How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores


Prateek Tiwari

Recon never ends! You have to be creative and figure out a way in which you can extend your research and sharpen your skills. I believe that finding vulnerabilities in the bug bounty program is probably easy but the main trick lies in the reconnaissance phase.

After giving a lot of thought, a couple of things hit my mind, and I immediately decided to put a rough sketch altogether:


This is a list of commonly used services. Almost 99% of companies use these, so I decided to give it a try and find out whether anyone had leaked credentials for these services anywhere. My research was not restricted to, or focused on, any specific program, be it Samsung or any other. I stick to research ethics while working on research and looking for credentials of the basic services that all tech and non-tech folks work with, across all organizations (small, medium or multinational).


Amongst the above, Papaly seemed an interesting research topic based on my observations.

What’s Papaly?

Papaly is a tool for saving and organizing links (“bookmarks”). Bookmarks are organized into collections called boards. You can have any number of boards. Each bookmark belongs to a category within the board. A Papaly board can either be public or private.

Did someone mention public board?

I can already smell what was about to come.

site:papaly.com bitbucket

This resulted in quite a few public boards where people had bookmarked Bitbucket instances along with credentials 😲. After looking over each board, I stumbled upon one which belonged to a Samsung engineer. And what was next?


Bitbucket credentials were exposed on a public board, and the account did not have 2FA enabled, which gave access to their production Bitbucket instance. Needless to say, this would have been far worse had it fallen into the wrong hands.

Security is your responsibility: enable 2FA at the org level for your repositories.

Avoid using the same passwords across accounts; use password managers instead.

Shortcuts are fancy but risky: don't store passwords locally or on the Internet.

Takeaways are endless, but self-awareness is the virtue!

Using other passive sources, I encountered credentials of various services pertaining to different organizations out of which I was able to approach those who had a Bug Bounty Program.

What’s important?

Sharing results isn't what matters, but sharing the approach is, isn't it?

IMO, Yes, it is!


The keywords can be anything, like “bitbucket pass”, “trello password”, “asana passwd”, “jira pwd”, “company secrets”, “company sendKeys”, etc.

site:coggle.it "companyname" → Using this, I’ve found internal flowcharts which on a few occasions contained credentials.

site:scribd.com "companyname" → This turned up a PDF file of a company, wherein their engineer had prepped something for an internal workshop, which contained links to their internal dashboards (which were not internal 😊).
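The flip side of the searches above is that a security team can run the same kind of check against its own material before it ever becomes public. The Python script below is an added example, not code from the original post or from any of the tools mentioned: it scans an exported set of bookmarks and notes for credential-shaped content (a password embedded in a URL's userinfo, a secret passed as a query parameter, or "password: …" written into a note) and reports each hit with the secret redacted. The export format and every entry in it are constructed for the example.

```python
"""Scan an exported set of bookmarks/notes for credentials that should never be there."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample export (not real data): the shape a bookmark/board tool might
# produce when a board is exported as text, one entry per blank-line-separated block.
SAMPLE_EXPORT = """\
title: Team wiki
url: https://wiki.example.com/home
note: onboarding docs

title: Bitbucket prod
url: https://svc-deploy:Summer2019!@bitbucket.example.com/scm/prod
note: deploy account

title: Jira
url: https://jira.example.com
note: jira password: Welcome1 (ask ops before changing)

title: Dashboard
url: http://dash.example.com:8080/login?user=admin&password=admin123
note: temporary, remove later
"""

# Query-string parameter names that commonly carry a secret.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key", "apikey"}

# "password: hunter2", "pwd=..." and similar in free text (titles, notes).
KEYWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd|pass|secret|token)\b\s*[:=]\s*(\S+)")


def parse_entries(text):
    """Parse blank-line-separated 'key: value' blocks into a list of dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def redact(secret):
    """Keep only the first character so a finding is reviewable without re-exposing the value."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_leaks(entries):
    """Return (kind, title, detail) findings for credential-like content in each entry."""
    findings = []
    for entry in entries:
        title = entry.get("title", "<untitled>")
        url = entry.get("url", "")
        if url:
            parts = urlsplit(url)
            # 1. Credentials embedded in the URL userinfo: scheme://user:pass@host/...
            if parts.password is not None:
                findings.append(("url-userinfo", title,
                                 f"user={parts.username} password={redact(parts.password)}"))
            # 2. Secrets passed as query parameters: ...?password=...
            for name, values in parse_qs(parts.query).items():
                if name.lower() in SECRET_PARAMS:
                    findings.append(("url-query-param", title, f"{name}={redact(values[0])}"))
        # 3. "password: xyz" style text in the human-written fields
        for field in ("title", "note"):
            for match in KEYWORD_RE.finditer(entry.get(field, "")):
                findings.append(("keyword-adjacent", title,
                                 f"{field}: {match.group(1)}={redact(match.group(2))}"))
    return findings


def report(findings):
    """One human-readable line per finding."""
    return [f"[{kind}] {title}: {detail}" for kind, title, detail in findings]


if __name__ == "__main__":
    for line in report(find_leaks(parse_entries(SAMPLE_EXPORT))):
        print(line)
```

Run on the constructed export it flags three of the four entries (the wiki bookmark is clean). The URL checks are structural rather than keyword-based on purpose: a password in userinfo or a query string is a leak regardless of what the surrounding text calls it, and the keyword regex only has to cover the free-text fields.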

It’s all about being creative. Recon goes on and on!

16th June, 2019 — Reported to Samsung

17th June, 2019 — Report Triaged

19th June, 2019 — Issue fixed

20th June, 2019 — Rewarded by Samsung

Thank you all for taking the time to give this a read.

Happy hacking!

https://twitter.com/prateek_0490
https://hackerone.com/prateek_0490