How I Bagged $300 for a Sneaky yet Simple Bug


thedevtask

Bug bounty hunting is a mix of patience, curiosity, and a bit of luck. One evening, while casually poking around a contact form on a platform, I stumbled upon something that made my hacker instincts tingle. A small tweak in the URL, and boom — an email injection vulnerability worth $300 was staring right at me.

I was playing with a standard contact form, filling in the usual details, when a thought struck me: What happens if I manipulate the URL? So, I added ?email=attacker@example.com to the end of it. The form didn’t blink. No error, no warning—just silent compliance.

But the real shocker? The email field didn’t even show up on the contact page. Instead, any message sent through this form was secretly redirected to my injected email address.

That’s when I knew: this wasn’t just a harmless quirk — it was a bug with serious security implications.

Think about it: If an attacker crafted a malicious link and tricked a user into clicking it, any communication sent through this form — bug reports, personal inquiries, internal discussions — could be hijacked. A simple trick, yet a devastating breach of privacy and security.

I reported the bug, outlining how someone could manipulate email forwarding in a way that shouldn’t have been possible. A few days later, the response came in: confirmed, fixed, and rewarded with a $300 bounty. Not bad for a little URL magic, right?

Bugs like these are often hidden in plain sight. Always test form parameters beyond the UI, dig into the backend logic, and never assume that a simple input field behaves the way it should. And if you’re on the other side — writing the code — never trust user input blindly!
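For the developer side of that advice, here is an added example (not code from the platform in this story, whose stack the post does not describe) showing the pattern behind the bug next to a hardened version. The topic-to-recipient map, field names, and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed configuration (assumption): the server owns the recipient list.
RECIPIENTS = {"support": "support@example.com", "security": "security@example.com"}
DEFAULT_TOPIC = "support"
ALLOWED_FIELDS = {"name", "message", "topic"}  # fields the rendered form really has


class RejectedSubmission(ValueError):
    """Raised when a request carries input the form never offered."""


def recipient_vulnerable(url, form):
    # Pattern from the post: a hidden 'email' parameter, if present in the
    # query string, silently replaces the intended destination.
    query = parse_qs(urlsplit(url).query)
    return query.get("email", [RECIPIENTS[DEFAULT_TOPIC]])[0]


def recipient_hardened(url, form):
    # 1. Refuse parameters the form does not define, instead of ignoring them.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    unexpected = sorted((set(query) | set(form)) - ALLOWED_FIELDS)
    if unexpected:
        raise RejectedSubmission("unexpected parameters: " + ", ".join(unexpected))
    # 2. The client may pick a topic key, never an address.
    topic = form.get("topic", DEFAULT_TOPIC)
    if topic not in RECIPIENTS:
        raise RejectedSubmission("unknown topic: %r" % topic)
    return RECIPIENTS[topic]


if __name__ == "__main__":
    # Constructed sample requests.
    crafted = "https://site.example/contact?email=attacker@example.com"
    form = {"name": "Alice", "message": "Found a bug", "topic": "security"}
    print(recipient_vulnerable(crafted, form))
    try:
        recipient_hardened(crafted, form)
    except RejectedSubmission as exc:
        print("rejected:", exc)
    print(recipient_hardened("https://site.example/contact", form))
```

Logging each RejectedSubmission along with the referrer gives defenders a signal that crafted links to the form are in circulation.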
