Introduction
When I started my journey as a Bug Bounty Hunter, I started off with a platform called HackerOne. I was finding bugs in the different categories of websites that exist on the platform itself (called Programs) and hunting on them. After that, I thought of using Twitter as a good way to connect with other hackers in the cybersecurity circle who are doing bug hunting as well. I found a few of them from my country (Tanzania), plenty from our neighboring country (Kenya), and some of these hackers have even attended big events. However, while I did receive my first bounty about two months into bug hunting, I witnessed several scam programs as well. This newsletter will show why it’s not worth performing bug hunting, especially for big companies that promise big bounties, and how these programs scam security researchers.
Other security researchers who get good bounties claim that the researchers who say they are being scammed are probably filing reports that don’t meet the requirements of the bug bounty program. This write-up shines the light necessary to understand that the researchers who say they are being scammed actually are being scammed, with disclosure of full PoCs and evidence marking and representing the fraud that’s present in these programs. This write-up will clear all doubts of every researcher, regardless of the risks involved, so that the light is truly shed and the truth is known to the public about what these bug bounty programs do.
The entire story
Everything started off properly when performing my regular bug hunting, including being added to the first section of the Hall of Fame in a Bug Bounty Program on the YesWeHack platform (which is the only platform I trusted); another one I used was Open Bug Bounty as well. However, things got really serious when it came to using Bug Crowd and HackerOne.
A few days after getting added to a Bug Bounty group on Discord by a Kenyan friend of mine, he referred me to a Bug Bounty Program on the HackerOne platform called Circle. I thought that this would be good grounds for actually performing some real bug hunting, because it was a program that’s still in Beta and most probably has bugs everywhere, so we proceeded to perform our hacking. I found a vulnerability within the system that resulted in an account takeover of an Administrator account. Such vulnerabilities are considered P1, or in other words critical vulnerabilities, and the program was promising about $10,000 for this vulnerability, which I was able to exploit. However, they went ahead and marked it as a duplicate of an informational report that has no impact at all (which means it isn’t classified as P1 or anything else), and the quotation the analyst used for the report stated that the report it was marked a duplicate of was actually about Session Hijacking, which is completely different from the IDOR + Access Control Violation combined that I managed to exploit.
How was this vulnerability exploited?
The PoC for this vulnerability was easy. All I had to do was enumerate the User ID of the Administrator account and use a low-privileged account (with a Viewer role) to change its password. This then leverages the account takeover: the Viewer account logs into the Administrator account and gains full access to it. This is nowhere close to the session hijacking that the analyst mistook it for.
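To make the gap concrete from the defender’s side, here is an added illustration (my own example for this write-up, not Circle’s code) of why a password change like the one above works: the handler authenticates the caller but never checks that the target record belongs to the caller. The hardened version adds that object-level check and a re-authentication step. The user records, role names and passwords are constructed for the example; the same missing check is the root of the dashboard IDOR discussed in the AI Bug Bounty section later on this page.

```python
"""Added illustration of the object-level authorization gap behind an IDOR
password change. Not Circle's code: the handlers, user records and role
names are constructed for the example."""
import hashlib
import secrets
from dataclasses import dataclass


class AuthzError(Exception):
    """Raised when the hardened handler refuses a request."""


@dataclass
class User:
    user_id: int
    role: str            # constructed roles: "admin" or "viewer"
    password_hash: str   # stored as "salt$pbkdf2-hex"


def hash_password(password: str, salt: str = "") -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is generated when none is given."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)
    return f"{salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt = stored.split("$", 1)[0]
    return secrets.compare_digest(hash_password(password, salt), stored)


def fresh_users() -> dict:
    """Constructed tenant: one administrator (id 1) and one viewer (id 2)."""
    return {
        1: User(1, "admin", hash_password("admin-original")),
        2: User(2, "viewer", hash_password("viewer-original")),
    }


def change_password_vulnerable(users, session_user_id, target_user_id, new_password):
    """Authenticates the caller (a session exists) but never checks that the
    target record belongs to the caller, so any logged-in account can reset
    any other account's password just by supplying that account's user_id."""
    if session_user_id not in users:
        raise AuthzError("not logged in")
    users[target_user_id].password_hash = hash_password(new_password)
    return True


def change_password_hardened(users, session_user_id, target_user_id,
                             new_password, current_password):
    """Object-level check: the session owner may only change its own password,
    and must re-authenticate with the current one before doing so."""
    actor = users.get(session_user_id)
    if actor is None:
        raise AuthzError("not logged in")
    if actor.user_id != target_user_id:
        raise AuthzError("cannot change another user's password")
    if not verify_password(current_password, actor.password_hash):
        raise AuthzError("current password incorrect")
    actor.password_hash = hash_password(new_password)
    return True


def demo() -> dict:
    """The viewer (id 2) tries to reset the admin (id 1) through each handler."""
    users = fresh_users()
    change_password_vulnerable(users, session_user_id=2, target_user_id=1, new_password="owned")
    takeover = verify_password("owned", users[1].password_hash)

    users = fresh_users()
    try:
        change_password_hardened(users, 2, 1, "owned", "viewer-original")
        blocked = False
    except AuthzError:
        blocked = True
    admin_intact = verify_password("admin-original", users[1].password_hash)

    # The legitimate path still works: the viewer changes its own password.
    self_change = change_password_hardened(users, 2, 2, "viewer-new", "viewer-original")
    return {"vulnerable_allows_takeover": takeover,
            "hardened_blocks_takeover": blocked,
            "admin_password_intact": admin_intact,
            "owner_self_change_ok": self_change}


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is that the role of the caller never even has to be consulted: comparing the session’s user id with the target id is the check that was missing, and a password-change endpoint should additionally demand the current password so that a stolen session alone isn’t enough.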
Did I contact Hacker Mediation on HackerOne?
Apparently, it came to my attention that Hacker Mediation cannot mediate reports for users with a signal below zero. This is how the analyst takes advantage of new researchers starting off in the Bug Bounty field who have legitimate reports, eventually scamming them this way. The analyst is obviously aware that the researcher won’t be able to ask for mediation or get the help they need even if their report is legitimate, so they decide to scam the researcher by overlooking the report and falsely marking it as a duplicate of something that isn’t even related to the report.
What steps did I take next?
Since mediation couldn’t be performed by HackerOne and I noticed this scam — I ended up contacting an agent at the FBI and filing an IC3 Report against the company Circle for fraud. PoC of the vulnerability is shown below for proof:
PoC showing Password Change Vulnerability
In this PoC, you can see I was testing the Account Takeover between the two accounts (the Administrator and the Viewer), and both were able to reset each other’s passwords. The analyst dismissed this as session hijacking, but no hijacking was involved. The point was to prove that a Viewer is able to reset an Administrator’s account, leading to the account takeover. The User ID can obviously be guessed easily using Python scripts and brute-force using Burp Intruder. This is proof of the filings to the FBI as well:
The information sent to the FBI-controlled domain email is not shown for confidentiality purposes. However, I did forget to state something important here. The report was marked a Duplicate first, then changed back to New, then another triage analyst changed it back to a Duplicate of the same false report (yeah, it’s like the analysts are probably new or possibly don’t even trust themselves or something. Like, how does that happen out of nowhere?):
As seen here, it appears that Jay, even though he’s a new analyst, knew that the vulnerability is there and is a different one from what he marked it a duplicate of, leading him to reopen the report. However, dexter closes it as a duplicate of the same false and overlooked report. As stated earlier, the whole point of the report is an IDOR + Access Control Violation to test if a Viewer account was able to change the password of an Administrator account, which was possible through the User ID; this has nothing to do with Session Hijacking. Thus, the scam. You may be asking, how do I know that Jay is a new triage analyst at HackerOne? It’s easy, his profile shows it:
Jay’s Profile
Jay was going on the right track by reopening the report, clearly knowing that the vulnerability is still there and different from the report he marked mine a duplicate of, but I don’t know about these other analysts who overlook reports.
Are there any other programs like this?
Absolutely, you’d be surprised if I told you that Bug Crowd has such scammer programs as well. One of them is the big technology giant, Dropbox. Yes, you got that right. Earlier you may never have heard of Circle, but Dropbox is involved in such fraudulent activities as well.
The same scenario that happened with the Circle BBP happened with Dropbox as well; however, this was a slightly different kind of Account Takeover. This involved the credentials of the developer of the Dropbox Forum being exposed via the Inspect Element tool through prototype errors in the JavaScript code that they had on their site. However, while I was able to intercept these credentials, I still had to prove impact by finding a way to use them. This is when I noticed that the credentials were actually API credentials, which could be used to leverage the developer’s account by accessing the site through the API, so that is exactly what I did. The first thing I did took several hours: looking for every GraphQL endpoint on the Dropbox Forum site that I could possibly use with this API access to log in to the developer’s account and prove that it’s the developer’s account without performing any sensitive actions such as account deletion or similar, which is exactly what I did.
In addition to this, I found that there are many true and false values used to access additional data. This gave me the idea that a Mass Assignment vulnerability might be present in the web application, so I changed all the values in the request from false to true in the endpoint and sent the request. The response was shocking, because I was able to access a great amount of information from the developer’s account that proved it’s their account, including their User ID, name, and other developer-related information, just by using that Authorization Bearer.
I decided to take a step further and report this matter to Bug Crowd, only to get scammed by Dropbox again, because they patched the vulnerability and closed my report as “Not Applicable” regardless of over three days of penetration testing and severe work (because I also had to find the persisted query hashes and the GraphQL operation endpoints as well). While the triage analyst wanted me to show more impact, it was unfortunate that I couldn’t, because they had already patched the issue and I couldn’t capture the credentials again to log in as the developer.
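The “flip every false to true” behaviour described above is worth seeing from the server’s side. The following is an added example for this write-up, not Dropbox’s or the forum’s code: a profile resolver that honours client-supplied include-flags without any authorization, next to one where the flags can only narrow a response whose upper bound is decided server-side. The profile record, flag names and viewer roles are all constructed.

```python
"""Added illustration of client-supplied visibility flags widening a profile
response (mass assignment of include-flags). Not Dropbox's or the forum's
code: field names, flags and viewer roles are constructed."""

# Constructed profile record for the account being queried.
PROFILE = {
    "user_id": 4242,
    "name": "forum-developer",
    "email": "dev@forum.example.invalid",
    "api_scopes": ["forum:write", "forum:moderate"],
    "internal_notes": "constructed staff-only note",
}

# Request flag -> field it unlocks (the shape of the true/false knobs in the request).
FLAG_TO_FIELD = {
    "includeEmail": "email",
    "includeApiScopes": "api_scopes",
    "includeInternalNotes": "internal_notes",
}

PUBLIC_FIELDS = {"user_id", "name"}
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "api_scopes"}
STAFF_FIELDS = OWNER_FIELDS | {"internal_notes"}


def resolve_profile_vulnerable(viewer_id, viewer_is_staff, profile, flags):
    """Honours every flag the client sends. Authorization never enters the
    picture, so flipping the flags is enough to pull the whole record."""
    out = {k: profile[k] for k in PUBLIC_FIELDS}
    for flag, on in flags.items():
        field = FLAG_TO_FIELD.get(flag)
        if on and field:
            out[field] = profile[field]
    return out


def allowed_fields(viewer_id, viewer_is_staff, profile):
    """Server-side decision of what this viewer may see of this profile."""
    if viewer_is_staff:
        return STAFF_FIELDS
    if viewer_id == profile["user_id"]:
        return OWNER_FIELDS
    return PUBLIC_FIELDS


def resolve_profile_hardened(viewer_id, viewer_is_staff, profile, flags):
    """Flags may only narrow the response; the upper bound is set server-side.
    Unknown flags are ignored rather than mapped onto a field."""
    allowed = allowed_fields(viewer_id, viewer_is_staff, profile)
    requested = {FLAG_TO_FIELD[f] for f, on in flags.items() if on and f in FLAG_TO_FIELD}
    visible = PUBLIC_FIELDS | (requested & allowed)
    return {k: profile[k] for k in visible}


ALL_ON = {flag: True for flag in FLAG_TO_FIELD}   # "every false changed to true"


def demo():
    stranger = 7  # an ordinary forum account, not the profile owner and not staff
    return {
        "vulnerable_stranger": sorted(resolve_profile_vulnerable(stranger, False, PROFILE, ALL_ON)),
        "hardened_stranger": sorted(resolve_profile_hardened(stranger, False, PROFILE, ALL_ON)),
        "hardened_owner": sorted(resolve_profile_hardened(4242, False, PROFILE, ALL_ON)),
        "hardened_staff": sorted(resolve_profile_hardened(stranger, True, PROFILE, ALL_ON)),
    }


if __name__ == "__main__":
    for who, fields in demo().items():
        print(who, fields)
```

Note what the hardened resolver does and does not fix: a caller who presents the owner’s own bearer token is still treated as the owner, so leaked API credentials in client-side JavaScript remain a separate problem that has to be fixed by keeping such credentials off the client entirely. The resolver only guarantees that request flags can never widen access beyond what the token’s holder is entitled to.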
Was I able to get mediation for this?
Yes, absolutely. I reported the matter to Hacker Mediation at Bug Crowd, because the bug actually had its status changed to Triaged before it was changed back to Not Applicable. Unlike HackerOne, Bug Crowd does have full-time mediation. However, the mediation team wasn’t quite helpful either, as they couldn’t understand that the bug was patched, and they overlooked the report by instead forcing me to exploit the bug further (which I would have, by making a post using the developer’s account or similar, given that their account deletion system even has a bug with the persisted query hash, but I couldn’t because the bug was already patched, as seen in the PoCs below, further proving the scam).
However, what Bug Crowd doesn’t understand in this scenario is that they’ve clearly committed an act of fraud, since the customer had already patched the vulnerability, making further access impossible. Thus, proving the scam.
What further steps did I take?
The same as I did with the first scam I encountered: I contacted the FBI and filed an IC3 report, forwarding all evidence including the IC3 report to an FBI-controlled-domain email address. The PoC is as shown below:
PoC before patch (and scam):
PoC 1: Showing Access to Account and Ability to read some information
PoC 2: Showing access to the account and the ability to display the account owner’s information, as well as differentiating between my account’s User ID and the account owner’s account and User ID, proving Account Takeover. Keep in mind that in this video I even show other vulnerabilities, such as new sessions being created while old sessions are still in use (so there’s no session expiry for these tokens, maybe until the next day):
PoC after patch (and scam):
You can see from these three PoCs that they patched the vulnerability as seen in the last PoC and then closed the report as seen here:
However, the information on impact was enough to triage the report and actually get paid by the customer, given that 1) I was able to access an account I wasn’t supposed to access (the developer’s account) and 2) I was able to prove whose account it was by accessing information from the account itself through the API without performing sensitive actions. I thought they needed more information, so I decided to go on the Dropbox Forum again, only to end up seeing that the forum is inaccessible:
As seen above, a Page Not Found error appears while logging in. I tried this with a new account as well and it didn’t work. This made me think they’re probably fixing something, so I decided to check if the vulnerability is still there and, to my surprise, they had patched it, as seen in the PoC after patch (scam) above:
Oh! Not to forget the fact that the report itself was triaged as well, and then changed back to New:
Once again, to prove the bug has indeed been patched and thus the scam that has been performed:
Before the patch was applied:
After the patch was applied:
Also, the proof that I have a report prepared for the FBI, British and Irish Authorities is as shown below:
However, like I stated, the FBI-controlled-domain email will not be provided in this write-up, nor the emails of my communications with the FBI, for confidentiality purposes and to abide by Federal law.
Which other programs in Bug Crowd act like this?
I’ve witnessed such scams with programs such as Etsy, Snapchat and Rarible as well. Yup, these may be big companies capable of paying you, but greedy enough to let your reports fall apart. Let’s take Rarible as an example:
As we can see above, I had made it clear that everything reported in the third video PoC I provided showed access to something no one should have access to in the Rarible program. However, they created a blocker for the customer:
However, we can see from here that they left it for two months and closed the report themselves without receiving information on impact from the customer, unlike what is actually supposed to happen in terms of receiving information on impact from a customer, like I received on my Dropbox report:
As seen here, when the customer sends a message to the Bug Crowd staff, the researcher can see it as well before the staff reach out to the researcher, which never happened on the Rarible report. This itself was an IDOR that was reported, and guess what? It turned out that Rarible has paused their program too:
This, however, I believe was done by Bug Crowd themselves, because Rarible wasn’t responding to their staff or to researchers’ reports and queries, and Bug Crowd decided to close the report due to this non-responsiveness and paused the program.
While the IDOR in Rarible has been covered, I’ve not yet discussed the IDOR in the Etsy chat feature. Apparently, you can chat with regular users instead of sellers using the Etsy chat system. I was able to leverage this IDOR and report it, and while the report did get triaged, they still marked it as Informational at the end, claiming that the chat is functioning as normal and that the user is supposed to chat with the seller, overlooking the fact that I clearly stated that a user can chat with a user, not a seller. The PoC is as seen below:
Although the Crowd Control user closed the report as Informational, they haven’t understood the report yet. The report clearly states a user chatting with a user, but they referenced a user (in this case a buyer) communicating with a seller, while what my report explained was a buyer communicating with other users (or buyers, according to their terms). Also, whoever they are, they were right about the report being triaged:
The last scam program I would like us to review is from the HackerOne platform and it’s called Snapchat. Yes, the popular Snapchat. I crafted a CSRF link, and what this link was made to do is basically keep changing your Snapcode on Snapchat every time you clicked on it. Snapchat themselves present this feature as a sensitive feature as well:
However, we can see from the way the triage analyst from HackerOne replied that he says it’s not a sensitive feature (I do doubt this, because if it wasn’t a sensitive feature, Snapchat wouldn’t make it clear that it is one):
This takes me back to the point I was explaining earlier: they are taking advantage of researchers who don’t have a signal score, because they know we can’t request help, mediation or anything else, and this is true because they’re taking reports from researchers whose signal score is below zero as well. The whole point he’s stating here is that although I was able to obtain a 200 OK (which means I was able to click the link and the Snapcode did change after clicking it), the feature isn’t sensitive because every time the Snapchat app refreshes or is opened, a new Snapcode is created. However, like I said, I highly doubt this to be true, because Snapchat clearly states, “If you’re receiving messages from unknown people, you can change your Snapcode,” and even before changing the Snapcode there is a sensitivity warning about changing it, which debunks the analyst’s claim and proves once again that it’s a scam, even though the CSRF was a success, as the analyst himself acknowledged that it worked. The analyst’s claim is that the Snapcode isn’t sensitive information. The issue is that if an attacker is able to change the Snapcode of another user by sending them a link, without the user knowing that the Snapcode has changed while their friends still have the old Snapcode, that is problematic, because those friends won’t be able to reach the person through the old Snapcode again. This is why Snapchat themselves make it clear before changing the Snapcode, even ask if you’re sure you want to do it, and request that you only do it if you’re receiving chats from unknown people. This clearly means the feature is sensitive and exists to prevent harassment or attacks, and the fact that an attacker can change a user’s Snapcode every time the victim clicks the link makes it clearly impactful, even if the attacker doesn’t get the new Snapcode back.
The objective of the attacker here is to change the Snapcode and cut the victim off from communications through their old Snapcode. For example, say CryptoNWO (a YouTuber I know) has a Snapcode that he uses to communicate with his fans on Snapchat; if I, as the attacker, sent him the link and he clicked it without knowing what it is, it would change his Snapcode, and the people who depended on that Snapcode to contact him wouldn’t be able to reach him through it anymore, because it would have changed through me sending him the link (this is just an example scenario). That is impactful and can be classed as a P3 vulnerability, as it affects the Integrity and Availability of Snapchat to its users. Also, given that someone like CryptoNWO keeps growing his YouTube channel and currently has over 1.3 million subscribers and 162k or more views on his videos, it would be quite devastating for someone like him to lose his fans if they can’t contact him over Snapchat because a link he clicked changed his Snapcode and the old Snapcode in his videos doesn’t work anymore (like I said, I took Crypto as an example due to his big fan base and also because he does have a Snapcode on one or two of his very old videos that I’ve watched, because that’s how I added him on Snapchat in 2021, as far as I remember). However, the analyst overlooked my report and closed it as Informative, further proving the scam. You can check the PoC of this exploit in the video below, clearly showing that I was able to change a Snapcode by crafting my own web page and clicking on it (if this were hosted on a website and sent to someone and they clicked it, it would change their Snapcode too without any warnings, only a blank page where they see nothing and won’t know what’s happening in the background):
However, as stated, I couldn’t contact Hacker Mediation for this report as my signal score was below zero, but as long as I proved that Snapchat has made it clear to their users that this feature is sensitive, it debunks the analyst’s claim. Also, the page clearly states that Snapcodes are unique and gives a warning before even requesting a new one. However, using the crafted link I made, anyone who clicks it will get a new Snapcode in their profile (the warning wouldn’t matter because there are no warnings at all; it’s just a one-click link), so you can see the difference from the analyst’s perspective here, and the proof showing how this program is a scam.
While the Rarible, Snapchat and Etsy reports didn’t have much impact, in that they were P3 vulnerabilities, I didn’t report these to the FBI, but decided to rather report the critical vulnerabilities, because those programs promise high payouts. For example, in the case of Dropbox, accessing a developer account that can leverage Privilege Escalation is considered a P1 vulnerability with the ability to pay out over $10,000 from Dropbox, and in the case of Circle, being able to reset an Administrator account and leverage a full account takeover has the ability to pay out over $10,000 from Circle. Which simply means that I’ve been scammed out of over $20,000 in total by both these programs, unlike Etsy and Rarible, which would only pay around $300, which is nothing compared to the $20,000.
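Since the Snapchat section turns on whether a one-click link can change account state, here is an added example of the mechanism from the defending application’s side. This is my own illustration for this write-up, not Snapchat’s code: a “regenerate my code” endpoint that accepts any request carrying the session cookie, next to a version that insists on POST, a first-party Origin/Referer and a synchronizer token bound to the session. The session store, origins and request shape are constructed.

```python
"""Added illustration of a one-click CSRF on a state-changing endpoint (an
account "regenerate my code" action) and the checks that stop it. Not
Snapchat's code: request shape, session store and origins are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example.invalid"      # constructed first-party origin


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def fresh_state():
    """Constructed server state: one logged-in user with a CSRF token bound to her session."""
    return {
        "sessions": {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}},
        "codes": {"alice": "CODE-ORIGINAL"},
    }


def regenerate_vulnerable(state, req):
    """Any request carrying the session cookie rotates the code. A GET from a
    link or <img> on another site is enough, because the browser attaches the
    cookie automatically and nothing ties the request to a deliberate action."""
    sess = state["sessions"].get(req.cookies.get("session"))
    if sess is None:
        return 401
    state["codes"][sess["user"]] = "CODE-" + secrets.token_hex(4)
    return 200


def regenerate_hardened(state, req):
    """Three independent checks: POST only, Origin (or Referer) must be
    first-party, and a synchronizer token must match the one in the session."""
    if req.method != "POST":
        return 405
    sess = state["sessions"].get(req.cookies.get("session"))
    if sess is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None:
        same_site = origin == SITE_ORIGIN            # exact match, not prefix
    else:
        same_site = req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")
    if not same_site:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    state["codes"][sess["user"]] = "CODE-" + secrets.token_hex(4)
    return 200


def demo():
    cookie = {"session": "sess-alice"}
    # What the browser sends when a page on another site links to or embeds the endpoint URL.
    cross_site_get = Request("GET", cookies=cookie,
                             headers={"Referer": "https://other.example.invalid/"})

    state = fresh_state()
    vuln_status = regenerate_vulnerable(state, cross_site_get)
    vuln_changed = state["codes"]["alice"] != "CODE-ORIGINAL"

    state = fresh_state()
    hard_get = regenerate_hardened(state, cross_site_get)
    # A cross-site form POST: the browser sets Origin to the other page, and the token is unknown to it.
    forged_post = Request("POST", cookies=cookie,
                          headers={"Origin": "https://other.example.invalid"},
                          form={"csrf_token": "guess"})
    hard_forged = regenerate_hardened(state, forged_post)
    unchanged = state["codes"]["alice"] == "CODE-ORIGINAL"
    # The legitimate same-origin form submission, carrying the session's own token, still works.
    good = Request("POST", cookies=cookie, headers={"Origin": SITE_ORIGIN},
                   form={"csrf_token": state["sessions"]["sess-alice"]["csrf"]})
    hard_good = regenerate_hardened(state, good)
    return {"vulnerable_status": vuln_status, "vulnerable_code_changed": vuln_changed,
            "hardened_cross_site_get": hard_get, "hardened_forged_post": hard_forged,
            "hardened_code_unchanged_after_forgeries": unchanged,
            "hardened_legit_post": hard_good}


if __name__ == "__main__":
    print(demo())
```

Marking the session cookie `SameSite=Lax` or `Strict` is a further layer on top of this, since it stops the browser from attaching the cookie to most cross-site requests in the first place, but the token check is what makes the endpoint safe regardless of browser behaviour. The confirmation dialog the page mentions is a client-side prompt, so on its own it is no protection against a request that never goes through that page.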
How about AI Bug Bounty Programs?
AI Bug Bounty programs are pretty much the same: if you actually find a vulnerability that you’re able to exploit but they find your report to be low effort, they’ll close it as Spam and you lose your reputation points as well. You can take a look at this report I submitted to the huntr platform for the Lunary AI program:
Since this report is disclosed, it can be viewed by anyone. The video PoC and everything else is shown on the link itself. Imagine if you were using an AI product and another person could access the developer dashboard of your business, look at your customer data and sensitive information about your company, edit such information without being authorized to do so, or even delete your entire organization’s dashboard. That is exactly what I demonstrated in the disclosed report, and as you can see, the report was closed as Spam for supposedly being a “Low Effort Report” according to the analyst, even given the fact that the Dashboard ID can be enumerated by guessing, fuzzing and brute-forcing. This has the ability to impact Confidentiality (because sensitive information about a company, such as sales information and similar, can be accessed by an attacker), Integrity (because the dashboard can be modified by the attacker, and non-repudiation is lost when the IDOR is exploited) and Availability (because the attacker can delete an entire company dashboard). We can see the kind of impact it has as P1 (Critical). However, I didn’t take this part of the report seriously, because it was out of scope: I didn’t test it from my localhost through Docker and instead tested it on the live application on the web, which was something I wasn’t supposed to do. This still raises doubts about how the analyst looks at new researchers’ reports. Remember when I said these analysts take advantage of new researchers? My report was closed as Spam and I lost 10 reputation points:
We can see an example of a report from another researcher that was closed as N/A instead of Spam, and that researcher only lost 5 points. Keep in mind that both our reports are legitimate but out of scope (even though they were tested on the program itself, they were tested on the live program, not through a localhost installation of it), and if you look closely at his report, he was warned not to test against live assets (I wasn’t warned about anything in my report, however):
You may have heard that if a researcher has a duplicated report, they gain points from the other researcher’s work, right? Well, with AI bug hunting it’s the opposite: the researcher actually loses points. This was a duplicate report I had on the same program, a duplicate of an Informative report of a reproducible vulnerability that had been closed as Informative. Once again, this clearly shows that this program takes advantage of new researchers as well, because all of these reports are legitimate, including the one that was closed as Informative, and as seen, my report was closed as a duplicate and I lost reputation points even though I was able to reproduce the vulnerability (this was after I installed the program on localhost and ran it in a Docker container):
Remember, I clearly stated that the IDOR has the ability to edit AI prompts (basically, a Viewer account being able to edit information on an Administrator account without the privileges to do so). This would fall under P3, as it impacts only the integrity of the application, and guess what it’s a duplicate of:
An Informative report, even though the report was clearly reproducible. In addition to this, the owner of the bug bounty program clearly knew that this has been there for three months and never patched it either. Remember that while I lost 5 reputation points for the duplicate, this researcher lost nothing and his reputation wasn’t impacted; however, his report was overlooked even though the issue is reproducible. The good thing here is that this Bug Bounty program discloses reports, so it’s quite clear to see how the scams happen.
Does this mean the end of Bug Bounties?
No, I don’t believe this is the end of Bug Bounties for new Bug Bounty Hunters. However, I do believe that there are other platforms apart from Bug Crowd and HackerOne that don’t perform fraud the way these programs do, and there’s always a potential way to identify scam programs as well. For example, the Circle BBP itself had very few resolved researcher reports (about 16, I think), which makes it quite a new program on the HackerOne platform, and even though they may be in Beta, they’re likely doing this to lure in researchers to scam them. For example, they accept reports from researchers without any signal score, which is quite odd as well:
16 Reports Resolved
As we can see from here, this HackerOne program (Circle BBP) that was involved in the fraud has about 16 resolved reports. However, we can see that the number of reports they received is more than the number they have resolved. Why would that be so? It’s obviously a scam.
We can obviously think of Dropbox as being the same; however, Dropbox has been on the Bug Crowd platform for a while, and it’s obvious that I decided to choose Dropbox for a reason: the majority of their scopes never had a critical vulnerability reported, especially the forum, where I actually found those developer credentials exposed:
It would be easy to identify that this program and most of its scopes are running in Beta, which would be a good opportunity to perform penetration testing. However, it’s also a good base for scamming, even though the number of researchers they have rewarded is quite low, around 140:
It would be hard for a researcher to identify a scam in this program, the reason being that they have a high reward rate and are a legitimate company as well. However, looking at the rate of reports per scope is a good way to get an idea of what is going on and actually identify if something fishy is up, especially for a program that’s been around since 2022:
It only makes sense that the program has likely scammed most of the researchers who report their valid vulnerabilities to the program, patched the vulnerabilities, and closed their reports, leaving the researchers with nothing.
While HackerOne and Bug Crowd may be platforms for hackers to TRY to get their reports triaged and paid out for their research, I would highly recommend YesWeHack as a good alternative if you are willing to continue with your Bug Bounty Hunting journey. The reasons I say YesWeHack is a good alternative are: 1) their bounties are low but assured; 2) you will get paid if you can leverage any vulnerability in the process (the bug that I found paid out $1,200; however, since it’s a Government program, I’ve been strictly warned by program policy not to disclose information unless permitted by the authorities); 3) the most legitimate programs you can trust are of course Government programs; 4) it’s European. This is why I highly recommend YesWeHack, as it’s the only platform where I truly did make money from Bug Bounty Hunting and even made it to the Hall of Fame of the program itself.
Conclusion
While some scammer bug bounty programs may exist out there, it is important to note that there is hope for researchers who are still into penetration testing, through platforms such as YesWeHack and mostly Government programs, which can either be paid or VDPs (Vulnerability Disclosure Policies) that give swag or other items. While I did hunt on a paid Government program, I cannot state what the vulnerability is or how to exploit it, as that is restricted by law and subject to prosecution since it involves the Government. You can see from here that I’ve made it to their Hall of Fame as №1:
Finally, we can see proof that I did get paid by the Bug Bounty program as well:
Payment from Program
So there is hope for researchers out there, but it’s best to consider non-American platforms offering non-American programs, as they can be much more legitimate than American platforms offering high-paid American programs that promise you something but give you nothing. As for me, I have other things coming up, and since Bug Bounties are just taking my time and I’ve mostly been scammed throughout this month and not made anything out of the legitimate reports I’ve made, I think I’ll switch to working as a manager and CEO at my own property that I’m a shareholder of. However, I may return to bug hunting in the future if it makes sense at that time to return to it.