy Hacking ✨
The End
If you found this article helpful, please follow, clap and leave a comment to read more from me and encourage me to write more. ♥️
🎯 Read my other Bug Bounty Writeups on Medium: Rivek's Blog List (curated by RivuDon).
Feel Free to connect with me on LinkedIn: (P.S. Do drop a message when sending a connection request.) https://www.linkedin.com/in/rivektamang/
🧑🏻💻 Interested in starting Bug Bounty / Ethical Hacking and Cybersecurity?
Book a 1:1 mentor session with me: ➡️ RivuDon — Rivek Raj Tamang