per my exit strategy i’m seeking a senior technical role. so when a friend recommended i check out HustleWing, an anonymous job board with “side hustle opportunities,” i thought it was my lucky day.
after creating a profile you’re forced to pay for access. despite the marketing site not mentioning fees, i figured whatever. it takes money to make money right? i subscribed for $29. then i did a quick search and found this reddit post accusing HustleWing of being a scam website with no real jobs. yikes!
with my $29 already gone and a spiritual revulsion for chargebacks, i figured i’ll eat my mistake but poke around the site to salvage some losses. and poke around i did.
everything you’re about to read took less than 30 minutes with my terminal and 2 bare hands. i didn’t brute force endpoints, write SQL injection queries, engage automated scanners, or DDOS servers. just common sense and a little bit of elbow grease.
HustleWing flaw #1 – not anonymous
first i visited my HustleWing profile and inspected XHR network requests. here i spotted an innocent looking fetch() to this endpoint:
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/hustler/profile
in case the link above gets got, here’s a visual preview. it’s my entire user profile, name(!) included, and can be retrieved without authentication.
for an “anonymous” job board, HustleWing already sucks IMO. but maybe their secret sauce is the mem_ prefixed profile IDs. using hashed primary keys instead of enumerable integers makes it ~impossible to find other profiles, right? lol nah.
back on the main job feed i inspected more network requests and found these gems:
/api/businesses/profiles(50,107 records)/api/opportunities(817 records)
so i start guessing. can i list user profiles the same way?
/api/hustlers/profiles (43,773 records)
yep!
HustleWing flaw #2 – dishonest
to back up real quick, HustleWing’s website claims 100,000+ users. since the actual number is 43,000, they’re lying by 233%.
another fun fact, immediately after joining HustleWing you realize it’s not a place for side hustles at all. it’s a “seeking co-founder” community forum.
which is fine if that’s their pitch, but it’s not. HustleWing presents itself as a place to find part-time consulting projects with household brands.
and to top it off, HustleWing doesn’t let you cancel your account.
there is no billing page, live chat, support center, customer service widget, or “contact us” form anywhere. it’s a 1-way valve from your wallet to theirs.
HustleWing flaw #3 – vulnerable AF
if you checked out my profile JSON above, you probably noticed there’s no email address. phew! but what happens if we Use Our Brain and Find A Way?
i did, and found an even juicier endpoint. just replace “hustler/profile” with “user” at the end for the full kimono.
- public profile (includes names, not cool):
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/hustler/profile - private profile (name / email / etc):
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/user
as before, here’s proof in case these links break:
to make it just a little harder for bad actors reading this post, i’ll refrain from sharing code snippets that paginate every Business + Opportunity and traverse to the owning member’s ID => private profile.
but it is possible. and i may or may not have downloaded 50,000 hiring agents’ names, emails, and job listings. tomorrow i may or may not cold email a few of them 1) their doxed profile and 2) a Ryan Kulp developer pitch.
HustleWing flaw #4 – took $29 from Ryan
i can go all day about API endpoints that shouldn’t exist, like this one that seems to indicate more than 3,000 people are paying or have paid for HustleWing, a scam job board with zero accountability.
/api/hustlers/profiles?plan=pro
on Thursday, Oct 19th 2023 i emailed HustleWing to cancel my paid subscription. having not received confirmation that my request was completed, i’m earning back the $29 by sharing this exposé with 1000s of people. i’m aiming for at least the same number of people they tricked.
competing with Ryan Kulp is traditionally a bad idea.
HustleWing flaw #5 – thinking it won’t get worse
usually when i find a vulnerability i email the company directly and avoid public drama. but HustleWing is a POS website run by POS people and i don’t care.
if a fellow ethical hacker wants to carry the torch, i suggest first figuring out if “Jessica” is a real person. this account sends all the newsletters and onboarding mailers.
my second suggestion is to get in touch with Brian Ficho, HustleWing’s co-founder according to an online directory called LinkedIn. maybe then he’ll send a scary legal notice for my trash can.
https://www.linkedin.com/in/brianficho
Brian, do better man.
HustleWing flaw #6 – zero talent
until i signed up last Friday, nothing good came from HustleWing. it was an open endpoint of 50,000 professionals trying to anonymously pay their bills. HustleWing sold them on a promise and failed.
HustleWing + “Jessica @ HustleWing,” you suck!
Hey thanks for the this post – much appreciated!!
And good. Wondered if you could help with even more pathetic scammers… Details described here: https://t.me/DarknetDeutschlandMarkt4IsAScam
This is epic! Thanks for a great read…
Thanks so much,
Was contacted by one of their “representatives” this morning. Quick google search and your site came up 3rd! Thanks for helping me dodge a bullet (and save my $$$$).
Yep they responded to my Director of Engineering application with a link to sign up to their website, which is basically a terrible version of Fiverr. I didn’t sign up or pay any money but they still have my email on file and there’s no way to delete an account there.
Total scam.
I fell for a job posting jobs on LinkedIn that looked like HustleWing was hiring. After I applied, “Jessica” sent a suggested opportunity that I would have had to pay to see it.
Total scam. Thank you for saving me $29 and a bunch of time today!
This is pretty devious.
I’m pretty desperate for money. Like I used to make a ton before the pandemic, but not any more. I’ve run through savings and put groceries and living stuff on my credit card. Any time I put limited time applying to fake jobs, it takes away from me applying to a legit job. To top it off, I I contemplating going to the food bank or not on Thursday.
I never really understood why a job seeker, the disempowered one in the employment dynamic, would have to pay money to get a job. It seems like the employer, with a hiring budget should take the financial burden since they are hiring an asset.
I have been thinking of maybe signing up for the membership to try to find work, but not sure if this would be a bogus or black hole job board like upwork again.
I’ll definitely stop considering choosing between a meal and this sign up fee from now on.
It is really too bad it’s not legit. A power time / moonlight board would have been nice.
Great write up. I used the LI link you included for the Co-founder and I always find it sketch if leaders/founders don’t put their profile photo up. Smells super scammy!
dodged a bullet. Thanks. Do you still have the 50,000 hiring managers emails. Looking for consulting gigs and want to avoid trash agencies like Michael Page and other such crap. I want to feel empowered by finding high paying consulting gigs on my own. Email is [email protected]
Thank you for saving me $29, this is incredible!
thank you so much. I was looking for product work and they reached out. Good to know its a mess upfront and really appreciate your work. Ill pay $29 just to avoid having gotten ripped off.
Legend.
Thank you for putting so much time into this.
While I’m here, Bark.com is a microjobs website that also makes big promises. In my experience, their platform is loaded with fake jobs specifically meant to burn applicant’s money.
Thanks! I saw their ad on LinkedIn.
Thank you! Saved me $29 and a lot of shame
Damn. Feeling super dumb right now. And out $29. I do find it helpful to be introduced to companies I hadn’t heard of and find them outside of the platform. But it’s still scammy. If you have those 43k job listings, I’m interested.
You’re the best – I was suspicious when receiving an email from Jessica after applying for an internal position through LinkedIn (subject said applied through Indeed – sheesh).
I was provided a link to search through other openings. There was only one available, and I had to pay to reveal the other opportunities.
This is a pretty horrible practice.
Thanks for posting.