I recently found out this service LingualBox that provides one-on-one English sessions by Philippines teachers for whom want to improve their English skill. I figured that the service’s price is highly affordable, plus Philippines’s fluent English speaking is undoubted, so I decided to give it a try. So far I found my favorite tutor and very happy with the service.
But on other hand, as a programmer, when looking around and inspect some API calls from front-end, I found a major bug that allow any LingualBox user (even with Trial permission, i.e no active subscription) to book one-on-one sessions for FREE with any tutors. I’m documenting it here for reference purpose and will not publish it until it’s solved by LingualBox, as it would suffer this great service (and price is already reasonable).
Let’s start with manual booking process
- I registered a new account pltchuong, ID 10030, and I’m a Trial user by default with 0 regular tickets and 2 non-expiration tickets
- I booked a random slot of a random tutor:
- This is how the API looks like:
| Request | Response |
 |  |
- Looking at this API request, I found something interesting:
- Obviously,
start_timestamp,end_timestampandtutor_idare all required for a booking request - However there is also
ticket_costandsub_ticket_cost, which I guess indicating the “price” I have to pay for each session.sub_ticket_costprobably for non-expiration ticket andticket_costprobably for regular ticket.
- Obviously,
- With these two extra parameters, I suppose we can “control the price” by changing it to
0(i.e free), so let’s changesub_ticket_costto0instead of1, and send request by cURL:
curl 'https://api.lingualbox.com/book'
...
'{"tutor_id":7428,"start_timestamp":1594796400000,"end_timestamp":1594797900000,"ticket_cost":0,"sub_ticket_cost":0}'
- Looks like booking is successful:
{"booking":{"id":174092,"start_at":1594796400000,"end_at":1594797900000,"consumed_tickets":0,"consumed_sub_tickets":0,"created_at":"2020-07-13T18:27:28.704Z","updated_at":"2020-07-13T18:27:28.704Z","student_name":"Phan Chuong",...
- And this is the result after a couple more tries: My 2 non-expiration tickets is remain unused, even though I booked 4 slots in total.
- I also tried with my actual account, but this time I changed
ticket_costinstead and as expected, I don’t have to spend any regular tickets for booked sessions
| Timeline | Action |
| 2020/07/12 | Found the bug |
| 2020/07/13 | Publish a protected document |
| 2020/07/14 | LingualBox confirmed the issue and fixing |
| 2020/07/17 | LingualBox fixed the bug |
Phan's notes 