First Bug, Big Win: How a $100 IDOR Bug Kicked-off My Bug Bounty Journey

T2 Social, an upcoming social media platform that could be accessed via https://t2.social is where i got my first bug from.

Like every other webapp, users need to create an account and by this they either use their phone numbers and/or email addresses

To create an account on T2, an active email address was required. So, I created an account and started using the app like a regular user. The platform had a follow feature similar to X (formerly Twitter), along with a suggestion feature that recommended accounts to follow.

I then launched Burp Suite and began examining the HTTP history, which is when I encountered GraphQL for the first time. To be honest, I was unfamiliar with it, as I had only worked with REST and SOAP APIs

I decided to do some research to gain a basic understanding of what to look for, and I came across a PortSwigger post about GraphQL.

After that, I returned to Burp Suite and discovered a request with the operation name fetchNewAccounts.

There was a variable limit set to 3, which was meant to suggest 3 random accounts for you to follow. I experimented by changing the limit to 10, 20, 50, and noticed that I could retrieve details of the accounts based on the limit set. For example, setting the limit to 100 would return 100 account suggestions.

At first, I didn’t consider this a bug, so I didn’t report it. However, after examining the request more closely, I wondered what would happen if I added email/n to the request. To my surprise, it worked. I was able to see the email addresses of the accounts within the specified limit.

The CEO frequently announced the app’s progress and the number of users who had created accounts. At the time I found this bug, the CEO had mentioned that T2 had 5,000 users.

You can probably guess what I did next 😂.

I set the limit to 5,000, and my laptop froze 😂. But eventually, I retrieved the details of all 5,000 users along with their email addresses. I decided to report this directly to the CEO since they didn’t have a bug bounty program.

They replied the same day, acknowledged the issue, and mentioned they were willing to offer a reward, although they asked me to consider that they were a startup. I received a $100 bounty, and I wish you could have seen how happy I was.

Unfortunately i can’t post the video coz thats hella lot of email addresses but i’ll try to edit and share it with y’all