AE Screens

How I Hacked Gumroad and Broke a Bunch of After Effects Tools

The Bug

I discovered a critical vulnerability in Gumroad's API while developing licensing for my After Effects script called Type. The flaw centered on how Gumroad handles product permalinks.

Gumroad gives every creator a custom subdomain (for example aescreens.gumroad.com), and when you make a new product you can give it any permalink you want, even one that already exists on another creator's product. A permalink is therefore only unique within a subdomain, not across Gumroad as a whole.

This meant someone could create a product whose permalink duplicated an existing product's and generate license keys that verified as valid for it, without ever purchasing it. I tested this by creating dummy products matching other After Effects tools and successfully generated unauthorized licenses for them.

Other affected developers included Battleaxe and Good Boy Ninja.

The licensing verification in the script shelled out to curl from ExtendScript, posting the product permalink and the user's key to Gumroad's verify endpoint:

// ExtendScript: shell out to curl and POST the product permalink plus the
// user's key to Gumroad's verify endpoint. permalink, licenseKeyInput and
// incrementUseCount are script variables set elsewhere; note that the
// user-typed key is concatenated into the shell command line as-is.
system.callSystem(
  'curl https://api.gumroad.com/v2/licenses/verify -d "product_permalink=' +
  permalink +
  '" -d "license_key=' +
  licenseKeyInput +
  '" -d "increment_uses_count=' +
  incrementUseCount +
  '" -X POST'
)

The verify endpoint treated the permalink string as the identifier of the product, but because every creator has their own subdomain (aescreens.gumroad.com and so on), the same permalink can exist under more than one of them. An attacker who created a product with the same permalink as an existing tool could therefore mint license keys on their own product, and those keys verified as valid against the tool's product_permalink without any payment to the real developer.

The Response

After discovering the issue in November, I immediately informed Gumroad and each of the developers about the vulnerability. However, the platform's response created disruption during the holidays.

Gumroad responded on December 23, requiring developers to replace the product_permalink parameter in the verify call with a new product_id parameter by January 2nd at 3am. This forced developers to update their tools during the holiday break and notify customers to reinstall them.
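To make the difference between the two lookups concrete, here is an added example (my illustration, not code from the original post, from Gumroad, or from any of the affected tools). It models a verify endpoint in memory with two sellers who both registered the permalink "type", shows that a key minted on the attacker's product passes a permalink-keyed lookup but not a product_id-keyed one, and adds the client-side checks a script should make on the response. The product ids, seller ids and keys are constructed; the response field names checked in checkVerifyResponse (success, purchase.seller_id, purchase.product_id, purchase.refunded, purchase.chargebacked) are assumptions about the shape of Gumroad's v2 response; and buildVerifyCommand shows one way to assemble the post-fix curl call without splicing the raw key into a shell string.

```javascript
// Added example (not code from the original post, Gumroad, or the affected
// tools): an in-memory model of a license-verify endpoint, showing why a
// lookup keyed on product_permalink is forgeable when permalinks are not
// globally unique, and why a lookup keyed on product_id is not.
// All ids and keys below are constructed for the demo.

// Constructed data: a legitimate seller and an attacker who registered the
// same permalink on their own subdomain. Each product has its own keys.
const PRODUCTS = [
  { seller_id: "seller_legit", product_id: "prod_legit_0001",
    permalink: "type", keys: new Set(["LEGIT-KEY-1"]) },
  { seller_id: "seller_attacker", product_id: "prod_attacker_0001",
    permalink: "type", keys: new Set(["FORGED-KEY-1"]) },
];

function makeResponse(product) {
  return {
    success: true,
    purchase: {
      seller_id: product.seller_id,
      product_id: product.product_id,
      product_permalink: product.permalink,
      refunded: false,
      chargebacked: false,
    },
  };
}

// Vulnerable lookup: the first product carrying this permalink that knows
// the key wins, whoever created it. A key minted on the attacker's duplicate
// therefore verifies for the legitimate tool.
function verifyByPermalink(products, permalink, licenseKey) {
  const match = products.find(
    (p) => p.permalink === permalink && p.keys.has(licenseKey)
  );
  return match ? makeResponse(match) : { success: false };
}

// Fixed lookup: product_id names exactly one product, so only keys issued
// for that product verify.
function verifyByProductId(products, productId, licenseKey) {
  const match = products.find(
    (p) => p.product_id === productId && p.keys.has(licenseKey)
  );
  return match ? makeResponse(match) : { success: false };
}

// Client-side check on the parsed JSON response. Field names are assumptions
// about the v2 API shape. Pinning seller_id and product_id means that even a
// permalink-keyed lookup would not accept a purchase from another seller.
function checkVerifyResponse(resp, expectedSellerId, expectedProductId) {
  if (!resp || resp.success !== true || !resp.purchase) return false;
  const p = resp.purchase;
  if (p.seller_id !== expectedSellerId) return false;
  if (p.product_id !== expectedProductId) return false;
  if (p.refunded === true || p.chargebacked === true) return false;
  return true;
}

// POSIX single-quoting so a user-typed key cannot break out of the curl
// command line when the string is handed to a shell.
function shellQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Build the post-fix curl invocation: product_id instead of product_permalink,
// form-encoded body, key never spliced raw into the command string.
function buildVerifyCommand(productId, licenseKey, incrementUses) {
  const body = new URLSearchParams({
    product_id: productId,
    license_key: licenseKey,
    increment_uses_count: incrementUses ? "true" : "false",
  }).toString();
  return "curl -s -X POST https://api.gumroad.com/v2/licenses/verify -d " +
    shellQuote(body);
}

// Walk the scenario from the post: the attacker's key against each lookup.
function demo() {
  const viaPermalink = verifyByPermalink(PRODUCTS, "type", "FORGED-KEY-1");
  const viaId = verifyByProductId(PRODUCTS, "prod_legit_0001", "FORGED-KEY-1");
  const legit = verifyByProductId(PRODUCTS, "prod_legit_0001", "LEGIT-KEY-1");
  return {
    forgedKeyPassesPermalinkLookup: viaPermalink.success,               // true: the bug
    forgedKeySurvivesSellerCheck:
      checkVerifyResponse(viaPermalink, "seller_legit", "prod_legit_0001"), // false
    forgedKeyPassesIdLookup: viaId.success,                             // false: the fix
    legitKeyPassesIdLookupAndCheck:
      checkVerifyResponse(legit, "seller_legit", "prod_legit_0001"),    // true
  };
}

console.log(demo());
```

Run it with node; demo() returns the four outcomes. The shellQuote step matters for the original ExtendScript path as well, because system.callSystem hands the assembled string to the operating system's command shell, so anything the user types into the key field ends up on that command line.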

Gumroad should have improved developer communication, avoided changes during holidays, minimized user impact by grandfathering popular tools, and disclosed whether others exploited the bug.

Gumroad did extend the deadline by one week and awarded a $500 bug bounty.


Business Implications

I remain conflicted about Gumroad's platform but haven't migrated yet, given early-stage business priorities and Gumroad's strong UX advantages. I acknowledge alternatives like LemonSqueezy and plan to eventually transition platforms.