per my exit strategy i’m seeking a senior technical role. so when a friend recommended i check out HustleWing, an anonymous job board with “side hustle opportunities,” i thought it was my lucky day.
after creating a profile you’re forced to pay for access. despite the marketing site not mentioning fees, i figured whatever. it takes money to make money right? i subscribed for $29. then i did a quick search and found this reddit post accusing HustleWing of being a scam website with no real jobs. yikes!
with my $29 already gone and a spiritual revulsion for chargebacks, i figured i’ll eat my mistake but poke around the site to salvage some losses. and poke around i did.
everything you’re about to read took less than 30 minutes with my terminal and 2 bare hands. i didn’t brute force endpoints, write SQL injection queries, engage automated scanners, or DDOS servers. just common sense and a little bit of elbow grease.
HustleWing flaw #1 – not anonymous
first i visited my HustleWing profile and inspected XHR network requests. here i spotted an innocent looking fetch() to this endpoint:
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/hustler/profile
in case the link above gets got, here’s a visual preview. it’s my entire user profile, name(!) included, and can be retrieved without authentication.
for an “anonymous” job board, HustleWing already sucks IMO. but maybe their secret sauce is the mem_ prefixed profile IDs. using hashed primary keys instead of enumerable integers makes it ~impossible to find other profiles, right? lol nah.
back on the main job feed i inspected more network requests and found these gems:
/api/businesses/profiles(50,107 records)/api/opportunities(817 records)
so i start guessing. can i list user profiles the same way?
/api/hustlers/profiles (43,773 records)
yep!
HustleWing flaw #2 – dishonest
to back up real quick, HustleWing’s website claims 100,000+ users. since the actual number is 43,000, they’re lying by 233%.
another fun fact, immediately after joining HustleWing you realize it’s not a place for side hustles at all. it’s a “seeking co-founder” community forum.
which is fine if that’s their pitch, but it’s not. HustleWing presents itself as a place to find part-time consulting projects with household brands.
and to top it off, HustleWing doesn’t let you cancel your account.
there is no billing page, live chat, support center, customer service widget, or “contact us” form anywhere. it’s a 1-way valve from your wallet to theirs.
HustleWing flaw #3 – vulnerable AF
if you checked out my profile JSON above, you probably noticed there’s no email address. phew! but what happens if we Use Our Brain and Find A Way?
i did, and found an even juicier endpoint. just replace “hustler/profile” with “user” at the end for the full kimono.
- public profile (includes names, not cool):
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/hustler/profile - private profile (name / email / etc):
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/user
as before, here’s proof in case these links break:
to make it just a little harder for bad actors reading this post, i’ll refrain from sharing code snippets that paginate every Business + Opportunity and traverse to the owning member’s ID => private profile.
but it is possible. and i may or may not have downloaded 50,000 hiring agents’ names, emails, and job listings. tomorrow i may or may not cold email a few of them 1) their doxed profile and 2) a Ryan Kulp developer pitch.
HustleWing flaw #4 – took $29 from Ryan
i can go all day about API endpoints that shouldn’t exist, like this one that seems to indicate more than 3,000 people are paying or have paid for HustleWing, a scam job board with zero accountability.
/api/hustlers/profiles?plan=pro
on Thursday, Oct 19th 2023 i emailed HustleWing to cancel my paid subscription. having not received confirmation that my request was completed, i’m earning back the $29 by sharing this exposé with 1000s of people. i’m aiming for at least the same number of people they tricked.
competing with Ryan Kulp is traditionally a bad idea.
HustleWing flaw #5 – thinking it won’t get worse
usually when i find a vulnerability i email the company directly and avoid public drama. but HustleWing is a POS website run by POS people and i don’t care.
if a fellow ethical hacker wants to carry the torch, i suggest first figuring out if “Jessica” is a real person. this account sends all the newsletters and onboarding mailers.
my second suggestion is to get in touch with Brian Ficho, HustleWing’s co-founder according to an online directory called LinkedIn. maybe then he’ll send a scary legal notice for my trash can.
https://www.linkedin.com/in/brianficho
Brian, do better man.
HustleWing flaw #6 – zero talent
until i signed up last Friday, nothing good came from HustleWing. it was an open endpoint of 50,000 professionals trying to anonymously pay their bills. HustleWing sold them on a promise and failed.
HustleWing + “Jessica @ HustleWing,” you suck!
Hey thanks for the this post – much appreciated!!
And good. Wondered if you could help with even more pathetic scammers… Details described here: https://t.me/DarknetDeutschlandMarkt4IsAScam
This is epic! Thanks for a great read…
Thanks so much,
Was contacted by one of their “representatives” this morning. Quick google search and your site came up 3rd! Thanks for helping me dodge a bullet (and save my $$$$).
Yep they responded to my Director of Engineering application with a link to sign up to their website, which is basically a terrible version of Fiverr. I didn’t sign up or pay any money but they still have my email on file and there’s no way to delete an account there.
Total scam.
I fell for a job posting jobs on LinkedIn that looked like HustleWing was hiring. After I applied, “Jessica” sent a suggested opportunity that I would have had to pay to see it.
Total scam. Thank you for saving me $29 and a bunch of time today!
This was the same rabbit-hole I nearly fell into. There were a number of postings on LinkedIn, and they sounded quite promising. Before filling in *anything*, I did a google search and yep – this page came up second.
