dripped
Story 01 / Bug Bounty Write-up

Authorization Bypass Let Free Users Reach Premium Hinge Features Through the API

This write-up covers a moment where loneliness, an empty wallet, and a security mindset collided. Hinge showed me profiles that were clearly positioned as premium-only, and that raised a simple question: was the paywall actually enforced on the backend, or was it mostly a design decision in the app?

Reported Dec 1, 2025 Closed Informative Business Logic Redacted Public Version

Hacker Summary

The core issue was a backend authorization gap. Some profiles were visually locked behind a premium upsell, but the server did not appear to re-check entitlement strongly enough before accepting follow-up actions tied to those profiles. That made the paid restriction feel more like a UI rule than an actual access-control boundary.

How I Ended Up Looking At It

I downloaded Hinge at a point where I was both lonely and broke, which is not a great combination when you also happen to be extremely picky. I started using the app like most people do: liking profiles that matched what I found attractive, and passing on the ones that did not.

What most users do not really think about is that every one of those decisions is training data. You are teaching the recommendation system what you respond to, what you ignore, and what kind of profile will probably make you stop scrolling. After enough of that, the app starts to build a sharper model of your taste than it had on day one.

That is why the Standouts feature caught my attention. From a product perspective, it makes sense: if the system thinks certain profiles are unusually strong matches for you, those are exactly the profiles it wants to monetize. Instead of a normal like, you are nudged toward a paid interaction through roses. The whole flow is designed to say, “These are too good for the free tier.”

What Made Me Curious

The thing that bothered me was architectural, not emotional. A regular profile and a standout profile are still just profiles in the backend system. The difference is supposed to be in what your account is allowed to do with them. So once I saw a profile in Standouts that I liked, but could not pay to interact with, the obvious question became: where is that rule actually enforced?

If the answer is “only in the interface,” then the premium boundary is weak. If the answer is “on the server, every time,” then the system should reject anything outside your entitlement no matter what the client tries to do.

What Actually Happened

I compared the normal free interaction flow with the premium-facing one and found that the app was still receiving enough information about gated profiles for them to be represented on the client side. In other words, the app already knew those profiles existed and had enough context to render them as special, paid-only entries.

That by itself is not always a bug. Sometimes clients receive extra data and still cannot do anything dangerous with it. The real issue came next: the action flow for a normal free like appeared to trust the profile reference more than it trusted the user’s subscription state. Once a gated profile had been represented on the client, the backend did not seem to draw a hard enough line between “this is a valid profile” and “this account is allowed to act on this profile.”

So the issue was not that I discovered some secret profile database or broke into hidden infrastructure. It was simpler than that, and in a way more common: the app presented a premium restriction in the user experience, but the backend appeared willing to process a standard interaction against a premium-target profile anyway. That is why the whole thing felt less like “cracking” something and more like watching a product boundary dissolve once you looked beneath the UI.

Why Standouts Was The Tell

Standouts was the perfect place to notice the flaw because it is built around scarcity. The app is effectively saying, “We know you are going to want these people more, so this path costs extra.” That means the value of the feature depends entirely on the backend being able to separate ordinary interactions from premium ones.

If that separation only exists as a button choice in the interface, then the monetization model is fragile. The moment the client can still identify those premium profiles and the server still accepts an ordinary interaction pattern against them, the distinction between “free” and “paid” stops being meaningful.

The Rundown

At a high level, the flow looked like this: Hinge used my swiping history to get better at predicting what I would like, surfaced unusually strong matches in a premium lane, and then relied on the app to steer me into a paid action. But the account boundary behind that lane did not appear to be enforced strongly enough once the client had the relevant profile context.

That meant the core mistake was not “the app showed me attractive people.” The mistake was that the app and backend did not agree on what my free account was actually allowed to do with those profiles after they had already been selected and delivered into the client experience.

Impact

  • Premium-only interactions could be reached by unpaid users if entitlement checks were not enforced at the server layer.
  • Profile details that looked intentionally hidden in the app could still leak through backend behavior earlier than users expected.
  • The flaw was potentially automatable, which raised abuse and privacy concerns in addition to the direct paywall bypass.

Timeline

December 1, 2025 / 11:58 PM UTC
Report submitted

The report described the mismatch between the premium interface and the backend checks, supported by screenshots and traffic captures.

December 2, 2025 / shortly after submission
Follow-up comment added

A short follow-up noted that the previously restricted interaction appeared to work in practice, which reinforced that the issue was not just hypothetical.

December 2, 2025 / 11:56 AM UTC
Report closed as informative

The triage response classified the behavior as paywall circumvention and business-rule enforcement failure rather than a traditional security bug with deeper system compromise.

Program Response

Status / Informative

The closure rationale was basically that the report showed a product-logic weakness rather than a classic security break. That line comes up often in bounty programs: if an issue harms pricing, privacy expectations, or platform trust without crossing into infrastructure compromise, some teams still push it into the business-logic bucket.

My Take

What I like about this case is that it shows how easy it is for teams to confuse product theater with access control. A blurred profile, a premium badge, and a rose purchase flow all feel like hard restrictions to a normal user. But if the server still hands the client the necessary context and still accepts the downstream action, that protection is mostly cosmetic.

That is why entitlement checks have to live on the server for anything tied to paid access, exposure of user profiles, or messaging rights. Otherwise the product is not enforcing a boundary. It is just hoping the client behaves.

What I Redacted

Public-safe version
  • All real names, profile details, screenshots, and attachment references that could identify users.
  • Exact IDs, raw request data, hostnames, endpoint paths, and replayable parameters.
  • Specific action sequences, traffic inspection details, and reproduction steps that would turn this into a guide for bypassing a live product.
Back to Blog