Hey amazing hackers!
I’m Mohamed Sayed (@sayedv2), and today I’m excited to share with you a fascinating story about a business logic vulnerability I discovered in a public bug bounty program.
A business logic vulnerability is a type of security flaw that occurs when an application’s logic or workflow is flawed, allowing an attacker to manipulate or exploit the system in unintended ways. This can lead to unauthorized access, data tampering, or other malicious activities.
I spent a week hunting for bugs in this program. The program lets you create a team and invite users with different roles, but it seemed almost secure.
That was until I stumbled upon a feature that caught my attention — the ability to create a board, add items, and engage with team members through a comment section.
Every item contains a comment section where you can communicate with your members and chat with them about the items.
But what really piqued my interest was the option to react to comments. I added a reaction, intercepted the request, and found a parameter called “reactions” that carried a value.
I decided to test the react function by intercepting the request and manipulating the “reactions” parameter. I wondered, what if I entered a random value? Would the system accept it? I sent the request, and then… I waited.
When I refreshed the page, I was shocked to discover that the comment section was now locked — permanently! It dawned on me that any member could exploit this vulnerability to lock the comments, rendering them inaccessible to everyone.
No one can access this page again: the comment section is locked permanently, so any member can lock the comments and nobody can access them afterwards.
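The failure mode described above is a classic consequence of storing a client-supplied enum value without validating it. The following is an added example, not code from the original post or from the affected program: it models a hypothetical comment-reaction handler in Python, showing a weak version that persists whatever the client sends (so one malformed value later breaks rendering for every viewer) next to a hardened version that checks the value against a server-side allowlist before touching persistent state and records the rejection for detection. The reaction names, the `Comment` structure and the strict renderer are all assumptions constructed for the example; the real application's internals are not known from the writeup.

```python
from dataclasses import dataclass, field

# Constructed allowlist: the reaction values this hypothetical product supports.
ALLOWED_REACTIONS = frozenset({"like", "heart", "laugh", "clap"})

# Constructed icon table used by the strict renderer below.
REACTION_ICONS = {"like": "[+1]", "heart": "[<3]", "laugh": "[:D]", "clap": "[clap]"}


@dataclass
class Comment:
    comment_id: int
    body: str
    # reaction name -> count; this is the persistent state a bad value corrupts
    reactions: dict = field(default_factory=dict)


def react_unvalidated(comment: Comment, reaction) -> bool:
    """Weak handler: trusts the client-supplied "reactions" value and stores it.

    Nothing fails at request time, which is why the bug is easy to miss; the
    damage only appears when the thread is rendered later, for every viewer.
    """
    comment.reactions[reaction] = comment.reactions.get(reaction, 0) + 1
    return True


def react_validated(comment: Comment, reaction, audit_log: list) -> bool:
    """Hardened handler: reject anything outside the allowlist before it is
    persisted, and log the rejection so repeated attempts are visible to SecOps.
    Returns True if the reaction was applied, False if it was rejected."""
    if not isinstance(reaction, str) or reaction not in ALLOWED_REACTIONS:
        audit_log.append(
            f"rejected reaction {reaction!r} on comment {comment.comment_id}"
        )
        return False
    comment.reactions[reaction] = comment.reactions.get(reaction, 0) + 1
    return True


def render_reactions(comment: Comment) -> str:
    """Strict renderer: maps each stored reaction to its icon.

    An unknown key raises KeyError, which is the constructed stand-in for the
    "comment section is locked for everyone" symptom described in the post.
    """
    return " ".join(
        f"{REACTION_ICONS[name]} x{count}" for name, count in comment.reactions.items()
    )


def thread_is_viewable(comment: Comment) -> bool:
    """True if the comment's reactions can still be rendered for readers."""
    try:
        render_reactions(comment)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    weak = Comment(1, "first item")
    react_unvalidated(weak, "like")
    react_unvalidated(weak, "<<not-a-reaction>>")  # one bad value from any member
    print("weak handler, thread viewable:", thread_is_viewable(weak))  # False

    log = []
    strong = Comment(2, "second item")
    react_validated(strong, "<<not-a-reaction>>", log)
    react_validated(strong, "heart", log)
    print("hardened handler, thread viewable:", thread_is_viewable(strong))  # True
    print("audit log:", log)
```

The important design point is where the check lives: the allowlist is enforced server-side, on the exact value that will be written, rather than in the client UI that only ever offers valid choices. The audit entry gives defenders a signal (a member repeatedly submitting out-of-range reaction values) that would otherwise be invisible until a thread breaks.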
This experience taught me that even the most secure-looking applications can harbor hidden vulnerabilities. As hackers, it’s our job to think creatively and test the boundaries of what’s possible. Who knows what other secrets are waiting to be uncovered?
14 October 2024 → reported
16 October 2024 → duplicate