My first bug bounty write-up about my first valid finding | A very simple ATO bug in a target that wasn’t running any bug bounty program (Bounty: 40K INR)

It’s my first bug bounty write-up about my first valid bug which could have allowed a malicious user to take over any account on that target site

Shubham Bhamare
InfoSec Write-ups


Hi guys, I’m Shubham Bhamare from Maharashtra, India. It’s my first bug bounty write-up about my first valid bug which could have allowed a malicious user to take over any account on that target site.

So let's start! 👉

===

Target:

As I can’t disclose the name of the company, let’s call it “Target”. While using their website, I noticed behaviour that looked unintended.

Unfortunately, they weren’t running any bug bounty program. But given the severity of this bug and the vast number of their users, I decided to contact them via email and ask whether they were running any bug bounty program. TBH, I just wanted to bring this issue to their attention and didn’t expect any reward. I just wanted the bug fixed, as I was also a user of their service(s).

The next day, they replied that they weren’t running any bug bounty program currently but could pay a bounty based on the severity of the bug.

So with their consent, I proceeded further.

===

Setup:

Two accounts on the target: an attacker account and a victim account.

===

Reproduction steps/scenario:

1) Target has a login option. Users can log in either by entering a password or with an OTP.

2) Assume that the attacker and victim have created their accounts on that target.

3) Now, from the attacker's perspective, try to log in to the victim's account with OTP by entering the victim's phone number or username.

4) A 6-digit code will be sent to the victim.

5) After 60 seconds, click the 'Resend' button and capture the request.

6) Modify the "phone" parameter to the attacker's phone number (where the attacker can receive messages).

7) Forward the request.

8) Now the attacker receives the OTP and, after entering it, successfully logs in to the victim's account.

Here, the target wasn't validating the phone number against the account when resending OTPs: the resend endpoint trusted the client-supplied "phone" parameter instead of the number already registered to the account being logged into.

===

Bypass:

When the team fixed this issue, I found another similar vector that could also be abused.

The target asked for an OTP when a user requested account deletion, and that resend endpoint had the same flaw, so it was also vulnerable.
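The root cause in both the login and the account-deletion flows is the same: the resend handler took the OTP destination from the request instead of from the account of record. The following is an added example (not the target's code) contrasting a handler with that behaviour against a hardened one; account data, phone numbers, limits and function names are constructed for illustration.

```python
import hmac
import secrets

# Constructed sample account store; the phone of record lives server-side only.
ACCOUNTS = {"victim": {"phone": "+91-9000000001"}}

# Pending OTP challenges, keyed by an opaque id handed to the client.
CHALLENGES = {}
MAX_RESENDS = 3  # assumed cap; tune to the product


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


def start_challenge(username, purpose):
    """Create an OTP challenge ('login' or 'delete_account') bound to the account of record."""
    cid = secrets.token_urlsafe(16)
    CHALLENGES[cid] = {"user": username, "purpose": purpose,
                       "phone": ACCOUNTS[username]["phone"],
                       "code": _new_code(), "resends": 0}
    return cid  # the client only ever holds this id, never the destination


def resend_vulnerable(cid, phone):
    """Behaviour described in the write-up: the resend handler trusts the request's phone."""
    ch = CHALLENGES[cid]
    ch["code"] = _new_code()
    return phone  # the victim's OTP is delivered to whatever number was supplied


def resend_hardened(cid, phone_from_request=None):
    """Fix: deliver only to the stored phone, cap resends, flag any client-side mismatch."""
    ch = CHALLENGES[cid]
    if ch["resends"] >= MAX_RESENDS:
        raise PermissionError("resend limit reached")
    # A phone in the request that differs from the record is a tamper signal worth logging.
    tampered = phone_from_request is not None and phone_from_request != ch["phone"]
    ch["code"] = _new_code()
    ch["resends"] += 1
    return {"deliver_to": ch["phone"], "tampered": tampered}


def verify(cid, code, purpose):
    """Accept a code only for the challenge's own purpose; constant-time compare; single use."""
    ch = CHALLENGES.get(cid)
    if ch is None or ch["purpose"] != purpose:
        return False
    if not hmac.compare_digest(ch["code"], code):
        return False
    del CHALLENGES[cid]
    return True
```

Binding the purpose to the challenge also stops an OTP issued for login from being replayed against the account-deletion flow.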

===

Bounty:

40K INR for both bugs.

===

Takeaway(s):

1) Even if a company doesn't have a bug bounty program, if you believe there's something unintended in their infrastructure that should be fixed, contact them and get their consent before testing further. Securing something from the bad guys is always good practice.

2) Don't hunt only on the programs/features where everyone is already hunting. Find your own programs, hidden features and techniques.

3) Always try to find a bypass of the fix.

===

Thank you for reading! Also, I’m going to publish all my Facebook bug bounty write-ups very soon. So don’t forget to follow me on Medium. 😊

===
