Abusing Broken Link In Fitbit (Google Acquisition)To Collect BugBounty Reports On Behalf Of Google !
I usually track acquisitions of websites for which I am hunting bugs regularly.
I knew that Fitbit acquisition has been completed by Google and is eligible for bounty in GoogleVRP platform.
But, I previously remember that, Fitbit was also part of some other bugbounty platform before Google’s acquisition, So wanted to make sure that I am reporting to correct platform.
Hence, I made a simple Google search and found this broken link in official website of Fitbit in the 1st page of Google result.
Now, as the reported vulnerability is fixed, you can visit the archive to see how it was, when I reported.
It means that, although the acquisition is fully complete by Google, The website mentions that vulnerabilities found in Fitbit should be reported through — Bugcrowd.
Although Bugcrowd may not host a malicious page at this broken link and start collecting Bugbounty reports from security researchers, By following zero trust for better security — It’s suggested not to trust any entity blindly whether internal or external !
Impact:
Attacker might create a new company in bugcrowd with that url and may take vulnerability reports from actual reported and exploit.
Bugcrowd platform itself may exploit this. (Although they might not, there is still a possibility)
Hence, created a nice report and submitted via GoogleVRP platform, This was triaged to Trust & Safety team, as the reported issue was identified as an Abuse Risk.
I was hoping for a good bounty, but unfortunately I was awarded with only honorable mentions, But as I am already in Google’s Hall Of Fame (Leaderboard), This wouldn’t be much beneficial for me.
As this is my first abuse risk report not a usual vulnerability report, I asked the team how the severity was assessed and evaluated to learn more.
Timeline:
Reported — Aug 10 2022
Triaged — Aug 11 2022
Accepted — Aug 16 2022
Fixed — Sep 9 2022
