Behind the Bug Report: From Overlooked to Overhauled


So, let’s start,

A few months back I found a Pre-Account Takeover. Most of you probably know the concept already; if not, you can read this 👉Article in a couple of minutes. The issue was on a site called “redacted.com”, on the authentication page “redacted.com/auth”. There were two forms: one for sign-up and the other for sign-in. I was able to sign up using email, a Google account, or an Apple account. Acting as the attacker, I chose email registration and successfully signed up, which took me directly to the website’s dashboard without any email confirmation. Later, I logged out and signed up again using the Google account, and I was logged in to the same account I had previously created. This indicates a Pre-Account Takeover vulnerability: whoever registers an unverified email first inherits the account when the address’s real owner later signs in through Google.
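To make the root cause concrete, here is a small model of the account-linking logic, written as an added example for this write-up (it is not the site’s code; the store, the `google_login_*` functions and the sample addresses are constructed). The weak linker attaches a Google identity to any existing account with the same email, so an attacker’s unconfirmed email sign-up is handed to the address’s real owner. The hardened linker only auto-links when the stored email was verified and the IdP asserts the address as verified; otherwise it refuses and requires the address to be proven first.

```python
"""Pre-account-takeover via unverified email + OAuth auto-link (constructed model)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    account_id: int
    email: str
    email_verified: bool
    password_hash: Optional[str] = None       # set for email/password sign-ups
    linked_google_sub: Optional[str] = None   # Google 'sub' claim once linked


class LinkRefused(Exception):
    """Raised when an OAuth identity may not be attached to an existing account."""


class AccountStore:
    def __init__(self) -> None:
        self._by_email: dict[str, Account] = {}
        self._next_id = 1

    def _new(self, email: str, **fields) -> Account:
        acct = Account(self._next_id, email.lower(), **fields)
        self._by_email[acct.email] = acct
        self._next_id += 1
        return acct

    def signup_with_email(self, email: str, password_hash: str,
                          confirmed: bool = False) -> Account:
        # As on the page: registration is usable immediately, so the
        # address is stored unverified unless a confirmation step ran.
        return self._new(email, email_verified=confirmed, password_hash=password_hash)

    def signup_with_google(self, email: str, sub: str) -> Account:
        return self._new(email, email_verified=True, linked_google_sub=sub)

    def find_by_email(self, email: str) -> Optional[Account]:
        return self._by_email.get(email.lower())


def google_login_weak(store: AccountStore, email: str, sub: str,
                      idp_email_verified: bool = True) -> Account:
    """Vulnerable: any account with a matching email is linked and returned."""
    existing = store.find_by_email(email)
    if existing is not None:
        existing.linked_google_sub = sub   # attacker's account is handed over
        return existing
    return store.signup_with_google(email, sub)


def google_login_hardened(store: AccountStore, email: str, sub: str,
                          idp_email_verified: bool = True) -> Account:
    """Hardened: auto-link only when both sides have verified the address."""
    existing = store.find_by_email(email)
    if existing is None:
        if not idp_email_verified:
            raise LinkRefused("IdP did not assert the email as verified")
        return store.signup_with_google(email, sub)
    if existing.linked_google_sub == sub:
        return existing                     # returning Google user
    if existing.linked_google_sub is not None:
        raise LinkRefused("account already bound to a different Google identity")
    if not existing.email_verified or not idp_email_verified:
        # The local account never proved control of this address: do not
        # merge; force email re-verification (or a fresh account) instead.
        raise LinkRefused("email on existing account is unverified; re-verify first")
    existing.linked_google_sub = sub
    return existing


def run_takeover_scenario(login: Callable[..., Account]) -> str:
    """Attacker registers victim's address by email; victim then signs in via Google."""
    store = AccountStore()
    attacker = store.signup_with_email("victim@example.com", "hash-attacker")
    try:
        victim = login(store, "victim@example.com", "google-sub-victim")
    except LinkRefused:
        return "refused"
    return "taken_over" if victim.account_id == attacker.account_id else "separate"


def run_verified_scenario(login: Callable[..., Account]) -> str:
    """Legitimate user confirmed their email earlier, then adds Google sign-in."""
    store = AccountStore()
    owner = store.signup_with_email("owner@example.com", "hash-owner", confirmed=True)
    linked = login(store, "owner@example.com", "google-sub-owner")
    return "linked" if linked.account_id == owner.account_id else "separate"


if __name__ == "__main__":
    print("weak:    ", run_takeover_scenario(google_login_weak))       # taken_over
    print("hardened:", run_takeover_scenario(google_login_hardened))   # refused
    print("verified:", run_verified_scenario(google_login_hardened))   # linked
```

The fix is not to block OAuth sign-in for existing emails altogether, which would lock out legitimate users; it is to treat an unconfirmed email as an unproven claim and never let it become the join key between two authentication paths.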

I submitted a report, but after a few days I received a reply stating that this was not a valid bug, along with some other remarks. At the time I glossed over the word “Invalid”, didn’t pay much attention, and closed the mail.

However, yesterday, while going through my laptop, I came across the Proof of Concept (POC) video. After watching it, I went back to the company’s reply and noticed the last line, which said: “If you could login as ‘sundar.pichai@gmail.com’ without his Google account, then this is considered a valid issue.” I had missed this detail earlier.

If I had noticed this and submitted that POC, the report might well have been accepted as valid.

The journey of discovering and reporting vulnerabilities teaches us valuable lessons. It underscores the importance of thoroughness in communication and attention to detail. Each encounter, whether successful or not, contributes to our growth as security researchers. It’s crucial not only to identify vulnerabilities but also to effectively communicate their severity and impact. Collaboration between researchers and triagers is key to ensuring the security and integrity of online platforms.

Takeaways:

- Please don’t ignore messages from the triager.
- Embrace each experience as an opportunity for growth and learning in the realm of cybersecurity.
- Ensure correct spelling and grammar in communications.

Alright, that’s all for now. Catch you in my next write-up. Take care, bye! 👋👋 Until then, Happy Hacking.

Have any query? Let’s connect:

👉Linkedin
