I had been a developer for about a month. Surprisingly, that was enough experience to discover a glaring bug in Gumroad’s API.
Gumroad is a platform that makes it very easy for creators to sell stuff online. In spite of the bug I’ll talk about here and the recent controversy around their price increase, Gumroad has been pivotal to my business of selling After Effects scripts (third-party tools for Adobe software). Gumroad’s API lets developers like me add licensing to their downloadable tools.
Back in November I was working on my After Effects script, Type. Using Good Boy Ninja’s method for talking to Gumroad’s API, I was able to build a licensing system rather easily.
The crux of the system is running a cURL command like this:
Gumroad returns whether the license_key you pass is valid for the product identified by product_permalink.
The problem is that Gumroad gives every seller their own subdomain (e.g. aescreens.gumroad.com), and a product’s permalink only has to be unique within that subdomain. So when you make a new product you can give it any permalink you want, even one that another seller already uses. The license API, however, identified the product by permalink alone, with nothing tying the check to the seller who actually sold the tool.
In good faith, I proceeded to make my own “products” with the same permalinks as several other After Effects tools sold on Gumroad. I could then generate license keys for those products for free, and sure enough, my dummy keys were accepted by every tool I tested.
I immediately informed Gumroad and each of the developers about the vulnerability.
This was on November 29.
On December 23, Gumroad emailed me to tell me that Type and Nice O Metric had to be updated in order for the license API to keep working. If users didn’t have an updated copy by January 2 at 3am, the tool would just stop working for them!
The fix itself was straightforward: replace the product_permalink parameter with the newly introduced product_id parameter, which is unique per product and so can’t collide with another seller’s.
But I had to make this change over Christmas break and inform all my customers that they have to re-download and install their tools, otherwise they won’t work. It was a headache.
I took some solace (with a pinch of guilt) that I was not alone. Battleaxe and Good Boy Ninja, two prominent After Effects developers, were in the same boat. And since they had to do the same thing, it felt less weird to ask customers to reinstall my tools because of a change Gumroad made that wasn’t my fault (although it kinda was). Undoubtedly, some customers won’t get our emails, and we’ll have more customer-support work to do as a result.
If none of your products shared a permalink with another seller’s, you could keep calling Gumroad’s API unchanged. Going forward, it looks like all new products will require the product_id parameter.
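To make the flaw concrete, here is an added Python simulation of the two lookups, the permalink-keyed one the post describes as broken and the product_id-keyed one the fix moved to. It is not Gumroad’s code and not the cURL call from the post; the product names, IDs, seller subdomains, license-key format and HMAC-based key scheme are all constructed for the demo. The only property the simulation depends on is the one the post describes: a permalink is unique only within one seller’s subdomain, while product_id is unique across the platform.

```python
import hashlib
import hmac
import secrets

# Constructed catalogue (not real Gumroad data). Two sellers, each on their
# own subdomain, both chose the permalink "type". product_id is unique across
# the platform; permalink is only unique within one seller's subdomain.
PRODUCTS = [
    {"product_id": "prod_A1", "seller": "aescreens",     "permalink": "type"},
    {"product_id": "prod_B2", "seller": "attacker-shop", "permalink": "type"},
]

# Hypothetical per-product signing secret used to mint license keys.
LICENSE_SECRETS = {p["product_id"]: secrets.token_bytes(32) for p in PRODUCTS}


def _tag(product_id: str, email: str) -> str:
    """Short HMAC over the buyer email under the product's secret (hypothetical)."""
    return hmac.new(LICENSE_SECRETS[product_id], email.encode(), hashlib.sha256).hexdigest()[:16]


def issue_license(product_id: str, email: str) -> str:
    """Seller side: mint a key bound to one product_id (hypothetical format)."""
    return f"{product_id}:{email}:{_tag(product_id, email)}"


def _key_is_valid_for(product_id: str, license_key: str) -> bool:
    """True only if license_key was minted for exactly this product."""
    try:
        pid, email, tag = license_key.split(":")
    except ValueError:
        return False
    if pid != product_id or product_id not in LICENSE_SECRETS:
        return False
    return hmac.compare_digest(_tag(product_id, email), tag)


def verify_by_permalink(product_permalink: str, license_key: str) -> bool:
    """Pre-fix behaviour as the post describes it: the product is looked up
    by permalink alone, so a key minted for ANY seller's product with that
    permalink is accepted."""
    candidates = [p for p in PRODUCTS if p["permalink"] == product_permalink]
    return any(_key_is_valid_for(p["product_id"], license_key) for p in candidates)


def verify_by_product_id(product_id: str, license_key: str) -> bool:
    """Post-fix behaviour: product_id names exactly one product."""
    return _key_is_valid_for(product_id, license_key)


def demo() -> dict:
    # A real customer's key for aescreens' product.
    good_key = issue_license("prod_A1", "customer@example.com")
    # The attacker creates their own product with the same permalink and mints
    # a key for it, which costs nothing.
    forged_key = issue_license("prod_B2", "attacker@example.com")
    return {
        "legit_by_permalink": verify_by_permalink("type", good_key),
        "forged_by_permalink": verify_by_permalink("type", forged_key),  # the bug
        "legit_by_id": verify_by_product_id("prod_A1", good_key),
        "forged_by_id": verify_by_product_id("prod_A1", forged_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} -> {'ACCEPTED' if ok else 'rejected'}")
```

The key-minting scheme is deliberately sound; the attacker never forges a key, they simply get a perfectly valid key for a product they control, and the permalink-keyed check cannot tell that product apart from the victim’s. Scoping the lookup to product_id (or, equivalently, to the seller plus permalink) is what closes the hole.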
To Gumroad’s credit they did extend the deadline by a week after I asked. And they paid me a $500 bug bounty.
But here’s how they could’ve handled this way better:
We will see if this is the final reason some creators need to leave the Gumroad platform. Personally, I am conflicted. I do plan on leaving Gumroad eventually, but my business is still in an early growth phase. Switching platforms now would just delay development of the products currently in my pipeline, so it’s not a priority at the moment.
As an After Effects developer, I still really like Gumroad’s UX and how quickly I can launch new products. There are some attractive alternatives, but I’m hesitant to make such a big change too quickly.
Whatever my next platform is, I want it to be permanent.