Thank you for saving my time and effort, Ryan!
This is pretty devious.
I’m pretty desperate for money. Like I used to make a ton before the pandemic, but not any more. I’ve run through savings and put groceries and living stuff on my credit card. Any time I put limited time applying to fake jobs, it takes away from me applying to a legit job. To top it off, I I contemplating going to the food bank or not on Thursday.
I never really understood why a job seeker, the disempowered one in the employment dynamic, would have to pay money to get a job. It seems like the employer, with a hiring budget should take the financial burden since they are hiring an asset.
I have been thinking of maybe signing up for the membership to try to find work, but not sure if this would be a bogus or black hole job board like upwork again.
I’ll definitely stop considering choosing between a meal and this sign up fee from now on.
It is really too bad it’s not legit. A power time / moonlight board would have been nice.
Great write up. I used the LI link you included for the Co-founder and I always find it sketch if leaders/founders don’t put their profile photo up. Smells super scammy!
dodged a bullet. Thanks. Do you still have the 50,000 hiring managers emails. Looking for consulting gigs and want to avoid trash agencies like Michael Page and other such crap. I want to feel empowered by finding high paying consulting gigs on my own. Email is [email protected]
Thank you for saving me $29, this is incredible!
thank you so much. I was looking for product work and they reached out. Good to know its a mess upfront and really appreciate your work. Ill pay $29 just to avoid having gotten ripped off.
Legend.
Thank you for putting so much time into this.
While I’m here, Bark.com is a microjobs website that also makes big promises. In my experience, their platform is loaded with fake jobs specifically meant to burn applicant’s money.
Thanks! I saw their ad on LinkedIn.
Thank you! Saved me $29 and a lot of shame
Damn. Feeling super dumb right now. And out $29. I do find it helpful to be introduced to companies I hadn’t heard of and find them outside of the platform. But it’s still scammy. If you have those 43k job listings, I’m interested.
You’re the best – I was suspicious when receiving an email from Jessica after applying for an internal position through LinkedIn (subject said applied through Indeed – sheesh).
I was provided a link to search through other openings. There was only one available, and I had to pay to reveal the other opportunities.
This is a pretty horrible practice.
Thanks for posting.
Same story here Ryan. Jessica is not cool. Way to try to hustle folks who are just trying to make an honest living and actually working all legitimate angles to be a proactive member of society. Thank you for shedding light on this scam.
I arrived at your site moments before clicking to confirm my annual subscription. THANK YOU for saving me the headache.
This made my day. Thank you for sharing.
Oh Wow! Thanks so much for sharing this!!! I thought you could trust LinkedIn not to have so many scammers, but there seems to be a lot on their site. Again, thank you!
Thank you for this. I applied through a linkedIn posting and I’m doing my due diligence before getting too far in the process. Glad I did! Unfortunately, I signed up for an account, but didn’t pay $29. It just took me to this video: https://www.youtube.com/watch?v=kYpPT8oLyZY&t=3s
Thank you for this! I applied for a “job” through LinkedIn and figured it was scammy when they wanted me to sign up. Several pings from them later I stumbled across your post. Shame on them.
Ryan, you’re fucking awesome man! Much appreciated!! People like you is making this world to a better place for sure! Cudos to you my friend!!!!
Thanks –> you’ve done God’s work with this post!! Appreciate it.
Haha ever since you posted these API endpoints hustlewing disabled public access to them. Thank you for calling out startups for not doing their due diligence when it comes to privacy and security. Hope they make a better plaform.
Thank you!
I wish I’d seen this before I signed up. Luckily, I didn’t pay anything because I’m not that trusting, but now I’m on their email list; ugh! I hope others see this heads up before it’s too late.
Love this so much! THANK YOU!
That Was Totally Wicked!!
Finding it is one thing. Posting it is badass. You remind me of my code heroes back in the early 2000’s. – Go on with your bad self.
Thank you for saving me the time and money.
Unfortunately HustleWing and Bravado seem to be very similar and complete scams for real professionals looking to find a side hustle. Anyone know of any legit organizations offering real services? for professionals looking for side hustles? I’d love to know.
I may have just found another potential scam they’re running. Saw a posting for a marketing job with “Fin,” an AI Skincare Assistant app available in the Apple Store. When I researched the company on LI, I found only 1 associated employee so far and few details on Google. When I looked at the app details, the seller is “HustleWing LLC.” I wonder if the app and open jobs were created just to grab more contact info, or if this might(?) be a legitimate situation where a founder is using their services. In any case, based on your technical analysis, I certainly wouldn’t trust an app sold by HustleWing to be secure.
interesting. yes, perhaps a new company named “Fin” hired HustleWing to run a recruitment campaign for them. but finding them online should be pretty easy. and finding duplicate postings of their job opp seems pretty standard too. based on what we’ve seen thus far, i wouldn’t put it past HustleWing to invent a fake app for leads.
I also created an account then found it was a scam. Super frustrated, I tried to figure out who was running their LinkedIn jobs account. After a ton of sleuthing (and after maybe asking a friend at LinkedIn), I figured out HustleWing is owned by a guy named Greg Caplan, the former CMO of Cameo.
Here is his LinkedIn: https://www.linkedin.com/in/gregcaplan/
Thank you this is so helpful!