Saturday, November 14, 2015 critical vulnerability to remotely steal users' money

Eight days ago I tweeted about hitting with a critical vulnerability, and since it's now fixed and publicly disclosed on HackerOne, I decided to write about it here on my blog.

On Thursday's bug-hunting night, like other researchers, I decided to have a look at the newly published programs on HackerOne, so I started looking for bugs in algolia and , which were the two newest published programs.
I found some bugs in both websites, but the most interesting one was a bug in the cashier on

That bug allowed me to log in to any user's cashier account just by knowing the user ID.

Technical details about the bug can be found here on HackerOne; it's publicly disclosed. rewarded me with $300 for this, while I could have stolen thousands through this bug, but no, I would never do that :)
Anyway, I am happy with my finding, and this is actually one of the most serious bugs I have ever found ;)

Your feedback is highly appreciated.