Hello, I’m Manan Sanghvi. This is my second write-up, on how I hacked one of the biggest electronics brands (ethically), and it earned me 30 lakh Korean won (~$2259).
Before that, if you have not read my first write-up, In Under Age (<18), How I Hacked Multi-Billion-Dollar-Corp and got first 4 fig. $2600 Bounty!, it is here: https://medium.com/@manan_sanghvi/in-under-age-18-how-i-hacked-multi-billion-dollar-corp-and-got-first-4-fig-2600-bounty-d9ce97b3652e
Now, let’s begin.
I won’t reveal the name of the company I targeted this time because the security hole I found hasn’t been fixed yet, and it might take a while for them to patch it up. Plus, the data I accessed is quite sensitive. Anyway, this company is one of the biggest electronics brands globally. It has a bug bounty program, but unfortunately it doesn’t pay bounty rewards for security vulnerabilities in websites. It only pays for hacking hardware, firmware and their other products.
I found a way to access the sensitive PII of over 50,000 users with just one click and reported more than 10 High/Critical vulnerabilities. They initially weren’t going to pay me because of their policy. However, after some time, they agreed to pay me bounties for two of my reports.
Both vulnerabilities are Insecure Direct Object References (IDOR).
First Vulnerability:
I was fuzzing and analyzing the website manually, with my browser always proxied through Burp. While fuzzing each and every functionality, I found an endpoint:
GET /api/license/data?licenseId={5_digit_id}
I quickly sent this request to Burp’s Repeater tab.
It is very easy to guess because the web application generates sequential IDs for storing and fetching customers’ license information. So I just tried another ID, 65460 -> 62459, and it gave me other users’ sensitive data: reqUsername, reqEmail, issueToEmail, adminRegion, adminRegionName, accessIp, accountEmail, etc., and many more pieces of information.
These IDs start from 10000 and end at my latest ID, 62460. So approximately 50,000+ users’ PII was one click away; all it would take is an Intruder attack in Burp Suite.
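From the defender’s side, the pattern described above (one client walking through consecutive licenseId values and getting 200s back) is exactly what an access-log check should catch. The script below is an added example, not code from the original post or from the company: it parses Common Log Format lines, keeps only successful reads of the endpoint, and flags any client whose fetched IDs form a run of near-consecutive values. The log lines, IPs, timestamps and IDs are constructed for the example; the endpoint shape follows the write-up.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original post). The
# endpoint shape follows the write-up; IPs, timestamps and IDs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/license/data?licenseId=62460 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /api/license/data?licenseId=62459 HTTP/1.1" 200 790
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /api/license/data?licenseId=62458 HTTP/1.1" 200 801
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /api/license/data?licenseId=62457 HTTP/1.1" 200 799
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /api/license/data?licenseId=62456 HTTP/1.1" 200 805
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /api/license/data?licenseId=10471 HTTP/1.1" 200 780
10.0.0.9 - - [01/Jan/2024:10:05:10 +0000] "GET /api/license/data?licenseId=10471 HTTP/1.1" 200 780
10.0.0.9 - - [01/Jan/2024:10:06:00 +0000] "GET /api/license/data?licenseId=99999 HTTP/1.1" 404 0
"""

# Common Log Format: client ip, identd, user, [timestamp], "request line", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_requests(log_text):
    """Yield (ip, path, status) for every line that parses as Common Log Format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def longest_sequential_run(ids, max_gap=1):
    """Longest run of sorted IDs in which each neighbour differs by at most max_gap."""
    ordered = sorted(ids)
    if not ordered:
        return []
    best = cur = [ordered[0]]
    for prev, nxt in zip(ordered, ordered[1:]):
        # build a new list each step so `best` never aliases a later `cur`
        cur = cur + [nxt] if nxt - prev <= max_gap else [nxt]
        if len(cur) > len(best):
            best = cur
    return best


def find_enumerators(log_text, endpoint="/api/license/data", id_param="licenseId",
                     min_distinct=5, max_gap=1):
    """Return {ip: [ids]} for clients that successfully fetched a run of at
    least min_distinct near-consecutive object IDs from `endpoint`."""
    id_re = re.compile(re.escape(id_param) + r"=(\d+)")
    ids_by_ip = defaultdict(set)
    for ip, path, status in parse_requests(log_text):
        if status != 200 or not path.startswith(endpoint):
            continue  # only count reads that actually returned a record
        m = id_re.search(path)
        if m:
            ids_by_ip[ip].add(int(m.group(1)))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = longest_sequential_run(ids, max_gap)
        if len(run) >= min_distinct:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(run)} sequential IDs {run[0]}..{run[-1]}")
```

The same function works for the second endpoint in this post by passing endpoint="/api/qna" and id_param="qnaId". Counting only 200 responses matters: a legitimate user re-reading their own record many times (10.0.0.9 above) never produces a run, while a sweep does, regardless of how slowly it is paced.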
Second Vulnerability:
After finding the first vulnerability, I felt like I shouldn’t stop hunting. It seemed like the developers kept making the same silly mistake over and over again.
So I started fuzzing more endpoints, and eventually I found another one:
GET /api/qna/{id}?qnaId={id}
I quickly sent the request to the Repeater tab.
In this request you can see there are two IDs, one in the URL path and one in the qnaId parameter, and both are the same. When I changed the qnaId value, I got another user’s Q&A communication with the company.
This ID is also easily guessable, just like in the previous vulnerability. So I changed qnaId=10171 to qnaId=10170, and just like that, I got access to another user’s sensitive data and their communication with the company.
The data included critical information like reqTitle, reqContents, reqEmail, reqUsername, accountId, accountType, region, and many other details.
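Both endpoints share the same root cause: the handler authenticates the caller but then fetches whatever record the client-supplied ID names, without checking that the record belongs to that caller. The code below is an added example, not code from the original post or from the company, showing the vulnerable lookup beside its fixed form for both endpoints, plus a small regression check that counts how many records a given session can read. The Session class, the in-memory LICENSES and QNA tables, and all IDs and values are constructed for the example; only the field names follow the write-up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """The authenticated caller; in a real app this comes from the session cookie."""
    account_id: str
    is_admin: bool = False


# Constructed sample records (not from the original post). Field names follow
# the ones listed in the write-up; the values and IDs are made up.
LICENSES = {
    62460: {"accountId": "acct-1", "reqUsername": "alice", "accountEmail": "alice@example.com"},
    62459: {"accountId": "acct-2", "reqUsername": "bob", "accountEmail": "bob@example.com"},
}
QNA = {
    10171: {"accountId": "acct-1", "reqTitle": "Warranty question", "reqContents": "..."},
    10170: {"accountId": "acct-2", "reqTitle": "Refund request", "reqContents": "..."},
}


def owns(session, record):
    """Object-level authorization: the record belongs to the caller, or the caller is staff."""
    return session.is_admin or record["accountId"] == session.account_id


def get_license_vulnerable(session, license_id):
    """Before: authenticated, but the lookup is keyed on the client-supplied id alone."""
    record = LICENSES.get(license_id)
    return (404, None) if record is None else (200, record)


def get_license(session, license_id):
    """After: a record the caller does not own is reported exactly like a missing one,
    so the endpoint neither leaks the data nor confirms that the id exists."""
    record = LICENSES.get(license_id)
    if record is None or not owns(session, record):
        return (404, None)
    return (200, record)


def get_qna(session, path_id, qna_id):
    """Hardened GET /api/qna/{id}?qnaId={id}: the two ids must agree (so there is
    no ambiguity about which one is authoritative) and the record must be the caller's."""
    if path_id != qna_id:
        return (400, None)
    record = QNA.get(qna_id)
    if record is None or not owns(session, record):
        return (404, None)
    return (200, record)


def count_readable(handler, session, ids):
    """Regression check: how many of `ids` does `handler` hand to this session?
    For a non-admin this should equal the number of records they own."""
    return sum(1 for i in ids if handler(session, i)[0] == 200)


if __name__ == "__main__":
    alice = Session("acct-1")
    print("vulnerable:", count_readable(get_license_vulnerable, alice, LICENSES))
    print("fixed:     ", count_readable(get_license, alice, LICENSES))
```

The important design choice is that the ownership condition lives in the lookup itself rather than in a separate check that each new endpoint has to remember to call; a query scoped as "WHERE id = ? AND account_id = ?" gives the same guarantee in a real database. Returning 404 for both "not yours" and "does not exist" also stops the sequential ID space from being mapped one request at a time.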
After reporting these vulnerabilities, I got an email from the company:
I got 15,00,000 + 15,00,000 Korean won (~$2259) for these 2 reports.
Conclusion:
These vulnerabilities, known as Insecure Direct Object References (IDOR), allowed unauthorized access to sensitive user information with relative ease. By highlighting these flaws, I not only helped to safeguard the privacy and security of over 50,000 users but also underscored the importance of thorough security testing and remediation in protecting digital assets against potential threats. And yes, it was worth my hard work and got me a $2259 bounty.