Free Downloads Itch.io Vulnerability FIXED Without Credit and Reward by CYBER KALKI #ImproperAccessControl

In essence: One legitimate purchase grants infinite unauthorized downloads worldwide.

While conducting security research on itch.io, I purchased Back Flow by Beedok for $1. What I found wasn’t just a bug—it was a breach of trust.

While tearing through itch.io’s defenses, what I uncovered wasn’t just a glitch—it was a slap in the face to every creator and user on the platform.

Book purchase link 👇

After purchase, I received a download link, which is still working and serves as a live proof of concept that anyone can download for FREE.

No session lock. No login required. No barriers. No access control, just a wide-open gate to a paid file, ripe for the taking. One purchase, and anyone with that link could leech the game / file for free—forever.

Let that sink in:
💸 One buyer = infinite free downloads of any product from itch.io for the world.

🧪 Proof of Exploit

I tested the link across browsers, devices, and IPs. No authentication. No purchase check. Just raw access. I responsibly surfaced the issue via Twitter, tagging itch.io and the developer.

No response. No bounty. No thanks.

🩹 The Silent Patch

Days later, I repurchased the same game. This time, the download link was:

Now it required login from the purchasing account. The vulnerability was patched—but quietly. No changelog. No disclosure. No acknowledgment.
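The difference between the two behaviours described above (a link that works for whoever holds it, versus one that requires login from the purchasing account) is shown here as an added example; it is not the author's code or itch.io's implementation. The key, account IDs, product ID and function names are all constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-demo-key"        # constructed; a real service loads this from a secret store
PURCHASES = {("acct-1001", "game-42")}  # constructed purchase records: (account_id, product_id)


def sign(product_id: str, account_id: str, expires: int) -> str:
    """MAC over product, purchasing account and expiry, so none can be swapped."""
    msg = f"{product_id}|{account_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_link(product_id: str, account_id: str, ttl: int = 300,
               now: Optional[int] = None) -> dict:
    """Issue a short-lived download grant tied to the buyer's account."""
    expires = (int(time.time()) if now is None else now) + ttl
    return {"product": product_id, "account": account_id,
            "expires": expires, "sig": sign(product_id, account_id, expires)}


def bearer_check(link: dict) -> bool:
    """Weak pattern the post describes: possession of the link is enough."""
    return bool(link.get("sig"))


def authorize_download(link: dict, session_account: Optional[str],
                       now: Optional[int] = None) -> bool:
    """Hardened check: valid MAC, unexpired, logged-in buyer, purchase on record."""
    now = int(time.time()) if now is None else now
    expected = sign(link["product"], link["account"], link["expires"])
    if not hmac.compare_digest(expected, link.get("sig", "")):
        return False   # tampered or forged link
    if now > link["expires"]:
        return False   # old links stop working instead of living forever
    if session_account is None or session_account != link["account"]:
        return False   # anonymous request, or a different logged-in account
    return (session_account, link["product"]) in PURCHASES
```

The expiry check is what makes previously issued links stop working once the fix ships, rather than remaining valid indefinitely.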

And yet—the original link still works, screaming proof of their negligence and their quiet fix. Proof that the vulnerability was real. Proof that they fixed it. Proof that they said nothing.

🧠 Why This Matters

A culture of silence. A refusal to honor researchers who protect users. It’s about a rotten culture of secrecy. It’s about platforms like itch.io profiting off creators while ignoring the researchers who guard their gates. This is a pattern. A parade of silent patches from tech’s biggest names:

Let’s name names. These companies have all silently patched vulnerabilities I reported: ☠️

– YouTube
– Google
– Zomato
– Netflix
– Reddit
– Stripe
– OpenAI
– ExpressVPN
– Itch.io

Eight giants. Eight silent patches. Zero credit. Zero respect for the researchers who exposed their weaknesses.

⚔️ A Battle Cry to the Industry

You don’t get to sweep your failures under the rug.
You don’t get to patch in the shadows while we bleed for transparency.
You don’t get to silence the warriors who protect your users.

You don’t get to fix your flaws and pretend they never existed.
You don’t get to patch quietly while researchers go unacknowledged.
You don’t get to profit from silence while we fight for transparency.

I am Cyber Kalki, and I’m done with your games. Every exploit is archived. Every patch is branded. Every silence will be shattered into a deafening roar for accountability.

Rise up, researchers. Let’s burn down the culture of silence.
