How I Found a Credential Exposure Bug on BBC.


Anirudh Srinivas Balaji

Hey all,

I’m a beginner in bug bounty hunting. Even though my bachelor’s was in electronics, I got fascinated with cyber security while reading about computer networks during my degree. As my interest grew after reading about networks, I started to read, practise and learn more about network security and web security. I was aware of bug bounties from reading articles about them, but at the start I was not confident I could find bugs if I was given a target. I’m not attracted to the bounties people post on social media, and I firmly believe that constant learning, perseverance and sharing whatever you’ve learnt with others matter in all walks of life. Imagine if Google Search was restricted only to the employees of Google :P, we wouldn’t be sitting here LOL.

After learning a bit, one fine day I thought I’d give it a try, and after a few attempts I got a lot of N/As and duplicates. I was fuming at myself, and I decided to improve my skills properly and come back to it later. When I started hunting for bugs again some time later, I picked a site that accepted bugs under its responsible disclosure policy, and I started with reconnaissance, as I had come across many articles stating that “reconnaissance is the first and foremost step in finding bugs on a target” (which is probably why there’s a tool named ReconFTW :P; credits to the author of the tool). After a few struggles and lessons, I was able to find low/medium severity bugs purely because of proper reconnaissance. (Note: both passive and active reconnaissance can be carried out, depending on the target’s scope and the technologies the target uses.)

One fine day, I got to know about BBC’s responsible security disclosure programme via LinkedIn and Twitter. I started googling the target and found their GitHub repository. I used GitHub dorks to check whether any sensitive information had been leaked in any of the repositories belonging to BBC, and to my surprise I found two valid sensitive credentials that had been committed to their repository. I immediately reported it to them. (Note: please make sure that the secrets you’ve found are valid and pose a significant risk to the organisation before reporting them.)
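The dorking step above is a GitHub code search for strings such as `password`, `api_key` or an `AKIA` key prefix in a target's repositories, followed by checking each hit for a live credential. The script below is an added example (my own code, not the author's and not anything from the BBC) of the same idea run offline over a constructed, in-memory mock of a repository: regexes for the kind of values dorks surface, a placeholder filter, and a Shannon-entropy check to drop low-entropy dummy values before you spend time validating them. The pattern names, file names and sample values (including AWS's publicly documented example key ID `AKIAIOSFODNN7EXAMPLE`) are all constructed for this illustration.

```python
"""Added example: an offline secret scanner in the spirit of GitHub dorking.

Everything here (patterns, sample files, placeholder list) is constructed for
illustration; it is not the author's dork list or any real repository content.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Regexes modelled on what dorks such as "api_key", "password", "AKIA" surface.
# These are this example's assumptions, not an authoritative detection list.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics (documented format).
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Assignment of a password/secret/api key/token in config or source.
    "generic_secret": re.compile(
        r"(?i)(password|passwd|secret(?:[_-]?key)?|api[_-]?key|token)\s*[=:]\s*['\"]?([^'\"\s]{6,})"
    ),
    # PEM private key header.
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are obviously placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)^(changeme|password|example|xxx+|\$\{.*\}|<.*>|your[_-].*)$")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan one file's text line by line and return candidate secrets worth validating."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            # The secret value is the last capture group, or the whole match if there is none.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if kind == "generic_secret":
                # Drop placeholders and low-entropy dummy values; these are the usual N/As.
                if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append(Finding(path, line_no, kind, value, round(shannon_entropy(value), 2)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: content} mapping, which stands in for a cloned repository."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed mock repository. The AKIA value is AWS's documented example key ID,
# not a real credential; the other values are made up.
SAMPLE_REPO = {
    "config/settings.py": "DEBUG = True\nDB_PASSWORD = 'changeme'\nSECRET_KEY = 'q7Rk2pL9xWv4nB8mZs3Td1Ye'\n",
    ".env.example": "API_KEY=<your-api-key>\nTOKEN=${TOKEN}\n",
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.value} (entropy {f.entropy})")
```

On the constructed repository this reports the high-entropy `SECRET_KEY`, the AWS key ID and the private key header, and silently drops `changeme`, `<your-api-key>` and `${TOKEN}`. The entropy threshold is a triage heuristic, not proof of anything: whether a candidate is actually live still has to be confirmed against the owning service, within the programme's scope, before it is reported.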

Timeline:

15th August 2021 - Found the issue and reported it to them.

18th August 2021 - Issue was fixed and I was added to their Hall of Fame page.

Hall of fame on BBC for reporting a credential exposure bug

References:

shifa123/githubdorks (dorks file, master branch) on GitHub (credits to shifa123)

“Your Full Map To Github Recon And Leaks Exposure” by Orwa Atyat, Medium (credits to Godfather Orwa)

Huge respect and grateful to the infosec community for helping out by sharing your experiences.
