Day 18: How a Researcher Hacked One of the Biggest Airline Groups in the World

dani3l

About a year ago, when the researcher was just starting out on HackerOne, they found one of the most impactful bugs of their career. They received a private invitation to a Vulnerability Disclosure Program (VDP) run by an airline group. Since they were still learning and wanted to gain experience, they joined the program without worrying about bounties.

Initial Discovery

After a few minutes of reviewing the program's scope, the researcher noticed that the airline group used a single, unified login system shared across multiple airline websites. They decided to test the “Forgot your password?” flow first.

When they entered their email, they received a password reset link in the following format:

https://████████/password/?key=████████

After clicking the link and reaching the password change page, they captured the request, which looked like this:

PATCH /api/members/314159/profile HTTP/2
Host: ████████

{"credentials":{"token":"MyNewPassword"},"resetToken":{"token":"████████"}}

At this point, they noticed something interesting: the target account was named by a numeric user ID (314159) in the URL path. Small numeric IDs like this are usually auto-incrementing, which makes other users' IDs trivial to guess and hints at a possible IDOR (Insecure Direct Object Reference) vulnerability, where the server trusts the client-supplied identifier without checking that the caller is allowed to act on that object.

Exploiting the IDOR

To test the hypothesis, the researcher accessed the following endpoint directly in their browser:

https://████████/api/members/314159/profile

To their surprise, the response contained their email address in plain text, and no authentication had been required. They then substituted other user IDs into the path and could list other users' email addresses without ever logging in.

Using Burp Suite, they automated the ID iteration and confirmed that the endpoint exposed the email addresses of thousands of users.

🚀 First report sent: The researcher immediately submitted the vulnerability report, which was triaged as high impact.

Taking Over Any Account

Instead of stopping there, they tested whether they could change another user's password simply by modifying the user ID in the password-change request.

They created a second account to act as the victim and replayed the password-change request with only the user ID swapped for the second account's:

PATCH /api/members/<second_account_id>/profile HTTP/2
Host: ████████

{"credentials":{"token":"MyNewPassword"},"resetToken":{"token":"████████"}}

🔴 Response: HTTP/2 400 Bad Request

{"@type":"application.error.ValidationError","code":"REQUEST_UNAUTHORIZED"}

The reset token was evidently bound to the account it had been issued for, so a mismatch between the token and the user ID in the path was rejected.

So they tried removing the resetToken object from the body entirely:

PATCH /api/members/<second_account_id>/profile HTTP/2
Host: ████████

{"credentials":{"token":"MyNewPassword"}}

🟢 Response: HTTP/1.1 204 (Success!)

At that moment they realized they had fully taken over another account: the server validated the reset token only when one was present, so omitting it skipped the check entirely, and the password of any user could be set with nothing more than that user's numeric ID, with no reset token, no current password and no interaction from the victim.
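To make the two flaws concrete, here is an added example that is not the airline group's code (which was never published): a miniature Python model of the profile endpoint, with handlers that behave the way the write-up describes beside hardened versions. It covers both the unauthenticated GET that leaked emails and the PATCH whose reset-token check could be skipped. The member IDs, email addresses, token format, Store class and every error code other than REQUEST_UNAUTHORIZED are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

class HttpError(Exception):
    def __init__(self, status: int, code: str):
        super().__init__(code)
        self.status = status

@dataclass
class Store:
    """Constructed in-memory stand-in for the member database (sample data, not real)."""
    members: dict = field(default_factory=lambda: {
        314159: {"email": "researcher@example.com", "password": "old-pw-1"},
        314160: {"email": "victim@example.com", "password": "old-pw-2"},
    })
    reset_tokens: dict = field(default_factory=dict)  # token -> (member_id, expiry epoch)

    def issue_reset_token(self, member_id: int, ttl: int = 900) -> str:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (member_id, time.time() + ttl)
        return token

# --- Vulnerable handlers: they behave the way the write-up describes ---
def get_profile_vulnerable(store: Store, member_id: int, session_member: Optional[int]) -> dict:
    # GET /api/members/<id>/profile: no authentication, no ownership check, so any caller can walk the IDs.
    return {"email": store.members[member_id]["email"]}

def patch_profile_vulnerable(store: Store, member_id: int, body: dict,
                             session_member: Optional[int]) -> int:
    # PATCH /api/members/<id>/profile: the reset token is validated only when the client sends one ...
    reset = body.get("resetToken", {}).get("token")
    if reset is not None:
        bound = store.reset_tokens.get(reset)
        if bound is None or bound[0] != member_id:
            raise HttpError(400, "REQUEST_UNAUTHORIZED")
    # ... so a body without "resetToken" skips every check, and the path ID alone
    # decides whose password is overwritten.
    store.members[member_id]["password"] = body["credentials"]["token"]
    return 204

# --- Hardened handlers ---
def get_profile_fixed(store: Store, member_id: int, session_member: Optional[int]) -> dict:
    if session_member is None:
        raise HttpError(401, "UNAUTHENTICATED")
    if session_member != member_id:
        raise HttpError(403, "FORBIDDEN")  # 404 would additionally hide whether the ID exists
    return {"email": store.members[member_id]["email"]}

def patch_profile_fixed(store: Store, member_id: int, body: dict,
                        session_member: Optional[int]) -> int:
    new_password = body.get("credentials", {}).get("token")
    if not new_password:
        raise HttpError(400, "MISSING_CREDENTIALS")
    reset = body.get("resetToken", {}).get("token")
    if reset is not None:
        # Reset flow: the token, not the URL, decides whose password may change.
        bound = store.reset_tokens.get(reset)
        if bound is None or bound[1] < time.time():
            raise HttpError(400, "REQUEST_UNAUTHORIZED")
        if bound[0] != member_id:
            raise HttpError(403, "FORBIDDEN")
        del store.reset_tokens[reset]  # single use: a replayed token must fail
    else:
        # No token means a self-service change: the caller must be logged in as the member in
        # the path (a real service would also demand the current password here).
        if session_member is None:
            raise HttpError(401, "UNAUTHENTICATED")
        if session_member != member_id:
            raise HttpError(403, "FORBIDDEN")
    store.members[member_id]["password"] = new_password
    return 204

def status_of(call):
    """Run a handler and return its result, or the HTTP status it raised."""
    try:
        return call()
    except HttpError as err:
        return err.status

def reproduce() -> dict:
    """Replay the write-up's requests against both versions and collect the outcomes."""
    attacker, victim = 314159, 314160
    no_token = {"credentials": {"token": "MyNewPassword"}}
    out = {}
    vuln = Store()
    with_token = {**no_token, "resetToken": {"token": vuln.issue_reset_token(attacker)}}
    out["vuln_get"] = get_profile_vulnerable(vuln, victim, None)["email"]
    out["vuln_patch_with_token"] = status_of(lambda: patch_profile_vulnerable(vuln, victim, with_token, None))
    out["vuln_patch_no_token"] = status_of(lambda: patch_profile_vulnerable(vuln, victim, no_token, None))
    out["vuln_victim_password"] = vuln.members[victim]["password"]
    fixed = Store()
    with_token = {**no_token, "resetToken": {"token": fixed.issue_reset_token(attacker)}}
    out["fixed_patch_with_token"] = status_of(lambda: patch_profile_fixed(fixed, victim, with_token, None))
    out["fixed_patch_no_token"] = status_of(lambda: patch_profile_fixed(fixed, victim, no_token, None))
    out["fixed_own_reset"] = status_of(lambda: patch_profile_fixed(fixed, attacker, with_token, None))
    out["fixed_replay"] = status_of(lambda: patch_profile_fixed(fixed, attacker, with_token, None))
    out["fixed_victim_password"] = fixed.members[victim]["password"]
    return out
```

Calling reproduce() replays the story: the vulnerable PATCH answers 400 when the researcher's own token is sent with the victim's ID and 204 when the token is simply omitted, leaving the victim's password overwritten, while the hardened version answers 401 or 403 to every cross-account attempt, accepts the legitimate reset once and rejects its replay. The part worth remembering is the structure of patch_profile_fixed: the reset token identifies the account, the path ID must agree with it, and when no token is present the request falls back to requiring an authenticated session for that same account rather than to no check at all.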

Impact

🔴 The vulnerability allowed changing the password of any user in the airline group.
🔴 Users’ credit cards and sensitive data were at risk.
🔴 Attackers could have accessed millions of users’ accounts across multiple airlines.

🚀 Final report sent: The researcher submitted this as a critical vulnerability and asked if it was eligible for a bounty.

Since the original program was a VDP (which pays no rewards), the airline group moved the report to its private Bug Bounty Program. There it was rated CVSS 10.0 (the maximum severity) and the researcher was awarded the highest bounty the program offered.

Conclusion

💰 One of the researcher’s first bounties on HackerOne was also one of the most impactful bugs they had ever found!

This vulnerability could have compromised thousands or millions of accounts, exposing sensitive data, including stored credit card details.

The lesson? Always exercise password reset mechanisms end to end, and test every API endpoint that takes an object ID for IDOR: swap the ID for another user's, drop optional fields such as tokens, and check whether the server still enforces authorization on its own.
