heavenly's blog

beerbuddy - 1m+ users

published on september 4, 2025 • edited on september 16, 2025

in this post, i will walk through how i found a data leak, missing rate limiting, and unprotected endpoints in beerbuddy

tools used

postman, requestly

what happened?

a classic case of "forgot to rate limit everything", "left my user uid and profile photos bucket public" and "forgot to check the bearer token"

bug tags

cwe-552 - public bucket
cwe-400 - no rate limiting on cool endpoints
cwe-284/285 - no bearer authorization checking

the action

my setup

i found this cool tool, requestly, that i have been using; it allows me to read requests and also add rules to them. i set up my phone to proxy through my requestly instance on my macbook, then loaded up beerbuddy to check out the requests.

what i noticed

all the profile photos get loaded on app startup from a firebase bucket. all the images on each post get loaded from a cloudflare bucket. i checked both buckets to see what i could get, and the profile photos bucket was open, allowing me to enumerate it and get like 2 million lines' worth.

i made an http request and realized that, for some reason, the notification to your friends that you started drinking is done client-side? so that means i could spoof as many notifications as i wanted. while fiddling with the request, i realized that i could change the recipient to any of my friends, and on further inspection i realized that none of the fields even mattered, and neither did the bearer token. i could do literally whatever i wanted with one post, as long as i knew the username i wanted to send a notification to.

in addition to that, i spammed the endpoint a few times (7 requests manually sent through postman) and found out there wasn't any rate limiting. with this power, i could pick multiple people (they had a bulk notification send endpoint) and spam them eternally with hundreds+ of notifications.

results

what i learned

in some cases the bearer token is never actually checked on the server, and in some cases a lot of the fields in a post request aren't even read or used, so the client ends up deciding who the notification is from, who it goes to, and how many are sent.
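as an added illustration (not the author's code and not beerbuddy's backend, which isn't shown), here is how a "started drinking" notification handler can close the three gaps above server-side: the sender is taken from a verified bearer token rather than the body, recipients must be friends of that sender, and a per-sender rate limit covers bulk sends. the toy HMAC token format, the friend list and the limits are all constructed for the demo.

```python
import hmac
import hashlib
import time

# Constructed demo values, not BeerBuddy's: signing secret, friend graph, limits.
SECRET = b"demo-signing-secret"
FRIENDS = {"alice": {"bob", "carol"}, "bob": {"alice"}, "carol": {"alice"}}
RATE_LIMIT = 5          # notifications per sender per window (bulk counts each recipient)
WINDOW_SECONDS = 60
_sent = {}              # sender -> timestamps of notifications sent


def issue_token(username: str) -> str:
    """Mint a toy bearer token of the form 'user.mac' (demo scheme only)."""
    mac = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def verify_token(header):
    """Return the username bound to a valid 'Bearer user.mac' header, else None."""
    if not header or not header.startswith("Bearer "):
        return None
    user, _, mac = header[len("Bearer "):].partition(".")
    if not user or not mac.isascii():
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def _over_limit(sender: str, count: int, now: float) -> bool:
    """Sliding-window check: would sending `count` more exceed RATE_LIMIT?"""
    recent = [t for t in _sent.get(sender, []) if now - t < WINDOW_SECONDS]
    _sent[sender] = recent
    return len(recent) + count > RATE_LIMIT


def handle_notify(auth_header, body, now=None):
    """Server-side notification endpoint. Returns (http_status, detail)."""
    now = time.time() if now is None else now
    sender = verify_token(auth_header)          # identity comes from the token...
    if sender is None:
        return 401, "invalid or missing bearer token"
    recipients = set(body.get("recipients", []))  # ...never from body['sender']
    if not recipients:
        return 400, "no recipients"
    if not recipients <= FRIENDS.get(sender, set()):
        return 403, "recipient is not a friend of the sender"
    if _over_limit(sender, len(recipients), now):
        return 429, "rate limit exceeded"
    _sent[sender].extend([now] * len(recipients))
    return 200, f"notified {sorted(recipients)} from {sender}"
```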

[image: notif-spam]

bounty

$0.00 - i emailed the beerbuddy owners; it looks like they fixed the bug, but i didn't get any recognition or anything. i asked if they paid for bug bounties and they didn't say yes or no, just asked what bug(s) i found. i asked for an engineering role, but it looks like they won't be giving me anything.