Get Free Paytm cash from Yippee Masala Noodles Hack

Purchase yipee masala noodles and get free paytm cash

To participate input the cash code from noodles pack here http://paytm.com/yippee

1.Enter Cash code from YiPPee! pack, choose answer of skill question and click Proceed.

2.If you don’t have an account on Paytm. Click “New user” and create one now

3.Your Paytm Cash has been added to your account. Start shopping now !

How Was The Yeppee HACK Exploit Carried Out?

Things You Need:

2 Packets of Yippee noodles from same shop and next to each other manufacturing number.

Working internet connection.

Execution:

When you'd purchased a Yippee pack, on its 'masala' pack, you could see a "recharge coupon" used on PayTM to recharge the phone. Now here's the game. Since you bought 2 Yippee noodle packs made just next to one another, you defeated the coupon generating system as the system printed the coupons in series. For instance, if your code on Yippee pack 1 is ABCDEFGHIJ1, then it should be like ABCDEFGHIJ2 or BBCDEFGHIJ, etc. on the next pack. In short, the code should be somewhat in series.

Scripting:

Obviously, not all the codes in between were working. So I created a simple python script to test each code against original server validation mechanism and filtered out the working codes and discarded the used codes. I won't be posting my script here because I don't want it to be misused. Some of my friends achieved the same using javascript, which could also be a clean method for the trick. The mechanism of the script was simple, it just ran a loop of series and smartly checked whether the code was working or not with the appropriate JSON response from the PayTM server. There were no CSRF verifications or captcha to prevent attackers to misuse the functionality.

Possible Fix:

The team should have adopted a smart measure. Since their algo is obviously hidden, they should've mixed all the packs well and carefully without breaking noodles at the factory or must have coded a well designed totally entropy code system. Its not that hard to code one and stack all of them in database. The other possible fix could have been to limit attempts to server check query. They are neither checking the IPs, attempts of coupon checks, etc. They just return a simple JSON response message with appropriate message which is a cakewalk for a programmer to decode and loop a thousand codes altogether with a simple language like javascript.

Current Situation

Currently, the bug is fixed and my script no longer works. Also, I've heard that they've designed a new algorithm for their codes. Maybe this trick could work on older packs of Yippee noodles but not on new ones.