My first bug bounty write-up about my first valid finding | A very simple ATO bug on a target that wasn't running any bug bounty program (Bounty: 40K INR)

Hi guys, I'm Shubham Bhamare from Maharashtra, India. This is my first bug bounty write-up, about my first valid bug, which could have allowed a malicious user to take over any account on the target site.

So let's start! 👉

===

Target:

As I can't disclose the name of the company, let's call it "Target". While using their website, I felt that there should be something unintended going on.

Unfortunately, they weren't running any bug bounty program. But due to the severity of this bug and the huge number of their users, I decided to contact them via email and ask whether they were running any bug bounty program or not. TBH, I just wanted to bring this issue to their attention and didn't expect any reward from them. I just wanted to get this bug fixed, as I was also a user of their service(s).

The next day, they replied that they weren't running any bug bounty program currently, but could still give a bounty based on the severity of the bug.

So with their consent, I proceeded further.

===

Setup:

Two accounts on the target, i.e. Attacker and Victim.

===

Reproduction steps/scenario:

1) The target has a login option. Users can log in either by entering a password or with an OTP.

2) Assume that both attacker and victim have created their accounts on that target.

3) Now, from the attacker's perspective, try to log in to the victim's account with OTP by entering the victim's phone number or username.

4) A 6-digit code is sent to the victim's phone.

5) After 60 seconds, click the 'Resend' button and capture the request in an intercepting proxy.

6) Modify the "phone" parameter to the attacker's phone number (one where the attacker can receive messages).

7) Forward the request.

8) The attacker now receives the OTP for the victim's login attempt, and after entering it, successfully logs in to the victim's account.


Here, the target was not checking that the phone number in the resend request belonged to the account whose OTP flow had been started. The resend endpoint trusted the client-supplied "phone" parameter instead of the number on record for the account, so the victim's login OTP was delivered to the attacker's phone.

===

Bypass:

When the team fixed this issue, I found another similar vector that could also be abused.

The target also asked for an OTP when a user requested to delete their account, and that endpoint was vulnerable in the same way.

===

Bounty:

40K INR for both bugs.

===

Takeaway(s):

1) Even if a company doesn't have a bug bounty program, if you believe there's something unintended in their infrastructure that should be fixed, contact them and get their consent before testing further. Securing something from the bad guys is always a good practice.

2) Don't hunt only on the programs/features where everyone is already hunting. Find your own programs, hidden features and techniques.

3) Always try to find a bypass.

===

Thank you for reading! Also, I'm going to publish all my Facebook bug bounty write-ups very soon, so don't forget to follow me. 😊

===

An ORDINARY guy with EXTRAORDINARY dreams!
