Wishlist Logic bug: How I Manipulated Item Quantities Without Access
Hello everyone! I’m Omar Mohamed, also known as 0xnanashi.
In this post, I’ll talk about a vulnerability I found that allowed me to manipulate item quantities for any wishlist.
Summary
The Core Vulnerability: Two Flaws, One Exploit
The flaw was a dangerous cocktail of two security issues:
- Broken Access Control: users could manipulate any public registry’s item quantities, even with zero ownership or permissions.
- Improper Input Validation: the backend used signed 32-bit integers without validating user input, enabling integer overflow exploits.
Together, these allowed me to hijack any wishlist.
Attack Workflow
I started by creating my own registry with some test items.
Then, I switched to another account and visited that registry as a normal user.
From there, I clicked “Mark as Purchased” and intercepted the request.
The request included a purchased_quantity parameter, so I thought, why not try adding a massive number?
{
"purchased_quantity": 9999999999999999
}
So I got that response:
So, there’s a limit we can’t bypass: the maximum value is 2,147,483,647. I entered that number into the purchased_quantity parameter to see what would happen.
Hmm, nothing interesting happened. So I thought, why not try sending the request again?
Oh! The needed item quantity changed from 1 to 3 — and no one should be able to change needed item quantities except the owner of the wishlist.
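To see how two additions of 2,147,483,647 can turn a needed count of 1 into 3, here is an added Go model (not the vendor’s backend and not code from the post) that assumes the displayed "needed" value is derived as requested minus purchased in int32 arithmetic; the vulnerable handler and the hardened one that bounds the increment by the remaining need are both my assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Hypothetical model of one registry item; as in the post, the backend keeps
// both counters in signed 32-bit integers.
type Item struct {
	Requested int32 // set by the registry owner only
	Purchased int32 // incremented by guests via "Mark as Purchased"
}

// Needed is the derived "still to buy" count shown on the wishlist page.
func (it Item) Needed() int32 { return it.Requested - it.Purchased }

// markPurchasedVulnerable models the reported behaviour: the value is only
// range checked against int32, never against the item, so the addition wraps.
func markPurchasedVulnerable(it *Item, qty int32) {
	it.Purchased += qty // 2147483647 + 2147483647 wraps to -2 in int32
}

var ErrInvalidQuantity = errors.New("purchased_quantity out of range for this item")

// markPurchasedHardened takes the raw JSON number (int64) and bounds it by what
// is still needed, so Purchased never exceeds Requested and cannot overflow.
func markPurchasedHardened(it *Item, raw int64) error {
	if raw < 1 || raw > int64(it.Needed()) {
		return ErrInvalidQuantity
	}
	it.Purchased += int32(raw)
	return nil
}

func main() {
	v := Item{Requested: 1}
	markPurchasedVulnerable(&v, math.MaxInt32)
	markPurchasedVulnerable(&v, math.MaxInt32)
	fmt.Printf("vulnerable: purchased=%d needed=%d\n", v.Purchased, v.Needed()) // needed=3

	h := Item{Requested: 1}
	fmt.Println("hardened:", markPurchasedHardened(&h, 9999999999999999), markPurchasedHardened(&h, math.MaxInt32))
	fmt.Println("hardened needed:", h.Needed()) // still 1
}
```

The hardened check rejects both the oversized JSON value and the int32 maximum, because neither fits the single unit still needed; the ownership rule for Requested is a separate authorization check that this model only notes in a comment.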