I hate Hackerone / X Website Vulnerability — Bug Bounty Hunter


Batuhan Aydın

Hi guys,

First of all, I’d like to say that in this text I’m going to describe a public vulnerability that you can exploit right now. I know that I might even get banned for this. But I’m tired of the feedback on my vulnerabilities. My hands and feet started shaking because of the absurdity of the following feedback I received as a result of the vulnerability I found on Twitter. I mean, accept the vulnerabilities we find; no one wants money, brother. I don’t want any money, do you understand? You have staff who cannot understand an obvious security vulnerability and they come and talk down to us. We are your employees, not your slaves. Stop treating us like your slaves. I understand that a lot of shitty people are writing shitty reports and reaching out to you and telling you nonsense. But there really is a vulnerability in the system itself and this is causing ethical hackers to go to the dark side day by day. Forgetting that we ethical hackers have rights and that there is labor and knowledge behind the vulnerabilities we send, you are rapidly turning bug bounty hunting, which used to be a real job, into a nonsensical form and into an area where companies advertise. My request to my hacker friends reading this article is to talk about this so that we can change something. Yes, I’m going to tell you about a CWE-200 case on X. The only thing you need to do to understand the vulnerability is to do what h1_analyst couldn’t do and follow the steps I give you one by one. The reason I’m posting this (I’m not anonymous and my identity is completely open) is that H1 said the vulnerability I reported is not a vulnerability and insultingly marked the vulnerability I found as N/A, as below. Since this will be closed immediately after publication, I don’t know if the vulnerability still exists as you are reading this, so let me add that and let’s get started. Let’s fuck.

What is CWE-200?

CWE-200 defines a class of vulnerability under the heading “Information Exposure” (exposure of sensitive information to an unauthorized actor). It occurs when a system discloses information that should not be visible to external users. For example, if an API discloses details about a user’s identity that should not normally be visible, that falls within this scope. Our case has a similar structure.
Since it is difficult to explain this in the abstract, we will go through it together in a practical way.

/Ihatehackerone/status/1739613703417344189

Now let’s do a little CTF here. I don’t want to give the domain directly, so discover the post from the path given above (yes, the company has too many lawyers). The flag is the username of the person who deleted the post. Those who find it can share it with a screenshot as a comment or share it on X. Let’s think of it like this: the post written here could have been written by anyone. A post that he now regrets, or, I don’t know, a post he wrote when he was drunk. He expressed his opinions and thinks that Twitter will protect him from the oppressive state, but when a screenshot of the post reached the state, the state investigated it, and the person had already deleted the post out of fear of the state. He thought that he didn’t leave any evidence here, that he was in no danger of being identified and that Twitter was protecting him. Let’s see if it protects him.
Now I want you to open your Burp Suite. You don’t have the account of the user ahmed, after all, right? Scroll down to the first link I gave you; the flag is hidden in that post.

While navigating to this address through Burp, turn on Intercept mode and proceed until you reach the endpoint I will show you.

The part shown above is an endpoint of the X GraphQL API; the client uses it to retrieve data from the system. Now let’s send this request to Repeater, send it, and examine the response.

As shown in the figure, GraphQL returned the endpoint’s output to us. I think we can find the flag by analyzing the output a bit. Have you found the flag? Now write the flag in the comments.
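The defensive counterpart to the walkthrough above and to the CWE-200 definition: a response-side check that flags author-identifying fields returned alongside a deleted-post tombstone, and a redaction step that strips them. This is an added example, not code from the original post or from X; the field names, the tombstone type names and the sample response are constructed assumptions, not X's real schema.

```python
import json

# Constructed sample response: a GraphQL-style result for a post the author deleted.
# The tombstone node still carries the author's profile data (the leak).
DELETED_POST_RESPONSE = json.loads("""
{
  "data": {
    "post_result": {
      "result": {
        "__typename": "PostTombstone",
        "tombstone": {"text": "This post was deleted by the author."},
        "legacy": {"id_str": "PLACEHOLDER_POST_ID"},
        "core": {"user_results": {"result": {"legacy": {
          "screen_name": "example_user", "name": "Example User"}}}}
      }
    }
  }
}
""")

# Assumed names; adapt to the schema under review.
TOMBSTONE_TYPES = {"PostTombstone", "TweetTombstone"}
IDENTITY_KEYS = {"screen_name", "name", "user_id", "rest_id", "email"}


def find_identity_leaks(node, path="$", in_tombstone=False):
    """Walk the JSON tree; return JSONPath-like locations of identity-bearing
    keys that sit anywhere beneath a deleted-post tombstone."""
    leaks = []
    if isinstance(node, dict):
        in_tombstone = in_tombstone or node.get("__typename") in TOMBSTONE_TYPES
        for key, value in node.items():
            child = f"{path}.{key}"
            if in_tombstone and key in IDENTITY_KEYS:
                leaks.append(child)
            leaks.extend(find_identity_leaks(value, child, in_tombstone))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_identity_leaks(item, f"{path}[{i}]", in_tombstone))
    return leaks


def redact_tombstone(node):
    """Return a copy where any tombstone result keeps only its type and the
    tombstone text, so no author metadata survives deletion."""
    if isinstance(node, dict):
        if node.get("__typename") in TOMBSTONE_TYPES:
            return {k: v for k, v in node.items() if k in ("__typename", "tombstone")}
        return {k: redact_tombstone(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_tombstone(item) for item in node]
    return node
```

Running `find_identity_leaks` over captured responses (for instance in a CI check against recorded API fixtures) catches this class of exposure before a deleted-post endpoint ships.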

Why did it happen like this?

It’s not the first time I’ve experienced this. I have dozens of vulnerabilities that I can now describe publicly that have not been acknowledged by HackerOne, and even though they haven’t been acknowledged, nobody has even bothered to fix them. I think this is a general problem now. Since the vulnerability here is not something very critical and the H1 analyst spoke to me in a very insulting, condescending and irrelevant way, I decided to publish this vulnerability publicly. I hope you will close it soon, X. By the way, Elon, please don’t sue me, I love you. Take care, see you in the next article, bye everyone.

Note: I had to redact the relevant areas because this website has too many lawyers. Please excuse me for this; unfortunately I don’t have an army of lawyers. If I am arrested, don’t forget to tag #freebatuhan. I love you all. I hope this article and others like it can help us make bug bounty happier in the future, in a better environment where we can actually work instead of being slaves.
