ISRO: YouTube Broken Link Hijack

Hello Hackers, Today in this write-up I am going to discuss very quick and easy bug broken link hijacking and how I got acknowledge from NCIIPC for finding Youtube Broken Link Hijack vulnerability in ISRO. This bugs are consider as low but if it is not in out of scope for the program then you should invest your time in finding this bug to at least get hof.

Note: Those who already know about this vulnerability can skip the introduction part and directly see how this can lead me to acknowledgement by NCIIPC.

What is Broken Link Hijacking? 🤔

Broken Link Hijacking (BLH), also known as Dangling Domain or Domain Takeover, occurs when a domain or subdomain linked in a web application is no longer owned by the original entity and becomes available for anyone to register. If these broken links are critical to the application’s functionality (such as hosting scripts, images, or style sheets), an attacker who registers the domain can inject malicious content into the web app, effectively “hijacking” the link.

How I found Broken Link Hijack in ISRO? 🧐

When I see other peoples are getting acknowledgement from NCIIPC so I quickly visit their site and gather all the necessary information about how to submit the bug and all the stuffs. If you don’t know about NCIIPC then let me tell you if you found any vulnerability in site of gov.in then you can submit bug through NCIIPC and as a reward they will acknowledgement your efforts and if you found a vulnerability at a scale then you will also get hof.

You can visit below link for more details:https://nciipc.gov.in/RVDP.html

I am very well used to with manual hunting so I don’t know any tools to find this vulnerability but if you know then let me know in comment section.

I personally like google dorking more, so during google dorking I found a isro website. However this vulnerability is no longer exists. This is the website of ISRO:

If you want to learn more about google dorking please check out an amazing articles made by AbhirupKonwar bhaiya.

so as I open every website which I found during google dorking to see what I can do in the website & whether the website is static or dynamic and that’s sort of thing I open the ISRO website and just scroll down the website and I see the some external links of X, facebook, youtube, instagram something like this:

Now I open every link and I find-out that youtube link and to my surprise it was not register and I see this page:

So I quickly go to my youtube setting and simply change my youtube handle to that unregistered youtube channel of the isro:

and when you click on that tiny youtube icon it redirect to my youtube channel and I am really happy that I found broken link hijack vulnerability in ISRO 😀

After researching about how can I submit the bug to ISRO? I finally come with some articles that people reported their bug to NCIIPC because ISRO doesn’t have any VDP or RDP program so I also do that thing. I also submitted bug to NCIIPC and after reviewing my report they finally acknowledgement my finding.

You can find out more disclosed reports on broken link hijack vulnerability by simply this google dorks:

That’s it for today and thank you for reading. please clap if you found this write-up useful and follow for more.

Other articles which might helpful to you: