I found a simple but rare misconfiguration and got $200 on a HackerOne program

7 months ago 38

Harish

Hi bug bounty hunters. I'm Harish, a budding bug bounty hunter. This is my third valid bug on the HackerOne platform. Let's dive into the blog.

I can't disclose the program name, so I'll call it example.com. The subdomain https://itdeaddrop.example.com has a feature to send encrypted messages protected by an access link and a password. The website claims that even if the device or the messaging platform is compromised, the encrypted messages can't be leaked. To protect the encrypted messages, the website takes some security measures. They are:

Your encrypted message is stored for 24 hours, then deleted

They state: "Your encrypted message is stored for 24 hours, then deleted". I checked this feature: after 3 days I opened the link and the encrypted data was still there, not deleted. Due to a misconfiguration, the server keeps the user's data instead of deleting it after 24 hours.

At first, I thought this misconfiguration had no security impact. The next day, I got an idea for how to present this bug as a low-impact issue. User A creates a link and password and sends them to user B via a messenger app (like WhatsApp, Telegram, etc.). If user B is not online or forgets to open the link within 24 hours, user B won't use the link or delete the messages from the messenger app, because user B believes the link already expired after 24 hours. So it seems a waste of time to open the link after 24 hours and unnecessary to delete the link and password. If user B's messenger app or device is later compromised, the hacker is able to read the messages from the link because the data was not deleted within 1 day.

Reporting plays a major role in this vulnerability, because at first the security team didn't accept it as a valid bug. I made a clear report with an attack scenario and impact. After a few days of testing and conversation, they accepted it as a low-severity bug and awarded me $200.
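For developers building a similar feature, here is a sketch of how the advertised 24-hour retention can be enforced on every read rather than only by a cleanup job, with an audit helper that flags records kept past their deadline. This is an added example, not the program's code; the class, method names and in-memory storage are assumptions.

```python
import secrets
import time

TTL_SECONDS = 24 * 60 * 60  # retention period the site advertises


class DeadDropStore:
    """Hypothetical in-memory store; names are assumptions, not the program's code."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._items = {}      # token -> (ciphertext, expires_at)

    def put(self, ciphertext: bytes) -> str:
        token = secrets.token_urlsafe(16)
        self._items[token] = (ciphertext, self._clock() + TTL_SECONDS)
        return token

    def get(self, token: str):
        """Return the ciphertext, or None if the token is unknown or expired.

        Expiry is checked on every read, so a stalled cleanup job cannot
        leave an old link readable. Expired data is deleted on the spot.
        """
        item = self._items.get(token)
        if item is None:
            return None
        ciphertext, expires_at = item
        if self._clock() >= expires_at:
            del self._items[token]
            return None
        return ciphertext

    def purge_expired(self) -> int:
        """Scheduled cleanup: delete everything past its deadline."""
        stale = self.overdue()
        for token in stale:
            del self._items[token]
        return len(stale)

    def overdue(self):
        """Retention audit: tokens still stored after their deadline."""
        now = self._clock()
        return [t for t, (_, exp) in self._items.items() if now >= exp]
```

A non-empty `overdue()` result in monitoring means the cleanup job has stopped doing its work, which is the condition described in this post.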
