I saved 10 million eToro accounts. That's cool.

12/02/2025

It's now a month, almost to the day, since I discovered the most significant exploit eToro has ever had identified by a non-employee (per HackerOne's official bug bounty records). It was also their highest-rated flaw ever.

In a since-deleted post, written out of frustration at eToro's initial reaction of dismissing the flaw as "intentional design", I had explained in part how that flaw was possible. For those who missed that post, I had detailed an exploit that allowed any person, of pretty much any level of coding skill or even none, to discover the exact equity values of a given account.

This was a flaw made possible by a recent update to the stats page on a user's overview. Somehow, and seemingly by a serious oversight on the part of an engineer, eToro had added the number of shares a user currently owns.

This is a value called LotCount within eToro's internal database, and it is usually only accessible for the user you are logged in as. For example, if I am logged into my own personal account, I can see that I own N shares of asset X. But I can't then see the number of shares Bob owns, because that would require Bob's authentication tokens, which are heavily protected.

But eToro added this LotCount parameter to a semi-public endpoint which only required a parameter called the CID, the eToro equivalent of a customer identification number. It's quite easy to get any user's CID value, because you can just open https://www.etoro.com/api/logininfo/v1.1/users/{username}, and the realCID value is displayed.

That in itself is a bit of a flaw, because once you have the CID you can access a lot of other functions exposed by other APIs you might find elsewhere. But when eToro accidentally added LotCount values, we could create a simple script to convert usernames to CIDs, and then send each CID to the portfolio contents API which carried the LotCount value.
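To show the shape of the bug and its fix from the defender's side, here is an added example (not eToro's code): a portfolio endpoint keyed by CID that first leaks an owner-only field to anyone, then the same endpoint releasing owner-only fields only when the authenticated session's CID matches the requested CID. The field names other than CID and LotCount, the sample positions and the Session type are hypothetical.

```python
"""Field-level authorization for a portfolio endpoint keyed by customer id (CID).

Added example, not eToro's code. Everything except the CID and LotCount names
taken from the post is hypothetical. The vulnerable handler trusts the CID
parameter alone; the fixed handler compares it with the session's own CID.
"""
from dataclasses import dataclass
from typing import Optional

# Fields anyone who can view a public profile may see (hypothetical names).
PUBLIC_FIELDS = {"instrument", "direction"}
# Fields that reveal exact position size and equity; owner-only.
OWNER_ONLY_FIELDS = {"LotCount", "OpenRate", "Amount"}


@dataclass(frozen=True)
class Session:
    cid: Optional[int]  # None means the caller is not logged in


# Constructed sample store: CID -> open positions.
POSITIONS = {
    1001: [{"instrument": "AAPL", "direction": "buy",
            "LotCount": 12.5, "OpenRate": 181.3, "Amount": 2000.0}],
    1002: [{"instrument": "TSLA", "direction": "sell",
            "LotCount": 3.0, "OpenRate": 240.1, "Amount": 720.0}],
}


def portfolio_vulnerable(requested_cid, session):
    """Before: returns every stored field for whatever CID is supplied."""
    return [dict(p) for p in POSITIONS.get(requested_cid, [])]


def portfolio_fixed(requested_cid, session):
    """After: owner-only fields are released only to the account's own session."""
    is_owner = session.cid is not None and session.cid == requested_cid
    allowed = PUBLIC_FIELDS | (OWNER_ONLY_FIELDS if is_owner else set())
    return [{k: v for k, v in p.items() if k in allowed}
            for p in POSITIONS.get(requested_cid, [])]


def leaked_owner_fields(response):
    """Regression check: owner-only keys present in a response body, sorted."""
    return sorted({k for p in response for k in p} & OWNER_ONLY_FIELDS)
```

Running `leaked_owner_fields` against a non-owner response in the test suite is what would have caught the regression the post describes: a new field added to a response is flagged the moment it reaches someone other than the account holder.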

In about 4 hours of processing, I had ended up with about 10,000 randomly picked accounts, all broken down into exact values. It must be said that all of this was done with eToro's permission: under the eligibility rules of bug bounty schemes, you must make a test account to run these tests on.

So whilst it might be tempting to point out that I know when people are lying, legally speaking I can't use that data to my advantage and have since deleted the records. (The exception to the rule is if your name is diegoubal, whose data I used to prove he was a fraud; he has since been permanently banned. He pissed me off.)

To eToro's credit, the bug was fixed within 48 hours, and my pay-out arrived relatively soon after, despite my technically having violated the rules on active disclosure. They realised they were in the wrong and that I had contributed something whilst being a complete non-professional who isn't a qualified bug bounty hunter and had literally just made the account to report the bug.

I could have very easily kept this secret and used it as a fun party trick, and it was genuinely tempting. But I already have a bag of party tricks, and this was a bit more serious: eToro was at serious risk of violating GDPR and various other data protection laws on a massive scale (20% of all 50 million+ users were impacted immediately).

I also learnt a lot from this experience. There are things I would do differently were a similar event to occur in the future, and perhaps more importantly I discovered that my random hobby of understanding this fascinating website's structure has benefitted huge numbers of people who will never know me.

It's a proud achievement to state, and occasionally brag about, particularly when you are at the age where you don't quite know what you will be doing in the future; it showed me I do have some skill and tenacity in things I genuinely find interesting. I am often told I am wasting my time, but well...

I wasted my time, saved 10 million accounts and got paid.

You are welcome.

I am now on eToro's bug bounty scheme for future bug spotting, and I hope to post updates on future findings as they come, however boring that may be :)

In addition to all that, I have started work on using my knowledge of eToro to develop an automated bot for detecting trades across thousands of users. It's currently running through a Discord server and, whilst it is still in development, you can check it out at https://discord.gg/y43WQSccyM




© 2023 Marau All rights reserved.
@Marau2021