We Just Got Funded β Who Needs Security, Right?
How I Got Admin Access to a VC-Backed Dating App in 10 Minutes Flat
A case study in how to speedrun your way into an admin dashboard... because someone forgot to close the signup endpoint.
π Scene: Romance + Series A
A shiny new dating app startup raised multi-million $ and started trending. Love was in the air. So was their admin panel.
π΅οΈββοΈ Recon Mode: On
Subdomain found: prod-internal-env.start.up
Redirects to: /app/login
Things were looking spicy.
Fired up Burp. Intercepted the login POST request to:
POST /auth/sign_in
Changed it to:
POST /auth/sign_up
The server responded with a helpful tip: βField 'role' is not optional.β
So I obliged.
{
"email": "[email protected],
"password": "Test12344,
"role": "admin"
}
Response: 200 OK.
Yup. That actually worked.
π― Dashboard Unlocked
Logged in with my new account, and boom β welcome to the moderation panel.
Things I now had access to:
- Full user database
- KYC ID docs
- Private match history
- Phone numbers
- Everything short of blood type
π Responsible Disclosure
βHey, can we jump on a quick call?β
Reached out privately. Demoβd the issue live.
To their credit: shocked, but polite.
π‘ Startup Lessons
- π Never leave signup exposed in prod β especially not with a "role" param.
- 𧱠Internal dashboards must be firewall-restricted. Always.
- π§ͺ Get a security audit before TechCrunch finds out.
βοΈ Final Thoughts
I'm not here to name-and-shame. Iβm here to help you stay out of the headlines.
"Would I know if something like this existed in my stack right now?"
If that question stings β you know where to find me. π