Task 1 of 4

The Airline That Let People Fly for Free

In 2017, a researcher found a business logic flaw in a major airline's flight booking system: the final payment step sent the ticket price in the request body, and the server charged whatever number it received. Changing the price to $0.00 produced a valid booking confirmation for a real flight, complete with a confirmation email.

This is not hypothetical. Variants of this flaw have been found in airline booking systems, e-commerce platforms, subscription services, and banking applications. The pattern is always the same: the server trusts a value from the client that it should have calculated itself.
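The flaw and its fix side by side, as an added example that is not code from the original page or from any airline. The fare table, the route names and the `charge_card` stub are constructed for illustration; the point is only that the price is looked up server-side and a client-supplied price is never used for the charge.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed fare table. In a real system this is the fare database,
# which is the only place a price may legitimately come from.
FARES = {
    "LHR-JFK": Decimal("412.00"),
    "SFO-NRT": Decimal("689.50"),
}


@dataclass
class Booking:
    route: str
    charged: Decimal
    confirmed: bool


def charge_card(card: str, amount: Decimal) -> None:
    """Placeholder payment call (hypothetical). Note that a $0.00 charge
    'succeeds', which is exactly why the vulnerable handler issues free tickets."""
    if amount < 0:
        raise ValueError("negative charge")


def vulnerable_checkout(request: dict) -> Booking:
    """The flaw described above: the price is read from the request body."""
    route = request["route"]
    price = Decimal(str(request["price"]))  # attacker-controlled
    charge_card(request["card"], price)
    return Booking(route, price, True)


def hardened_checkout(request: dict) -> Booking:
    """The price is recomputed from server-side data. If the client still
    sends a price and it disagrees with ours, that is tampering: reject it
    and log it rather than silently correcting it."""
    route = request["route"]
    if route not in FARES:
        raise ValueError("unknown route")
    price = FARES[route]
    if "price" in request and Decimal(str(request["price"])) != price:
        raise ValueError("price mismatch: client-supplied price rejected")
    charge_card(request["card"], price)
    return Booking(route, price, True)


if __name__ == "__main__":
    tampered = {"route": "LHR-JFK", "price": "0.00", "card": "4111-test"}
    print("vulnerable:", vulnerable_checkout(tampered))
    try:
        hardened_checkout(tampered)
    except ValueError as exc:
        print("hardened:", exc)
```

The same rule applies to every value the client can only ever *echo* rather than *decide*: quantities are the client's choice, but unit price, discount, tax and total are not.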

THREE REAL BUSINESS LOGIC INCIDENTS
Starbucks — Gift Card Race Condition (2015)
A user discovered they could transfer the balance from one Starbucks gift card to another, then transfer from the source card again before the first transfer had been recorded. By firing many identical requests at the same instant, they could turn a single card's balance into unlimited money. Starbucks had no safeguard against concurrent operations on the same resource: every request checked the balance, found it sufficient, and debited it, and none of them saw the others' debits.
Robinhood — Infinite Leverage Glitch (2019)
Traders discovered a flaw in how Robinhood's margin system counted collateral: a user could buy stock on margin, sell covered calls against it, and have the option premium received counted as their own equity. That raised their buying power, which let them borrow more and repeat the cycle. One user reportedly turned about $4,000 of deposits into roughly $1,000,000 in buying power. The flaw was in the logic that recalculated collateral and buying power after the options trade.
Bitcoin Exchange — Negative Balance Exploit (2016)
An attacker on a Bitcoin exchange discovered that withdrawing more than the account balance was not refused; it simply pushed the balance negative, and the system then treated the negative figure as credit. By repeating the withdrawal, they extracted real Bitcoin against a balance that had never been deposited. The exchange paid out coins it had never received.
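The Starbucks race and the negative-balance withdrawal are the same defect seen twice, a balance check performed separately from the debit that depends on it, and they share one fix. The following is an added example, not code from the original page or from either company: a constructed two-card ledger in SQLite, a deterministic simulation of the interleaving that double-spends under a check-then-act transfer, and the atomic form that checks and debits in a single statement. The `CHECK (balance >= 0)` constraint is the second line of defence, so that even a buggy code path cannot drive the ledger negative.

```python
import sqlite3


def make_db(check_constraint: bool = False) -> sqlite3.Connection:
    """Constructed sample ledger: card A holds 50, card B holds 0.
    With check_constraint=True the schema itself refuses negative balances."""
    ddl = "CREATE TABLE cards (id TEXT PRIMARY KEY, balance INTEGER NOT NULL"
    if check_constraint:
        ddl += " CHECK (balance >= 0)"
    ddl += ")"
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", [("A", 50), ("B", 0)])
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, card: str) -> int:
    return conn.execute("SELECT balance FROM cards WHERE id = ?", (card,)).fetchone()[0]


def naive_check(conn: sqlite3.Connection, src: str, amount: int) -> bool:
    """Check step of a check-then-act transfer: read the balance and decide."""
    return balance(conn, src) >= amount


def naive_commit(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> None:
    """Act step: applies the debit decided earlier, without re-checking."""
    conn.execute("UPDATE cards SET balance = balance - ? WHERE id = ?", (amount, src))
    conn.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
    conn.commit()


def race_naive(conn: sqlite3.Connection, src: str, dst: str, amount: int, n: int):
    """Deterministic simulation (no real threads) of n concurrent requests that
    all pass the check before any of them commits: every one sees the original
    balance, every one debits, and the source card goes negative."""
    decisions = [naive_check(conn, src, amount) for _ in range(n)]
    for ok in decisions:
        if ok:
            naive_commit(conn, src, dst, amount)
    return balance(conn, src), balance(conn, dst)


def naive_withdraw(conn: sqlite3.Connection, card: str, amount: int) -> int:
    """The exchange bug: no balance check at all, the ledger goes negative."""
    conn.execute("UPDATE cards SET balance = balance - ? WHERE id = ?", (amount, card))
    conn.commit()
    return balance(conn, card)


def atomic_transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Check and debit in one statement. The database serialises concurrent
    UPDATEs on the same row, so only transfers the balance can cover succeed;
    rowcount tells us whether this one did."""
    if amount <= 0:
        return False
    cur = conn.execute(
        "UPDATE cards SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, src, amount),
    )
    if cur.rowcount != 1:
        conn.rollback()
        return False
    conn.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
    conn.commit()
    return True


if __name__ == "__main__":
    print("naive race, 3 requests of 50:", race_naive(make_db(), "A", "B", 50, 3))
    conn = make_db()
    print("atomic, 3 requests of 50:", [atomic_transfer(conn, "A", "B", 50) for _ in range(3)])
    print("naive withdraw of 80 from 50:", naive_withdraw(make_db(), "A", 80))
```

In a real deployment the same idea is expressed as a conditional `UPDATE`, a `SELECT ... FOR UPDATE` inside the transaction, or an optimistic version column, and an idempotency key on the request stops a retried or replayed transfer from being applied twice.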

In every case, no hacking tools were needed. The attackers understood how the application was supposed to work — and then found the gap between that and how it actually worked.


The Starbucks gift card exploit involved sending many simultaneous requests before the first one settled. What is this type of vulnerability called?
