per my exit strategy i’m seeking a senior technical role. so when a friend recommended i check out HustleWing, an anonymous job board with “side hustle opportunities,” i thought it was my lucky day.
after creating a profile you’re forced to pay for access. despite the marketing site not mentioning fees, i figured whatever. it takes money to make money right? i subscribed for $29. then i did a quick search and found this reddit post accusing HustleWing of being a scam website with no real jobs. yikes!
with my $29 already gone and a spiritual revulsion for chargebacks, i figured i’ll eat my mistake but poke around the site to salvage some losses. and poke around i did.
everything you’re about to read took less than 30 minutes with my terminal and 2 bare hands. i didn’t brute force endpoints, write SQL injection queries, engage automated scanners, or DDoS servers. just common sense and a little bit of elbow grease.
HustleWing flaw #1 – not anonymous
first i visited my HustleWing profile and inspected XHR network requests. here i spotted an innocent-looking fetch() to this endpoint:
in case the link above gets got, here’s a visual preview. it’s my entire user profile, name(!) included, and can be retrieved without authentication.
for an “anonymous” job board, HustleWing already sucks IMO. but maybe their secret sauce is the mem_ prefixed profile IDs. using hashed primary keys instead of enumerable integers makes it ~impossible to find other profiles, right? lol nah.
back on the main job feed i inspected more network requests and found these gems:
so i start guessing. can i list user profiles the same way?
/api/hustlers/profiles (43,773 records)
HustleWing flaw #2 – dishonest
to back up real quick, HustleWing’s website claims 100,000+ users. since the actual number is 43,000, they’re lying by 233%.
another fun fact, immediately after joining HustleWing you realize it’s not a place for side hustles at all. it’s a “seeking co-founder” community forum.
which is fine if that’s their pitch, but it’s not. HustleWing presents itself as a place to find part-time consulting projects with household brands.
and to top it off, HustleWing doesn’t let you cancel your account.
there is no billing page, live chat, support center, customer service widget, or “contact us” form anywhere. it’s a 1-way valve from your wallet to theirs.
HustleWing flaw #3 – vulnerable AF
if you checked out my profile JSON above, you probably noticed there’s no email address. phew! but what happens if we Use Our Brain and Find A Way?
i did, and found an even juicier endpoint. just replace “hustler/profile” with “user” at the end for the full kimono.
- public profile (includes names, not cool):
- private profile (name / email / etc):
as before, here’s proof in case these links break:
to make it just a little harder for bad actors reading this post, i’ll refrain from sharing code snippets that paginate every Business + Opportunity and traverse to the owning member’s ID => private profile.
but it is possible. and i may or may not have downloaded 50,000 hiring agents’ names, emails, and job listings. tomorrow i may or may not cold email a few of them with 1) their doxed profile and 2) a Ryan Kulp developer pitch.
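for the builders reading along, flaws #1 and #3 are the same bug on the server side: the API returns a record because the caller knows its mem_ id, never because the caller is allowed to see it. here’s what those three views should have done instead. this is an added example in python, not HustleWing’s code; the record layout, field names and the session model are assumptions.

```python
# added example, not HustleWing's code: the authorization checks a profile
# API needs. record layout, field names and the session model are assumed.

# constructed sample records keyed by non-enumerable mem_ ids. an
# unguessable id hides the URL, it does not decide who may read the record.
MEMBERS = {
    "mem_a1": {"name": "Alice Example", "email": "alice@example.test",
               "headline": "backend engineer", "skills": ["python"]},
    "mem_b2": {"name": "Bob Example", "email": "bob@example.test",
               "headline": "growth marketer", "skills": ["seo"]},
}

# the only fields an "anonymous" board should show other members.
PUBLIC_FIELDS = ("headline", "skills")


class Forbidden(Exception):
    """raised instead of returning data when the caller is not allowed."""


def public_profile(session_user, member_id):
    """hustler/profile view: logged-in callers only, identity fields stripped."""
    if session_user is None:                  # no session: deny, never serve
        raise Forbidden("login required")
    record = MEMBERS.get(member_id)
    if record is None:
        raise KeyError(member_id)
    return {k: record[k] for k in PUBLIC_FIELDS}

def private_profile(session_user, member_id):
    """user view (name, email): owner only. a path segment is not a permission."""
    if session_user is None:
        raise Forbidden("login required")
    if session_user != member_id:             # object-level check, per request
        raise Forbidden("not your profile")
    return dict(MEMBERS[member_id])

def list_profiles(session_user, page=0, page_size=20):
    """profiles listing: authenticated, paginated, public fields only."""
    if session_user is None:
        raise Forbidden("login required")
    ids = sorted(MEMBERS)[page * page_size:(page + 1) * page_size]
    return [{"id": m, **public_profile(session_user, m)} for m in ids]

def is_denied(view, *args):
    """True when a view refuses the request instead of leaking the record."""
    try:
        view(*args)
    except Forbidden:
        return True
    return False
```

the point of `is_denied` is the regression test you keep forever: an unauthenticated caller and a non-owner both get refused, and the listing never carries a name or email.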
HustleWing flaw #4 – took $29 from Ryan
i can go all day about API endpoints that shouldn’t exist, like this one that seems to indicate more than 3,000 people are paying or have paid for HustleWing, a scam job board with zero accountability.
on Thursday, Oct 19th 2023 i emailed HustleWing to cancel my paid subscription. having not received confirmation that my request was completed, i’m earning back the $29 by sharing this exposé with 1000s of people. i’m aiming for at least the same number of people they tricked.
competing with Ryan Kulp is traditionally a bad idea.
HustleWing flaw #5 – thinking it won’t get worse
usually when i find a vulnerability i email the company directly and avoid public drama. but HustleWing is a POS website run by POS people and i don’t care.
if a fellow ethical hacker wants to carry the torch, i suggest first figuring out if “Jessica” is a real person. this account sends all the newsletters and onboarding mailers.
my second suggestion is to get in touch with Brian Ficho, HustleWing’s co-founder according to an online directory called LinkedIn. maybe then he’ll send a scary legal notice for my trash can.
Brian, do better man.
HustleWing flaw #6 – zero talent
until i signed up last Friday, nothing good came from HustleWing. it was an open endpoint exposing 50,000 professionals trying to anonymously pay their bills. HustleWing sold them on a promise and failed.
HustleWing + “Jessica @ HustleWing,” you suck!