Welcome to Day 5
I’ve decided to extend this challenge to the 30th of March instead of the 23rd. It’s day 5 and I haven’t received a single bounty, so extending it only makes sense. It has been really fun for me so far, so why stop now :)
In Day 4, I mentioned a vulnerability I wanted to report. The vulnerability is a Broken Access Control that allows an attacker to communicate with company staff as another user; the program uses a third-party endpoint for this, and I figured I’d have to escalate this vulnerability or else it would get closed as informative. I tried to get my second account deleted using this vulnerability, but the staff member told me to send an email confirming the account deletion, and this renders the vulnerability useless in the context of bug bounty hunting. I believe a malicious hacker with social engineering skills could get through this obstacle easily, but that is out of scope, therefore I’ve decided to move on from it and keep hunting for more vulnerabilities.
I spent hours doing recon — specifically directory brute forcing. When it was all done, I found nothing of value, but I came across an interesting page — “.DS_Store”
My excitement was short-lived because I found out that there was no sensitive information I could retrieve from this, and submitting “.DS_Store is exposed” is a golden ticket to getting your report closed as informative; there’s simply no impact at all. I’ll keep hacking and trying my best. As they say, “Hard work always pays off” :)
Happy Hacking. See you tomorrow. ❤