Let’s Unlock Advanced Permissions

Yousef Muhammedelkhir
4 min read · Apr 19, 2024

In the name of God, the Most Gracious, the Most Merciful

  • Hello there, my name is Yousef Ismail — rofes.

I will share with you the most interesting finding I discovered in the @revenuecat private program on HackerOne.

In this program, you can create a project and invite collaborators with two types of permission: Administrator and View only.

  • Administrator: can view and manage everything except billing. This role can invite other collaborators to your project.
  • View only: can view most project data but cannot make any edits.

I clicked on “More information about permissions” to learn more about these permissions and what they can do,

and found three other permissions, available only on the Scale and Enterprise plans.

  • Growth: this role is for anyone who needs control over the project but is not a developer. They can view nearly everything and edit things like Paywalls, Offerings, Entitlements, and Products.
  • Developer: this role is for anyone who needs control over your app configuration and integrations, but must not view any financial data. They can view and manage customer data available on Customer Timelines.
  • Support: this role is for anyone who needs to manage individual customers, but must not view any financial data or most app settings. They can see Customer Timelines, grant Promotional Entitlements, issue refunds, and delete customers.

After clicking on “More information” to learn about the permissions and what they do, I started thinking about where I could get an account to test these roles. After a few minutes, I had an idea: “What if I try to guess these roles and attempt to invite myself with them?”

I sent the invite-collaborator request to Repeater and edited the role field to “growth”, guessing the name of the permission. To my surprise, API debug mode was enabled, and the error response listed the available roles.

So I entered the correct role name, and it worked! I received the invite success email in my inbox. I wrote my report, and the team accepted the issue, rewarding me with this response:

After a few days I came back to test the issue again and tried to bypass the fix.

  • I tried adding characters at the start and end, adding spaces, using Unicode, and many other ideas, but none of them worked.
  • I thought the issue was fixed and there was no way to bypass it. However, I didn’t stop there. I said to myself, “What if I change the first character to uppercase?”

I changed customer_support to Customer_support and, to my big surprise, it worked: I could now invite other collaborators with the advanced permissions.

I wrote a new report and sent it, and they accepted it with this response:

After that they fixed the bug and rewarded me.
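To show why the uppercase trick worked, here is an added, constructed model of the two checks (not RevenueCat’s code; the plan names, role strings and function names are assumptions). The first version compares the role against a case-sensitive blocklist and only lowercases it afterwards for storage, so “Customer_support” slips through; the second canonicalises first and allowlists against what the plan actually grants, and its error no longer enumerates the valid roles the way the debug response did.

```python
# Constructed model of the invite-role check; roles are taken from the post.
PLAN_ROLES = {
    "free": {"administrator", "view_only"},
    "scale": {"administrator", "view_only", "growth", "developer", "customer_support"},
}
ADVANCED_ROLES = {"growth", "developer", "customer_support"}


class InviteError(ValueError):
    """Raised when an invite is rejected."""


def canonical(role: str) -> str:
    """Normalisation applied before the role is stored."""
    return role.strip().lower()


def invite_vulnerable(plan: str, role: str) -> str:
    """First fix: block advanced roles the plan lacks, but compare case-sensitively."""
    blocked = ADVANCED_ROLES - PLAN_ROLES[plan]
    if role in blocked:                      # "customer_support" is caught here...
        raise InviteError("role not available on this plan")
    stored = canonical(role)                 # ...but "Customer_support" is not, and becomes it here
    if stored not in PLAN_ROLES["scale"]:
        # Debug-style error that leaks the accepted values to the caller.
        raise InviteError(f"invalid role; valid roles: {sorted(PLAN_ROLES['scale'])}")
    return stored


def invite_hardened(plan: str, role: str) -> str:
    """Canonicalise first, then allowlist against the roles this plan grants."""
    stored = canonical(role)
    if stored not in PLAN_ROLES[plan]:
        raise InviteError("invalid role")    # no enumeration of accepted values
    return stored


def rejects(check, plan: str, role: str) -> bool:
    """True when the given check refuses the invite."""
    try:
        check(plan, role)
    except InviteError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable accepts Customer_support on free plan:",
          not rejects(invite_vulnerable, "free", "Customer_support"))   # True
    print("hardened accepts Customer_support on free plan:",
          not rejects(invite_hardened, "free", "Customer_support"))     # False
```

The rule the hardened version follows is the general one: normalise the value exactly the way the storage layer will, and only then compare it against an allowlist scoped to the caller’s plan.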

Timeline

1 — Submitted the report on March 17, 2024.

2 — Fixed and rewarded on March 23, 2024.

3 — Submitted the new bypass on March 27, 2024.

4 — Triaged on March 29, 2024.

5 — Fixed and rewarded on April 4, 2024.

  • I received permission from RevenueCat to share my findings with the public, and the truth is, their security team is excellent and extremely responsive in resolving bugs. They are also great at communication. Respect to them.

Thank you for reading. If you have any questions, feel free to ping me on X or LinkedIn.
