Hey everyone, welcome to a not-so-common story of the US DoD VDP.
If you are here, make sure to read the full story and, most importantly, why you should never give up and should try at least one last time; no one knows, it may work for you.
Recently I was exploring the US DoD (Department of Defense) VDP, trying to gain some reputation points on HackerOne before starting out with much more hardened targets like BBPs.
Just like any other hunter, I started to look for domains which belonged to the DoD. The .mil top-level domain is reserved exclusively for United States Department of Defense organizations.
So I thought, why not start with Google Dorks?
Site:*.mil "ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx"
Tons of files were listed; now there would be sensitive information in there, but being lazy I tried another dork :)
site:*.mil "docs.google.com/spreadsheets"
Started to check each link manually, and after a few minutes got some kind of manual checklist which contained a link to a Google spreadsheet.
Clicked on the link and …………
BOOM! Got unrestricted access to a Google Spreadsheet of an Air Force base ledger which contained the details of who, when, where and why for every reason listed to leave or enter the base, updating in real time.
Delete the data, modify the data … everything was possible.
Reported to US DoD through HackerOne :)
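The root cause here is a sheet shared with "anyone with the link" whose link sits inside a document that search engines can index. Below is an added example (not code from the post or from any DoD programme) of how a defender can audit their own published documents for this pattern: pull out every Google Sheets ID, fetch each sheet once anonymously, and flag the ones that render without a sign-in. The document names, sheet IDs and responses are constructed placeholders, and the classification rests on an assumption, stated in the code, that a restricted sheet redirects anonymous visitors to a Google sign-in page while a link-shared one returns HTTP 200 on docs.google.com.

```python
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

# Google Sheets links look like https://docs.google.com/spreadsheets/d/<id>/...
SHEET_LINK_RE = re.compile(r"https?://docs\.google\.com/spreadsheets/d/([A-Za-z0-9_-]+)")


def extract_sheet_ids(text: str) -> list[str]:
    """Return distinct spreadsheet IDs referenced in a document, in order of first appearance."""
    ids: list[str] = []
    for match in SHEET_LINK_RE.finditer(text):
        sheet_id = match.group(1)
        if sheet_id not in ids:
            ids.append(sheet_id)
    return ids


def canonical_sheet_url(sheet_id: str) -> str:
    """Rebuild one normalised URL per sheet so each sheet is fetched once however it was linked."""
    return f"https://docs.google.com/spreadsheets/d/{sheet_id}/edit"


@dataclass
class FetchResult:
    """What an unauthenticated GET of the sheet URL returned, after following redirects."""
    status: int
    final_url: str


def classify_sharing(result: FetchResult) -> str:
    """Classify the sharing state implied by an anonymous fetch.

    Assumption (not taken from the post): a sheet restricted to named accounts
    redirects anonymous visitors to a Google sign-in page, while a sheet shared
    with "anyone with the link" renders with HTTP 200 on docs.google.com.
    """
    host = urlparse(result.final_url).hostname or ""
    if host == "accounts.google.com":
        return "restricted"
    if result.status == 200 and host == "docs.google.com":
        return "anyone-with-link"
    if result.status == 404:
        return "missing"
    return "unknown"


def audit_documents(docs: dict[str, str], fetch: Callable[[str], FetchResult]) -> dict[str, dict]:
    """Scan each published document for sheet links and report every sheet's sharing state.

    `fetch` is injected so the audit runs offline here; in production it would be an
    HTTP client doing an unauthenticated GET with redirects followed.
    """
    report: dict[str, dict] = {}
    for doc_name, text in docs.items():
        for sheet_id in extract_sheet_ids(text):
            entry = report.setdefault(sheet_id, {"referenced_by": [], "sharing": None})
            entry["referenced_by"].append(doc_name)
            if entry["sharing"] is None:
                entry["sharing"] = classify_sharing(fetch(canonical_sheet_url(sheet_id)))
    return report


# Constructed sample input: two "published" documents with embedded sheet links (placeholder IDs).
SAMPLE_DOCS = {
    "gate-procedures.pdf": "Step 4: record the visit in the tracker at "
                           "https://docs.google.com/spreadsheets/d/EXAMPLE_LEDGER_ID/edit#gid=0 before ...",
    "training-checklist.docx": "Roster: https://docs.google.com/spreadsheets/d/EXAMPLE_ROSTER_ID/view\n"
                               "Also see https://docs.google.com/spreadsheets/d/EXAMPLE_LEDGER_ID/edit",
}

# Constructed stand-in for the network: what an anonymous GET of each sheet would have returned.
SAMPLE_RESPONSES = {
    canonical_sheet_url("EXAMPLE_LEDGER_ID"): FetchResult(
        200, "https://docs.google.com/spreadsheets/d/EXAMPLE_LEDGER_ID/edit"),
    canonical_sheet_url("EXAMPLE_ROSTER_ID"): FetchResult(
        200, "https://accounts.google.com/v3/signin/identifier?continue=PLACEHOLDER"),
}


def offline_fetch(url: str) -> FetchResult:
    return SAMPLE_RESPONSES.get(url, FetchResult(404, url))


def run_sample_audit() -> dict[str, dict]:
    return audit_documents(SAMPLE_DOCS, offline_fetch)


if __name__ == "__main__":
    for sheet_id, entry in run_sample_audit().items():
        flag = "EXPOSED" if entry["sharing"] == "anyone-with-link" else "ok"
        print(f"{flag:8} {sheet_id}  linked from {', '.join(entry['referenced_by'])}")
```

Running this over a real document set means swapping `offline_fetch` for an HTTP client that does not carry any Google session cookie, otherwise a restricted sheet will render for the auditor and be misreported as safe; the "referenced_by" list tells the document owner which files need the link removed or the sheet's sharing tightened.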
After reading this I was like …
Report got closed as P5; added a comment so that the report would get reviewed again …
No reply for a week from the triager. Now I had two options:
Bring this out into the public domain, as it was not considered sensitive enough :)
Or else, let's try some other approach: reported this to US-CERT (Computer Emergency Response Team) and waited for their perspective on it. I was not that hopeful, to be honest.
Meanwhile, started to do OSINT (Open Source Intelligence) on the persons; interestingly, found one of them was having a marriage, so from that information found their marriage website, whom they were marrying, who was in the family … etc. etc.
I was laughing out loud while doing this, just imagining that's the basic stuff state adversary groups would find interesting. If you know, you know :)
A notification popped up in my mail from HackerOne: US DoD had reopened the report and acknowledged the fact that it indeed was a valid security issue.
The report was re-opened and the vulnerability was fixed.
Moral of the Story:
Believe in yourself as well as the bug you found. Indeed, US-CERT helped in the process, but the ultimate decision to fix the issue remained with US DoD.
I hope you learned something valuable from this story of P5 to P3.
Bye Bye!!