$500 in 5 minutes

Extremely easy bug to find with good bounties.

Happy new year and hello 👋

This is my first bug bounty writeup, so I apologise if I make any mistakes. I hope this helps in your hunting methodology, so let’s get to it.

I have made this writeup to show how easy it is to find this bug and get that sweet bounty. The bug is impersonation via broken link hijacking.

It’s rated a P4 on Bugcrowd’s VRT, and I’m going to walk you through how I found it and some tools to help you find yours.

How i found it:

I was playing around on DropBox’s bug bounty program and noticed that there was a fairly recent update on their site and that there was another company, HelloSign, that had joined DropBox so I started looking into the social media icons and clicking on all of them when I saw that the Twitter account for HelloSign didn’t exist. So i took it over and made an account PoC.

So it’s extremely simple to test for: simply locate the social media icons (usually at the bottom of the page) and click on all of them to see if the accounts exist; if not, you can perform a takeover by signing up in their username.

So I reported it and got $300 from Dropbox, which was cool. After further testing on some of their subdomains, I found the same bug, but this time instead of Twitter, it was Facebook. I performed the exact same steps and reported it and got $200 for it.

So in total a pretty good day with $500 in 5 minutes, so this is a good little bug to look out for.

Looking out for this bug can get annoying if you have a large target with large subdomains, so there is a way to automate the process. There is a tool called SocialHunter that can automate this process. Props to an awesome hunter called at0m for a video on this tool: (https://www.youtube.com/watch?v=NSp4Mv2CfI8)

Tool: https://github.com/utkusen/socialhunter

Thanks for reading hopefully this helps.

Best of luck ~ CoffeeAddict