Introduction
Hey everyone, I’m C. Sri Shavin Kumar, an ordinary guy who is passionate about cybersecurity, constantly exploring ways to enhance digital defenses and protect against online threats. Let’s gather around, as this is my first-ever bug bounty write-up. In the depths of the crypto platform (we’ll call it redacted.com, gotta keep it incognito because, you know, secret and stuff, yeaa), I unearthed a goldmine – their KYC feature. But here’s the kicker: I was able to bypass the KYC Lvl 1 verification and get myself verified without dropping an ID card or a selfie. Who needs an ID card and a selfie anyway, yeaa?
Anyways let’s jump right into the scenario:
What is a KYC feature?
KYC, or Know Your Customer, is a process designed to verify the identity of customers to prevent fraud and illegal activities. Here’s a brief explanation of KYC levels:
KYC Lvl 1: Basic verification that includes collecting essential information like name, address, date of birth, and government-issued identification number. It’s typically done through a document like a passport, driver’s license, or ID card, together with your selfie.
KYC Lvl 2: Involves more thorough verification, often including additional documentation or proof of address. This level may also involve screening against various databases to ensure compliance with regulations and to detect any potential risks associated with the customer.
Exploitation:
In the KYC mechanism, I stumbled upon a URL that resembles redacted.com/account/kyc/individual/1. Out of curiosity, I impulsively changed the ‘1’ to ‘3’. To my utter surprise, this action redirected me to Level 2 verification, where users are required to provide proof of address. Supposedly the user shouldn’t be able to do so without a successful verification in Level 1, right? In that moment, a rush of adrenaline flooded through me as I realized the significance of what I had found. It was both thrilling and alarming to uncover a potential loophole in the system.
But then, like a sudden thunderclap, a pressing question struck me. Damn, how am I supposed to show the impact to the team with this, tho? Remember, a quote goes like, “when there’s a way, there’s a will”? Here’s the juicy part: while navigating Level 2 verification, I stumbled upon an upload feature for proof of address documents. Taking a leap of faith, I uploaded a random PNG file, and guess what? I got myself verified just like that!
Conclusion
After pouring my heart and soul into crafting a detailed report, complete with a killer Proof of Concept, I braced myself for the team’s response. Five days of nail-biting anticipation later, my inbox pinged with the news: cha-ching! I’d hit a bounty worth $$$.
The vulnerability was rated as low for two reasons:
1. After the KYC Lvl 1 verification documents are submitted, the business system generates a ticket in their internal manual review system. Even if the KYC Lvl 1 verification status is altered using this flaw, the ticket in the manual review system does not close. There will still be manual intervention to process this ticket, so even though the KYC Lvl 1 status was temporarily changed, the manual review will ultimately revert it to an unapproved status.
2. KYC verification is mainly used to increase the withdrawal limits. Their withdrawals are governed by strict risk control mechanisms, hence the flaw does not pose a significant security risk to users. Furthermore, to maliciously withdraw funds using this vulnerability, one prerequisite is gaining control of a user’s account.
Based on the above reasons, the business team has ultimately rated this issue as low.
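The two server-side controls this finding turns on, shown as an added example that is not the platform's code: the step requested in the URL is authorized against stored KYC state, and an upload only opens a review instead of changing the verified status (the point in reason 1 above). The step-to-level mapping and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Review(Enum):
    NOT_SUBMITTED = "not_submitted"
    PENDING = "pending"      # documents uploaded, manual review ticket open
    APPROVED = "approved"    # set only when a reviewer closes the ticket
    REJECTED = "rejected"


# Assumed mapping of the step id in /account/kyc/individual/<step> to a KYC level.
STEP_LEVEL = {1: 1, 3: 2}


@dataclass
class Account:
    # Server-side record per KYC level; never derived from the requested URL.
    kyc: dict = field(default_factory=lambda: {1: Review.NOT_SUBMITTED, 2: Review.NOT_SUBMITTED})

    def verified_level(self) -> int:
        level = 0
        for lvl in sorted(self.kyc):
            if self.kyc[lvl] is not Review.APPROVED:
                break
            level = lvl
        return level


def can_open_step(account: Account, step: int) -> bool:
    """Authorize a KYC step from stored state, not from the path segment."""
    level = STEP_LEVEL.get(step)
    return level is not None and account.verified_level() >= level - 1


def submit_document(account: Account, step: int, upload: bytes) -> Review:
    """An upload only opens a review; it never marks the level verified."""
    if not can_open_step(account, step):
        raise PermissionError("previous KYC level is not approved")
    account.kyc[STEP_LEVEL[step]] = Review.PENDING
    return Review.PENDING


def close_ticket(account: Account, level: int, approved: bool) -> None:
    """Called by the manual review system; the only path to APPROVED."""
    if account.kyc[level] is not Review.PENDING:
        raise ValueError("no open review for this level")
    account.kyc[level] = Review.APPROVED if approved else Review.REJECTED
```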
Thanks for reading! Hope you enjoyed it :D And always remember, trust your intuition in bug bounty hunting. It truly can be your secret weapon for uncovering those elusive bugs and securing those bounties. Happy hunting! Stay tuned for more from me.