Paddle Session Replay — Bug Bounty PoC
Research use only. Test against your own account.
What it does
Demonstrates that paddle_session_vendor is the sole auth token on
vendors.paddle.com/dashboard/api/userinfo with no IP/UA/device binding.
Install
pip install requests rich
Usage
python exploit.py
Paste your paddle_session_vendor token when prompted.
Findings
See report.md for full vulnerability writeup.
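
The server-side view of the missing binding described under "What it does", as an added example that is not part of this repository and not Paddle's code. It assumes a hypothetical in-memory session store; `SESSIONS`, `issue_session`, `check_bearer_only` and `check_bound` are names invented here to contrast a cookie-only check with one bound to the User-Agent and IPv4 /24 seen at login.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: a per-deployment secret and an in-memory store.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session token -> binding tag recorded at login


def _binding(user_agent: str, ip: str) -> bytes:
    """HMAC over the client context: User-Agent plus the /24 of an IPv4 address."""
    prefix = ".".join(ip.split(".")[:3])
    msg = f"{user_agent}\n{prefix}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_session(user_agent: str, ip: str) -> str:
    """Create a session and remember the context it was issued to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = _binding(user_agent, ip)
    return token


def check_bearer_only(token: str) -> bool:
    """Weak form: the cookie value alone authenticates the request."""
    return token in SESSIONS


def check_bound(token: str, user_agent: str, ip: str) -> bool:
    """Hardened form: the cookie must arrive from the context it was issued to."""
    expected = SESSIONS.get(token)
    if expected is None:
        return False
    if not hmac.compare_digest(expected, _binding(user_agent, ip)):
        SESSIONS.pop(token, None)  # context changed: revoke and force re-login
        return False
    return True
```

IP address and User-Agent are soft signals: legitimate clients change networks, so a deployment may prefer step-up authentication to outright revocation on mismatch.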