17 lines
434 B
Markdown
# Paddle Session Replay — Bug Bounty PoC

> Research use only. Test against your own account.

## What it does

Demonstrates that `paddle_session_vendor` is the sole auth token on
`vendors.paddle.com/dashboard/api/userinfo` with no IP/UA/device binding.

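The defensive counterpart to the finding above is a session store that binds each token to the client context observed at login and treats a presentation from a different context as a replay signal. The Python below is an added illustration, not code from this repository and not Paddle's implementation: `BoundSessionStore`, its method names, the audit event shape and the sample IPs and user agents are all assumptions made for the example.

```python
"""Illustrative session store that binds a bearer token to the client context
(source IP + User-Agent) seen when the token was issued. Hypothetical code
written for this README; not Paddle's implementation."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class SessionRecord:
    """Server-side state for one session; the raw token is never stored."""
    user_id: str
    context_fp: str      # keyed hash of the client context seen at login
    issued_at: float
    revoked: bool = False


class BoundSessionStore:
    """Assumed API: issue() at login, validate() on every request."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 3600) -> None:
        self._key = server_key
        self._ttl = ttl_seconds
        self._sessions: dict[str, SessionRecord] = {}
        self.audit: list[dict] = []  # events a SOC would forward to a SIEM

    def _fingerprint(self, client_ip: str, user_agent: str) -> str:
        # Keyed hash so a leaked record does not reveal the client's IP/UA.
        # Real deployments often bind to a coarser network identifier
        # (ASN or /24) so legitimate mobile users are not logged out.
        msg = f"{client_ip}\n{user_agent.strip().lower()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    @staticmethod
    def _token_id(token: str) -> str:
        # Store only a hash of the bearer token, as one would a password.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, client_ip: str, user_agent: str,
              now: float | None = None) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._token_id(token)] = SessionRecord(
            user_id=user_id,
            context_fp=self._fingerprint(client_ip, user_agent),
            issued_at=time.time() if now is None else now,
        )
        return token

    def validate(self, token: str, client_ip: str, user_agent: str,
                 now: float | None = None) -> tuple[bool, str]:
        """Return (accepted, reason). A token presented from a different
        client context is rejected, revoked, and written to the audit log."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._token_id(token))
        if rec is None:
            return False, "unknown_token"
        if rec.revoked:
            return False, "revoked"
        if now - rec.issued_at > self._ttl:
            return False, "expired"
        presented = self._fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(presented, rec.context_fp):
            rec.revoked = True
            self.audit.append({
                "event": "session_context_mismatch",
                "user_id": rec.user_id,
                "token_id": self._token_id(token)[:12],
                "at": now,
            })
            return False, "context_mismatch"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; RFC 5737 documentation addresses.
    store = BoundSessionStore(b"constructed-demo-key", ttl_seconds=600)
    tok = store.issue("vendor-42", "203.0.113.10", "Mozilla/5.0 (X11; Linux)")
    print(store.validate(tok, "203.0.113.10", "Mozilla/5.0 (X11; Linux)"))
    print(store.validate(tok, "198.51.100.7", "Mozilla/5.0 (X11; Linux)"))
    print(store.audit)
```

The mismatch branch both denies the request and revokes the session, so a token captured from one client stops working for the legitimate client too; that is deliberate, because at that point the token must be assumed compromised and the audit event is what tells the user and the SOC why they were signed out.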
## Install

```bash
pip install requests rich
```

## Usage

```bash
python exploit.py
# paste your paddle_session_vendor token when prompted
```

## Findings

See report.md for full vulnerability writeup.