OtterBox
In March 2023, I found a vulnerability on the OtterBox website. OtterBox, a top-tier phone case manufacturer, overlooked details in their warranty claim procedure. This oversight opened the door to an exploit that could theoretically give someone unlimited phone cases.
The exploit process was surprisingly simple. The website automatically places a free replacement item in your cart when a warranty claim is filed. Although you couldn’t directly alter the quantity of this free item, I discovered a workaround.
I added a regular item to the cart and adjusted its quantity, which triggered an API request. I captured this request and then tweaked it to apply to the replacement item.
This was the turning point. By swapping the ID of the regular item in the captured request with the ID of the warranty product, I could fool the website into thinking there were multiple warranty items in the cart.
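The root cause described above is a server that applies whatever item id and quantity the cart-update request names, while relying on the UI to hide the quantity control for the free item. The following is an added example, not OtterBox's code: a constructed Python cart model with a vulnerable update handler beside a hardened one that looks the line up on the server and refuses quantity changes for any line that came from a warranty claim. The item ids, claim id and prices are made up.

```python
"""Server-side cart quantity update, vulnerable and hardened versions.

Constructed example (not OtterBox's code). A cart holds one paid line and
one free replacement line created by an approved warranty claim. The
vulnerable handler trusts the (item_id, quantity) pair in the request; the
hardened handler enforces the rule that a replacement line's quantity is
fixed by the claim, no matter what the request says.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CartLine:
    item_id: str
    unit_price: float                      # 0.0 for a warranty replacement
    quantity: int = 1
    warranty_claim_id: Optional[str] = None  # set only for lines created by a claim

    @property
    def is_warranty_replacement(self) -> bool:
        return self.warranty_claim_id is not None


@dataclass
class Cart:
    lines: Dict[str, CartLine] = field(default_factory=dict)

    def total(self) -> float:
        return sum(line.unit_price * line.quantity for line in self.lines.values())


class QuantityNotAllowed(Exception):
    """Raised when a request tries to change a quantity the server owns."""


def vulnerable_update_quantity(cart: Cart, item_id: str, quantity: int) -> Cart:
    """Applies the client's (item_id, quantity) pair as-is.

    The UI hides the quantity control for the free line, but this API applies
    the same update to whichever item id the request names.
    """
    cart.lines[item_id].quantity = quantity
    return cart


def hardened_update_quantity(cart: Cart, item_id: str, quantity: int) -> Cart:
    """Enforces the business rule on the server regardless of the UI."""
    if quantity < 1:
        raise ValueError("quantity must be at least 1")
    line = cart.lines.get(item_id)
    if line is None:
        raise KeyError(item_id)
    if line.is_warranty_replacement:
        # The quantity of a replacement line is determined by the approved
        # claim, never by a cart update request.
        raise QuantityNotAllowed(
            f"item {item_id} is a warranty replacement "
            f"(claim {line.warranty_claim_id}); its quantity cannot be changed"
        )
    line.quantity = quantity
    return cart


def build_sample_cart() -> Cart:
    """Constructed cart: one paid case plus one free replacement from a claim."""
    cart = Cart()
    cart.lines["CASE-REG-001"] = CartLine("CASE-REG-001", unit_price=49.95)
    cart.lines["CASE-WAR-001"] = CartLine(
        "CASE-WAR-001", unit_price=0.0, warranty_claim_id="CLAIM-123"
    )
    return cart


def demo() -> Tuple[int, str]:
    """Runs the same tampered request through both handlers.

    Returns (replacement quantity after the vulnerable path, outcome of the
    hardened path).
    """
    # A quantity update captured for the regular item, with the id swapped
    # to the replacement line (the flaw described in the write-up).
    tampered_item_id, tampered_quantity = "CASE-WAR-001", 5

    vuln_cart = build_sample_cart()
    vulnerable_update_quantity(vuln_cart, tampered_item_id, tampered_quantity)
    vuln_qty = vuln_cart.lines["CASE-WAR-001"].quantity

    hard_cart = build_sample_cart()
    try:
        hardened_update_quantity(hard_cart, tampered_item_id, tampered_quantity)
        outcome = "accepted"
    except QuantityNotAllowed:
        outcome = "rejected"
    return vuln_qty, outcome


if __name__ == "__main__":
    print(demo())  # (5, 'rejected')
```

The check has to live in the server-side handler: hiding the quantity control in the page is a presentation choice, not an authorization control, and the same endpoint serves both the paid line and the free one. Any line whose existence is granted by a claim should carry that linkage in the server's own data, and every write to the cart should consult it before applying the client's numbers.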
With this exploit, I could suddenly obtain as many phone cases as I desired, all for free. The only cost was a $10 shipping charge. Anyone aware of this exploit could acquire as many phone cases as they desired and potentially cause significant financial loss to OtterBox.
Here is a demo of the vulnerability:
I was able to order multiple free phone cases successfully. However, I quickly canceled my order. 🥱 I don’t want to commit fraud.