j1mmie@alien.top 1 points 1 year ago

1999 or 2000 maybe? I'm 14 years old. I've recently discovered NEOPETS.

Here's how I became a Neopets billionaire, for 12 minutes.

In Neopets there was a daily roulette game you could play. You click a button, you get rewarded with a random (small) amount of Neopoints. Being a tinkerer, I looked under the hood. It makes an AJAX request, to a URL like wheel.php or something, and responds with the number of points that were deposited on the backend. The backend runs all this logic - you could hit that URL as many times as you like, but it would return 0 if you played more than 5 times that day.

All Neopets URLs were .php, and from other tests I learned that Neopets had variable injection enabled in their configuration. (Or rather, not disabled)

At the time, PHP3 had variable injection enabled by default. So one could add any parameter to the URL (?myVar=123) and set the initial value of any variable in vulnerable PHP scripts. Usually, even if you injected a variable, the initial value would get overwritten by the script anyway, as the result of some action. So with Neopets this never netted me anything of value, but I had occasionally stumbled upon some interesting / unexpected behavior.

My initial goal was to make it so I could request that URL more than 5 times / day. I tried overriding the date, ?date=, ?now=, etc.

I tested a bunch of potential variable names haphazardly, and eventually stumbled upon ?win=1. In the flurry of testing and refreshing and doing other stuff, I wasn't positive, but I could swear my Neopoints balance was 1 higher than earlier. I tried again: ?win=100. Refresh. I had 100 more Neopoints.

I thought to myself "This isn't real. This is too easy." But the money persisted, and I was able to spend it. I tested a few more amounts.

While I was hacking away, my friend from down the street rang my doorbell. I got up from the family computer, let him in and said "Dude, you're not gonna believe what I just discovered." I asked "How much should I steal from Neopets?" He said, "5 billion."

I hesitated, because I knew that this would raise some alarms. But, the number was so high (above the 32-bit limit), I actually expected the request to fail.

?win=5000000000. Refresh.

Sure enough, I was Neopets' first multi-billionaire.

It blew my mind. My friend thought it was... neat. His reaction brought me back down to Earth a bit. We didn't have time to celebrate. My friend and I had some important skateboarding to do. We left the house for a few hours.

When I got back, I found that my wallet had been completely drained. Zero points. I also found an email from Neopets in my inbox. Something like:

"Thank you for discovering that vulnerability for us. We've taken action to correct it. Have a great day!"

The email was sent just 12 minutes after we left the house.

I responded asking for some sort of bounty. Even to restore the points I had pre-exploit. They replied with a simple "Nope."
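
The variable injection described in the post matches PHP's old register_globals setting (removed in PHP 5.4). The sketch below is an added example, not part of the original post and not Neopets' code: it uses `extract()` to emulate that behaviour and shows one assumed shape such a bug can take, next to a hardened version that also reports unexpected parameters. The function names, the `plays` and `win` variables' roles and the prize rule are all assumptions.

```php
<?php
// Added illustration, not Neopets' code. All names and the prize rule are assumed.
const MAX_PLAYS_PER_DAY = 5;

// "Before": extract() stands in for the old behaviour of turning every query
// parameter into a variable before the script's own code runs.
function wheel_vulnerable(array $query, int $playsFromDb, int $spin): int
{
    extract($query, EXTR_SKIP);      // EXTR_SKIP: never clobber names already defined
    $plays = $playsFromDb;           // script-assigned, so an injected ?plays= is overwritten
    if ($plays >= MAX_PLAYS_PER_DAY) {
        return 0;
    }
    if ($spin > 0) {
        $win = $spin * 10;           // only assigned on a winning spin...
    }
    return (int) ($win ?? 0);        // ...so on a losing spin an injected ?win= is paid out
}

// "After": nothing from the request reaches local scope, every variable is
// initialised, and parameters the endpoint does not define are reported.
function wheel_hardened(array $query, int $playsFromDb, int $spin, array &$unexpected): int
{
    $unexpected = array_keys($query);   // this endpoint takes no parameters at all
    $win = 0;
    if ($playsFromDb < MAX_PLAYS_PER_DAY && $spin > 0) {
        $win = $spin * 10;
    }
    return $win;
}

// Constructed sample requests: query parameters, plays so far today, spin result.
$samples = [
    'normal losing spin'  => [[], 2, 0],
    'normal winning spin' => [[], 2, 3],
    'injected plays'      => [['plays' => '0'], 5, 3],
    'injected win'        => [['win' => '100'], 2, 0],
];
foreach ($samples as $label => [$query, $plays, $spin]) {
    $flagged = [];
    printf(
        "%-20s vulnerable=%-4d hardened=%-4d unexpected=[%s]\n",
        $label,
        wheel_vulnerable($query, $plays, $spin),
        wheel_hardened($query, $plays, $spin, $flagged),
        implode(',', $flagged)
    );
}
```

The `unexpected` list is the detection hook: a parameter name the endpoint never defines showing up in requests is worth logging and alerting on, independent of whether it changes the result.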