Hunting Bugs for RE Hunter 350

Hola hackers, I am back with a new bug bounty write-up, or rather, a story. It’s been 6 months since I bought a bike, the RE Hunter 350, with my bounty. So, I thought let’s write a story behind it. In July 2023, I thought about buying a bike, and buying things with bounty hits differently. So, I started hunting for it.

I choose 2 programs(Program A and Program B) from Hackerone. Both company has a bug bounty program on Hackerone. I will be using redacted.com as the main domain.

Program A: The company is a technology platform through which customers book different types of services.

Program B: The company is an ads and campaign service provider for the mobile application.

I have a full-time job as a Security Engineer. So, I only used to hunt for bugs on weekends or holidays.

List of Bugs I found

PII Disclosure – $750Emergency Contact Number Disclosure — $250Privilege Esclation — $100Default Admin Credential – $500Phone Number and personal Email Disclosure — $ 500Create competitor rules in other customer account – $750

I have already written a detailed writeup for 1st and 4th bugs in a separate blog. Both the bugs are on Program A. Here is the link for same PII Disclosure and Default Admin Credential

So let’s dive into the remaining

Emergency Contact Number Disclosure — $250

This issue was found in Program A. www.redacted.com and api.redacted.com are in scope. As usual, I started exploring the application and capturing every request in the proxy tool burp suite. redacted.com is the main domain but all the traffic routes through api.redacted.com. There is a feature for adding reviews to the services I used. I have added a review to the service and intercepted the request in the burp suite, a API call is made to endpoint/api/v2/growth/review/addRatings. I notice that in response the emergency contact number of the service provider is disclosed.

I quickly reported this issue to the security team through Hackerone. The Company fixed the issue and rewarded a bounty of $250.

Privilege Escalation — $100

This issue was found in Program B. There are multiple roles on the platform. I signed up with an admin role and added a user with a role that only had the privilege to access the analytics dashboard. Whenever I hunt for privilege escalation issues, I click on every option and perform each operation with the admin role, then repeat the same using the lower privilege role.

There is a feature on the platform where we can see the status and lower privilege users don’t have access to it. I have opened the API endpoint with the lower-privilege user and can see the information. The status is not having any sensitive data, so the company decided to reward a bounty of $100.

Phone Number and personal Email Disclosure — $ 500

This issue was found in Program A. www.redacted.com and api.redacted.com are in scope. redacted.com is the main domain but all the traffic routes through api.redacted.com.

There is a feature to track your delivery partner. When you track a delivery partner for the service you booked, a POST request to the API endpoint /api/v2/marketplace/delivery/trackPartner with the request body {"customer_request_id":"booking_id","refresh_path":true} is used to track the partner. This API endpoint exposes more information than just the tracking details. The response from the API endpoint disclosed the service provider's email and home address.

I reported this issue to the security team through Hackerone. The Company fixed the issue and rewarded a bounty of $500.

Create competitor rules in other customer account — $750

This issue was found in Program B. There is a feature on the platform where you can create custom rules to flag your competitors in Competitor Settings at https://dash.redacted.com/o/adreview/manage/competitors/<account_id>. In Competitor Settings you can see all the created rules and can create new rules. When you visit the url https://dash.redacted.com/o/adreview/manage/competitors/<account_id> a GET request is also made to endpoint https://prod-dash.re.redacted.com/manage/competitors/<account_id>?r=2&data=XXXXXXXX . When you open https://prod-dash.re.redacted.com/manage/competitors/<account_id>?r=2&data=XXXXXXXX you can see all the rules and can also create new rules.

There is no authorization check on the endpoint https://prod-dash.re.redacted.com/manage/competitors/<account_id>?r=2&data=XXXXXXXX means any user can view and add rules in another customer account by directly browsing the endpoint https://prod-dash.re.redacted.com/manage/competitors/<account_id>?r=2&data=XXXXXXXX. Here the attack complexity is a bit high as you need the value of data of the victim account.

I reported this issue to the security team through Hackerone. The Company fixed the issue and rewarded a bounty of $750.

In 4 months, I reported 6 bugs and earned a total of $2,850 which is enough to buy an RE Hunter 350.

On the auspicious day of Dhanteras 2023. yayyy

Thanks for reading, hope you learned something new. Do clap and share if you like. Be fearless and Happy Hacking!

Twitter: 7he_unlucky_guy
Linkedin: Vijeta