---
title: "Payment bypass on Twitch and Roblox"
description: "I discovered a vulnerability in the payment service provider used by Twitch and Roblox that allowed me to make purchases for nearly free."
publishDate: "25 Sep 2024"
langs: [en]
draft: false
tags: [research, responsible, disclosure, payment, bypass, vulnerability, beg bounty]
---
**tl;dr**: I discovered a [vulnerability](#change-the-state) in the payment service provider [Xsolla](https://xsolla.com/) - used by Twitch, Roblox, and many others - that allowed for nearly free subscriptions/payments. This flaw was reported and fixed through Roblox and Xsolla's bug programs.
## Introduction
I was watching someone do a CTF live on Twitch and after watching a couple of ads I noticed the "Twitch Turbo" feature where for X dollars a month you can skip all ads. There's also a monthly streamer subscription where for X amount of $ a month you support the streamer and gain emotes/recognition/loneliness/etc.
![Yes this cover image was made with Openai - the prompt I used is on my Github](./img/logo.png)
For mere curiosity - and because I love looking at payment flows and payment logic bypasses - I decided to look at the payment processing system being used.
## Novel Payment Bypasses
Generally speaking, payment logic bypasses happen in some of the following instances:
- Attacker can change the payment value of the current purchase state - anywhere in the payment flow - and perform a successful transaction that marks the state as completed:
To avoid data tampering, most modern payment flows cryptographically sign the payment data. When a POST request is made toward the payment provider, a signature of these values is sent along with the payment values and IDs. Ideally, this signature is computed server-side only after all the parameters have been validated and the server has deemed the payment state valid and untampered with.
There are however [instances](https://hackerone.com/reports/1295844) where that's not the case - the signature gets generated client-side, where an attacker can easily intercept and tamper with it through JavaScript breakpoints 1.
- Attacker completes the purchase of a cheaper item and uses its transaction ID to confirm a much more expensive purchase state. This can happen when the backend performs no purchase-state <-> transaction-state correlation checks.
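The two checks described above, as an added illustration (not Xsolla's code, nor anything from the original post): a server-side HMAC over the canonicalised payment parameters, which rejects a purchase state whose amount was altered after signing, and a confirmation step that correlates the transaction ID with the purchase state it claims to complete. The secret, the ledger and the item names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real backend loads this from a secrets store and
# never ships it to the client, otherwise the client can simply re-sign.
SECRET = b"constructed-demo-secret"


def canonicalise(params: dict) -> bytes:
    """Deterministic encoding so client and server sign exactly the same bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign_payment(params: dict) -> str:
    """Server-side step: sign the payment state only after it has been validated."""
    return hmac.new(SECRET, canonicalise(params), hashlib.sha256).hexdigest()


def verify_payment(params: dict, signature: str) -> bool:
    """Provider-side step: any change to amount/item/order after signing fails here."""
    return hmac.compare_digest(sign_payment(params), signature)


# Constructed ledger of completed transactions: transaction_id -> (item, amount in cents)
LEDGER = {
    "txn-001": ("sticker_pack", 99),
    "txn-002": ("turbo_monthly", 1199),
}


def confirm_purchase(purchase_state: dict, transaction_id: str) -> bool:
    """Correlate the transaction with the purchase state it is meant to complete.

    Without this, a cheap completed transaction could be replayed against a more
    expensive pending purchase state (the second bypass pattern in the text).
    """
    record = LEDGER.get(transaction_id)
    if record is None:
        return False
    item, amount_cents = record
    return (
        item == purchase_state["item"]
        and amount_cents == purchase_state["amount_cents"]
    )
```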