In GitKraken there is a potential vulnerability that allows access to Pro features without paying for them. I have tested this in 6.0.1, 6.1.1, and 6.1.4, but I suspect it works in all other versions as well.
Using a proxy server, such as Fiddler on Windows, it is trivial to change the response from the "https://api.gitkraken.com/phone-home" API endpoint to trick GitKraken into thinking the user has a Pro (or other) plan, unlocking the features of that plan even if the user has not paid for it.
This is done by changing the response from the "https://api.gitkraken.com/phone-home" endpoint to:
    {
      "code": 0,
      "message": "Activated",
      "availableTrialDays": 0,
      "features": [
        {"betaFeaturesEnabled": true, "name": "gitkraken"},
        {"betaFeaturesEnabled": true, "name": "glo"}
      ],
      "licensedFeatures": ["pro"],
      "planCode": "gitkraken_pro",
      "planName": "GitKraken Pro"
    }
Due to GitKraken not validating or securing the responses in any way, the client treats this as valid and unlocks the features of the plan. I suspect this can also be used to gain access to features of other plans, but I have not tested this.
Using this I was able to access a private repo and interact with it as normal, even though I only have the free plan. I have not tested the full feature set completely.
The response could potentially be changed and might contain useless data, as I have not fully experimented with the response, but the example here works as expected.
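
One way a client could detect the tampering described above is to have the server sign the entitlement response and have the client verify it before trusting any plan field. The sketch below is an added example, not GitKraken's code: the `signEntitlement`/`verifyEntitlement` names, the `nonce` and `expires` fields, the `free` fallback plan and the key pair are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key pair. In a real deployment only the server holds the private
// key and the client ships with the public key pinned.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Server side (hypothetical): sign the exact body bytes, which embed the
// client's nonce and an expiry so an old signed response cannot be replayed.
function signEntitlement(entitlement, nonce, ttlSeconds, now = Date.now()) {
  const body = JSON.stringify({ ...entitlement, nonce, expires: now + ttlSeconds * 1000 });
  const signature = crypto.sign(null, Buffer.from(body), privateKey).toString('base64');
  return { body, signature };
}

// Client side (hypothetical): verify the signature over the raw bytes before
// parsing, then check nonce and expiry. Any failure yields the free plan.
function verifyEntitlement(response, expectedNonce, now = Date.now()) {
  const free = { planCode: 'free', licensedFeatures: [] };
  try {
    const ok = crypto.verify(null, Buffer.from(response.body), publicKey,
      Buffer.from(response.signature, 'base64'));
    if (!ok) return free;
    const claims = JSON.parse(response.body);
    if (claims.nonce !== expectedNonce || now > claims.expires) return free;
    return claims;
  } catch {
    return free; // malformed body or signature is treated as unlicensed
  }
}

// Constructed demo: a genuine paid response, a free response rewritten in
// transit to claim the Pro plan, a replay under a new nonce, and an expired one.
function demo() {
  const now = Date.now();
  const nonce = crypto.randomBytes(16).toString('hex');
  const paid = signEntitlement({ planCode: 'gitkraken_pro', licensedFeatures: ['pro'] }, nonce, 300, now);
  const freeResp = signEntitlement({ planCode: 'free', licensedFeatures: [] }, nonce, 300, now);
  const tampered = { ...freeResp,
    body: freeResp.body.replace('"planCode":"free"', '"planCode":"gitkraken_pro"') };
  return {
    paid: verifyEntitlement(paid, nonce, now).planCode,
    tampered: verifyEntitlement(tampered, nonce, now).planCode,
    replayed: verifyEntitlement(paid, 'some-other-nonce', now).planCode,
    expired: verifyEntitlement(paid, nonce, now + 301 * 1000).planCode,
  };
}
```

A check like this runs inside the client, so it only covers modification of the response in transit; access to server-held resources still has to be authorised on the server.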