# Paddle Session Replay — Bug Bounty PoC

> Research use only. Test against your own account.

## What it does

Demonstrates that `paddle_session_vendor` is the sole auth token on `vendors.paddle.com/dashboard/api/userinfo` with no IP/UA/device binding.

## Install

```
pip install requests rich
```

## Usage

```
python exploit.py
# paste your paddle_session_vendor token when prompted
```

## Findings

See report.md for full vulnerability writeup.
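
The finding above is that the session cookie is accepted with no IP, User-Agent or device binding. As an added example (not code from this repository or from Paddle), the sketch below shows a server-side check that binds a session to the context it was issued in; `SessionStore`, `context_fingerprint` and `SERVER_KEY` are hypothetical names, and the addresses in the demo are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret


def context_fingerprint(ip: str, user_agent: str) -> str:
    """HMAC over a coarse network prefix plus the User-Agent string.

    A /24 (IPv4) or /48 (IPv6) prefix is used instead of the exact address
    so ordinary address churn inside one network does not end the session.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    msg = f"{network}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> (user, bound fingerprint)

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, context_fingerprint(ip, user_agent))
        return token

    def validate(self, token: str, ip: str, user_agent: str):
        """Return the user, or None. A context mismatch revokes the session."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound = entry
        if not hmac.compare_digest(bound, context_fingerprint(ip, user_agent)):
            del self._sessions[token]  # force re-authentication
            return None
        return user


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", "203.0.113.10", "Browser/1.0")  # constructed values
    print(store.validate(tok, "203.0.113.77", "Browser/1.0"))  # same /24
    print(store.validate(tok, "198.51.100.5", "Browser/1.0"))  # different network
```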