Over the weekend, a lot of photos and screenshots appeared on the web showing improbably high numbers of so-called Żapps, i.e. the loyalty points that can be earned for shopping at Żabka. It was not difficult to guess that some users had, in some dishonest way, added tens or sometimes even hundreds of thousands of points to their accounts.
A bug in the Żabka app allowed free purchases. How did it happen?
Shortly afterwards, photos appeared online of car trunks full of shopping belonging to people who had “earned” in the Żabka application and exchanged the points for products in its stores. An explanation of how users managed to award themselves the popular chain's virtual coins also appeared online.
As the industry website describes, it all came down to a likely hole in the application's API (programming interface), which allowed the appropriate request to be sent to the program without authorization and without knowing a token with the appropriate permissions. However, it is not clear who managed to find the vulnerability, or how, and to work out the correct content of the request.
In the end, this method made it possible to add almost any number of points to any account. It was enough to know the account's e-mail address and enter it in the request. As a result, Internet users awarded themselves thousands of points in the application without any checks, then bragged about it online and rushed to the stores for free shopping.
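As an added illustration (not code from the article, and not Żabka's actual system), here is a minimal Python handler for a points-credit endpoint that closes the kind of hole described above: the caller's identity comes from a session token rather than from an e-mail field in the request, only amounts recorded server-side for a purchase the caller owns are credited, and every decision is logged. All names and values (ACCOUNTS, SESSIONS, PURCHASES, tok-alice, p-1) are constructed for the demo.

```python
# Constructed in-memory state for the demo (hypothetical, not a real loyalty API).
ACCOUNTS = {"alice@example.com": 0, "bob@example.com": 0}   # e-mail -> points
SESSIONS = {"tok-alice": "alice@example.com"}                  # session token -> e-mail
PURCHASES = {"p-1": {"email": "alice@example.com", "points": 20, "credited": False}}
AUDIT_LOG = []   # the kind of trace the article says identifies perpetrators


def credit_points(headers, body):
    """Credit loyalty points for one purchase.

    Two rules close the hole the article describes:
      1. the caller's identity comes only from a valid session token,
         never from an e-mail field in the request body;
      2. the amount comes from a server-side purchase record owned by
         that caller, never from a number the client sends.
    Returns the new balance, or None when the request is refused.
    """
    email = SESSIONS.get(headers.get("Authorization", ""))
    if email is None:
        AUDIT_LOG.append(("reject", "missing or invalid token", dict(body)))
        return None
    # Any client-supplied "email" or "points" field is ignored, never trusted.
    purchase = PURCHASES.get(body.get("purchase_id"))
    if purchase is None or purchase["email"] != email:
        AUDIT_LOG.append(("reject", email, "purchase not found or not owned"))
        return None
    if purchase["credited"]:          # a receipt can be redeemed only once
        AUDIT_LOG.append(("reject", email, "already credited"))
        return None
    purchase["credited"] = True
    ACCOUNTS[email] += purchase["points"]
    AUDIT_LOG.append(("credit", email, purchase["points"]))
    return ACCOUNTS[email]
```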
“Free” shopping at Żabka. Dishonest customers left many traces behind them
No wonder that both Żabka and the police quickly sprang into action. As Niebezpiecznik.pl describes, this fraud method leaves many traces that Żabka can use to identify the perpetrators, especially where they topped up accounts tied to their own e-mail addresses. Some people's access to the application has already been blocked.
According to information from one of the website’s readers, the police entered the apartment of one of the application's users. The man reportedly described in detail the method of stealing Żapps via the vulnerability in the Internet API.
Ricardo is a renowned author and journalist, known for his exceptional writing on top-news stories. He currently works as a writer at the 247 News Agency, where he is known for his ability to deliver breaking news and insightful analysis on the most pressing issues of the day.