💰$100 Bounty: Username Restriction Bypassed
Hello, fellow hackers! 👋 In this writeup, I’m excited to share how I discovered a Username Restriction Bypass vulnerability on a popular social media platform (name redacted for privacy) during a HackerOne Bug Bounty Program, which rewarded me with a sweet $100 bounty. 💵
This flaw allowed the creation of fake usernames and fake organisations, leading to serious impersonation issues. Curious about how it was done? Let’s dive right in! 🚀
🔎 What’s the Issue?
The platform enforced username restrictions, allowing only alphanumeric characters (A-Z, 0–9) plus underscores (_). However, I discovered a way to bypass these restrictions and create usernames containing special characters, making them unviewable or misleading.
🤔 Why is This Dangerous?
Attackers could exploit this to:
- Create fake profiles that are not viewable or traceable.
- Bypass bans on specific users by recreating their profiles with slight variations (e.g., “L!sa” instead of “Lisa”).
- Impersonate legitimate users or organizations by using visually similar characters (e.g., “L i s a” with spaces).
This could mislead platform administrators during report reviews or when verifying user identities, potentially allowing banned users to bypass restrictions or engage in impersonation. ⚠️
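The root cause of a bug like this is that the allowed-character rule is checked only where the attacker controls it (the browser form), so a request edited in a proxy never meets the check. The following is an added example, not code from the original writeup or from the affected platform: a server-side validator that re-applies the rule “letters (A-Z), numbers (0–9) and underscores (_) only” to the raw request value, shown beside a naive check that looks equivalent but still lets the “L!sa”-style lookalikes through. The function names, the 1–30 length bound and the sample requests are my own assumptions.

```python
import re

# Anchored, ASCII-only character class. re.fullmatch is used instead of
# re.match with "^...$" because "$" also matches just before a trailing
# newline, so "Lisa\n" would slip past a "$"-anchored pattern.
# The 1-30 length bound is an assumption for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,30}")

ERROR_MSG = "Only letters (A-Z), numbers (0-9), and underscores (_) are allowed."


def is_valid_username(name: str) -> bool:
    """Server-side rule: must run on the value taken from the request body,
    regardless of what the browser form already validated."""
    return USERNAME_RE.fullmatch(name) is not None


def naive_check(name: str) -> bool:
    """A check that *looks* equivalent but is not. In Python 3, \\w is
    Unicode-aware (Cyrillic, Arabic digits, ... all match) and "$" tolerates
    a trailing newline, so homoglyph and whitespace variants pass."""
    return re.match(r"^\w+$", name) is not None


def validate_profile_update(payload: dict) -> tuple[bool, str]:
    """Validate the 'username' field of a (hypothetical) profile-update
    request exactly as the server would, before touching the database."""
    name = payload.get("username")
    if not isinstance(name, str):
        return False, "username must be a string"
    if not is_valid_username(name):
        return False, ERROR_MSG
    return True, "ok"


# Constructed sample requests: what a proxy-edited POST body might carry once
# the browser-side check has been bypassed.
CONSTRUCTED_REQUESTS = [
    {"username": "Lisa123"},      # legitimate
    {"username": "L!sa"},         # punctuation, mimics a banned user
    {"username": "L i s a"},      # embedded spaces
    {"username": "Lisa\n"},       # trailing newline
    {"username": "Lis\u0430"},    # Cyrillic 'а' homoglyph
    {"username": ["Lisa"]},       # wrong JSON type
]


def audit(requests: list[dict]) -> list[tuple[str, bool, bool]]:
    """Return (repr(value), naive_result, strict_result) per request so the
    gap between the two checks is visible."""
    rows = []
    for req in requests:
        value = req.get("username")
        naive = naive_check(value) if isinstance(value, str) else False
        strict, _ = validate_profile_update(req)
        rows.append((repr(value), naive, strict))
    return rows


if __name__ == "__main__":
    for value, naive, strict in audit(CONSTRUCTED_REQUESTS):
        print(f"{value:<14} naive={naive!s:<5} strict={strict}")
```

Running it shows “Lisa\n” and the Cyrillic “Lisа” accepted by the naive check and rejected by the strict one, which is the gap an impersonator relies on. The same rule should also be enforced as a database constraint (or at least re-checked on read) so that a future code path cannot reintroduce the bypass.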
🔥 How I Did It: Step-by-Step Exploit
[1] Navigate to the Profile Section:
- Go to: https://redacted.com/profiles/
- Edit your username and attempt to add special characters (e.g., “!”, “.”, or a space).
- Notice the error message: “Only letters (A-Z), numbers (0–9), and underscores (_) are allowed.”
[2] Bypass Using Burp Suite:
- Enter a valid username (e.g., “Lisa123”) and click Save.
- Capture the request using Burp Suite and send it to the Repeater.
- In the Repeater tab, modify the…