First Valid Bug Bounty Submission — Information Leakage

Disclaimer: I do not claim to be a professional! Just sharing my personal experience ;)

According to Varonis.com, the world experienced a total of 7 million data records compromised everyday and 56 records every second. I am sure that everyone is well-versed regarding the impact of a Data Breach. The range is endless, starting from identity theft, private information disclosure, and many more, depending on the severity of the breach of course. But a breach is still a breach right? No matter how little and insignificant the information is, companies which we have trusted to keep our private information needs to maintain integrity and responsibility for it. Therefore, many companies have resorted to prevent Data Breaches by rewarding white hat hackers through bug bounty programs.

Platforms such as; Hackerone, Bug Crowd and etc. are places to look for these programs. Honestly, there are a lot great hackers out there who are sharing gold information regarding the what, why and how of Data Breaches, but I will try my best to share and discuss from the point of view of a newbie. Let me start of by introducing my-self, my name is Emanuel Beni Harijanto and I am 20 years old. I am a computer enthusiast from Indonesia and I have been in the bug bounty business for a little over 3 months. Why is this important? I have seen a lot of young adults or newbies in this industry discrediting themselves because they are ‘too young’ and is a ‘new’ player. This is completely wrong! I have always been a firm believer that whats done in the winter will show up in the summer. So I guess a tip that I would give to new players out there is to work harder (notice the er) and read tons of books and posts.

Since this is my first time writing a blog, I have decided to take the approach of ‘Learning from Examples’, therefore I will share one of my experiences on a Major bug bounty submission. Due to company strict disclosure guidelines and severity of impact, I will not mention the company name nor the sensitive data found (just trust me on this one guys).

Let’s call this company, X. Company X is a new online based company which provides services, such as consultation, to customers who are willing to pay with experts registered there. Fortunately, this company has an open and public bug bounty program which enables us to see the scope and accepted vulnerabilities. Most companies running bug bounty programs will state explicitly that they’re main concern is regarding user’s integrity and privacy. Now, when looking for Information Leakage, don’t be too blinded by the word ‘user’. As a newbie, the first thing that comes into mind is that user is the customers/clients who are using the services. This is not the case! Other parties such as; employees and experts registered there are considered as users too!

If you are fresh of the boat, a tool that is commonly used to intercept, monitor, alter, compare, decode request and response is Burp Suite. I have not tried the professional edition, but according to a lot of hackers, the community edition is more than enough. A Data Breach can be caused by multiple different vulnerabilities; IDOR, injections, SSRF, LFI and etc. In my case, I was lucky enough to find a broken endpoint where software engineers in company X forgot to filter out private information of the experts registered on their platform. This is a really common mistake in new companies where engineers forgot to exclude private information. For the method of exploitation, all I did was traverse and explore the web application first while turning Burp Suite on, then examining juicy potential endpoints one-by-one. After 10 minutes of searching, I found out an endpoint which discloses private information of the experts registered there. A Submission was made and in under 24 hours, the security team made changes to the backend. Although the discovery of the bug is really easy, the severity produced by this broken endpoint is critical. The company security team considered this to be a ‘Major’ finding since important private information is leaked. Company X decided to give me monetary reward and recognition.

To conclude, starting in the bug bounty business is not easy. There is a lot of reading and practice needed. I started to seriously dive into this industry 3 months ago and received a lot of duplicates on Hackerone. Start low. Know all of the vulnerabilities out there and start learning one-by-one in details. Climb up the OWASP Top 10. Keep in mind what information are allowed to be publicly share and what information are supposed to be private. Remember, what’s done in the winter will show up in the summer!

Feel free to drop a comment and a like. Godspeed!