Blanja.live, is it ready for production?


Yo, recently I stumbled upon blanja.live, a site where live streamers can receive payments or donations from their viewers. It’s a really good idea (I totally didn’t implement this on 2035Gaming, well, RIP 2035G). So I did some digging and was excited to see something new. However, my first concern about this website was its safety: can I trust this company to store my donation money?


As a nerd, I did some “digging” and was able to bypass their payment gateway without paying at all, if that makes sense. This exploit only lets you spam the notifications. I know it’s confusing, so let me explain quickly. Streamers create a donation link -> Viewers decide to donate -> Streamers have an “overlay” page where the donation is displayed (e.g., I donated to myself with the message “Hello there!” and the message showed up on the overlay, which the streamer loads into OBS or a similar tool) -> That’s it. The streamers should then be able to see their donations on the blanja.live site; however, I was not able to. The site contains a lot of bugs and glitches, and one very MAJOR exploit.


Let me explain it again. The exploit lets you bypass the payment gateway (they use Pocket, but this is not Pocket’s fault) and spam the overlay with tons of notifications, as I explained above. However, I am not sure whether these invalid, never-paid payments are stored in my database. Let me just show you.


First things first, I signed up and poked around using just their user interface. It feels unresponsive to touch. Anyway, I was able to capture the create-order POST request, the one that creates an order:



Using Node.js and Axios, I was able to create a payment URL from Pocket:



Okay, so that’s two steps done. I will not tell you how, but I was able to get the “Payments Data” from the site WITHOUT any authentication:



This is the crucial part for spamming the streamer’s overlay. Displaying the order_id and success_indicator to the user is very bad practice. Very, very bad practice. The first rule of anything is: never trust the client. NEVER! With both the order_id and success_indicator in hand, I was able to generate a payment-success link that is REUSABLE, meaning every time I GET the link, the overlay plays the animation/announcement again:



Hopefully, blanja.live will fix these issues ASAP. Hiding the site inside a frame will not hide any of the CRUD requests my machine sends to your server. Implementing SSL is also important, but please strengthen the security first, mainly in how you handle items and in requiring proper authentication on most of your POST endpoints.


I am sorry if this blog post has triggered some of you, and for my disgusting grammar.


Thank you for reading,
Mirza Muqri.