Not sure about you, but I move around a lot.
Being as my team and I have all been permanently ID-banned off of Uber for a previous exploit totaling $30,000+ in customer-related losses, I tend to use Lyft nowadays. (If there was a HackerOne option to report flaws of this nature, it would have been reported. Unfortunately, Uber has no interest in the exploitation of their own networking vulnerabilities and enjoys waving their endpoints around like a well-endowed male stripper.)
Anyways; always on the lookout while browsing, I noticed something strange a while ago. A small bug, if you could even call it that...
I was able to get an automatic refund out of Lyft on a previously-missed order. I was refunded in full. Zero customer-interaction, completely within the bounds of Lyft's policy, and with the countless priority rides that I have taken (extra grounds for refund, higher standards) I was able to obtain roughly $150 in past orders by simply repeating this process:
Top-left "Burger" Navigation Icon >> "Help" >> "View all rides"
From there I simply went down the list, clicking on the individual rides >> "Dispute ride fare or charges" >> "Something else".
About 70% of my rides were eligible for some form of cash-back in the form of Lyft credits or refund to original payment, which I was able to extract ~$50 from... It was like fixing somebody's credit report except the credit bureaus were pointing out their own inconsistencies and immediately refunding you. Lyft credits ~$75 total... I really hope I didn't just fuck these guys' careers but hey, that's Lyft's issue.
No formal submission for bug bounties of this nature so here you go.
Not really an exploit or particularly noteworthy, probably some information Lyft would rather you not know though.
Borderline shitpost, hopefully you find this interesting and are able to score a few bucks out of this small flaw while it lasts, though.
<3 hallowed; sequel
Data-Intelligence Agency, NATO-Europe
Unit */*/*; Director/Instructor of Human & Open-Source Intelligence
Social Engineering/Fraud Investigations (Unit 4/Delta/U4); Team Lead