Once upon a time in the land of [target.tech], there existed a “Raise a Ticket” functionality, designed to help the noble users communicate their woes to the support team. Little did they know, the very files they uploaded for help were served back as publicly reachable URLs: anyone holding the link could fetch them, with no authentication and no check tying the file to the ticket or its owner. No guards, no security checks, just free for the taking! 🎉
At this point, I realised this wasn’t just a bug; it was a gateway to sensitive customer data. I mean, who wouldn’t want to hand over customers’ private support attachments to unauthenticated users on a silver platter?
But wait, there’s more! Because I’m thorough (and maybe just a little mischievous), I decided to upload an XML file laced with a little XSS surprise. When I opened that file’s URL in the browser, bam! The browser rendered the XML inline and the embedded script fired: stored XSS, living in an uploaded file rather than in any request parameter. Hello, CloudFront bypass! 😏
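As an added example (not code from the original post, and not the target’s code), here is the shape of both failures above and the download handler that closes them: the well-known XHTML-namespace trick that makes a raw XML file execute script when a browser renders it inline, a vulnerable handler that hands any link-holder the file with the uploader’s declared type, and a hardened one that checks ticket ownership and forces a download. The ticket data, attachment IDs, user names and function names are all constructed for the example.

```python
# Added example, not code from the original post or the target application.
# All data (ATTACHMENTS, user names) and function names are constructed.
import re
from dataclasses import dataclass

# Well-known XML-based XSS probe: a plain XML document carrying an element in the
# XHTML namespace. A browser that renders the file inline as XML executes it.
XSS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<ticket><note>please help</note>'
    '<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>'
    '</ticket>\n'
).encode()


@dataclass
class Attachment:
    ticket_owner: str   # user who raised the ticket
    filename: str       # as supplied by the uploader (untrusted)
    content_type: str   # as declared by the uploader (untrusted)
    body: bytes


# Constructed sample storage: two attachments on a ticket raised by "alice".
ATTACHMENTS = {
    "att-1": Attachment("alice", "invoice.pdf", "application/pdf", b"%PDF-1.4 constructed"),
    "att-2": Attachment("alice", "debug.xml", "application/xml", XSS_XML),
}

# Markers that let an XML file run script or pull in resources when rendered inline:
# XHTML or SVG namespaces, script elements, and xml-stylesheet processing instructions.
ACTIVE_XML = re.compile(
    rb"w3\.org/1999/xhtml|w3\.org/2000/svg|<[\w:]*script\b|<\?xml-stylesheet",
    re.IGNORECASE,
)


def xml_may_execute_in_browser(body: bytes) -> bool:
    """Upload-time check: reject (or quarantine) XML that can turn into a web page."""
    return ACTIVE_XML.search(body) is not None


def safe_filename(name: str) -> str:
    """Keep a conservative character set so the Content-Disposition header cannot be abused."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "", name).lstrip(".")
    return cleaned or "download"


def serve_attachment_vulnerable(user, att_id):
    """The behaviour the post describes: whoever holds the URL gets the file,
    served inline with the uploader's own Content-Type and no auth at all."""
    att = ATTACHMENTS.get(att_id)
    if att is None:
        return 404, {}, b""
    return 200, {"Content-Type": att.content_type}, att.body


def serve_attachment_hardened(user, att_id, is_support_staff=False):
    """Authenticate, authorize against the ticket owner, then force a download."""
    att = ATTACHMENTS.get(att_id)
    if att is None:
        return 404, {}, b""
    if user is None:
        return 401, {}, b""                 # unauthenticated: never serve
    if user != att.ticket_owner and not is_support_staff:
        return 403, {}, b""                 # use 404 instead if you also want to hide existence
    headers = {
        "Content-Type": "application/octet-stream",                # do not echo the uploader's type
        "Content-Disposition": f'attachment; filename="{safe_filename(att.filename)}"',
        "X-Content-Type-Options": "nosniff",                       # no MIME sniffing into text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",  # belt and braces if it still renders
        "Cache-Control": "private, no-store",                      # keep it out of shared CDN caches
    }
    return 200, headers, att.body


if __name__ == "__main__":
    print("upload check flags probe:", xml_may_execute_in_browser(XSS_XML))
    print("vulnerable, anonymous:", serve_attachment_vulnerable(None, "att-2")[:2])
    print("hardened, anonymous:  ", serve_attachment_hardened(None, "att-2")[:2])
    print("hardened, owner:      ", serve_attachment_hardened("alice", "att-2")[:2])
```

The authorization check is the fix for the data exposure; the forced download with `nosniff` is the fix for the XSS, because the browser never gets to render the file as a document. The upload-time scan is defence in depth only, not a substitute for either. In a real deployment where uploads sit in object storage behind a CDN, the same rules apply: hand out short-lived signed URLs from an authenticated endpoint rather than permanent links, and serve user content from a separate sandbox origin so that anything that does render cannot touch the application’s cookies.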
Naturally, I reported this glaring issue, expecting a shower of gratitude and maybe a nice little reward for my efforts. But instead, what did they do? They quietly removed the entire support module from the program. Yes, you read that right — they deleted it faster than you can say “security oversight.” 🙃
Apparently, the risk of exposing sensitive customer data to unauthenticated users and giving them a free pass to exploit it wasn’t worth their time. Oh, and the cherry on top? I didn’t even get paid for discovering this security loophole. I guess good security practices are just too expensive these days.
#BugBounty #Infosec #CyberSecurity #XSS #ImproperAccessControl #SecurityFail #EthicalHacking #PenTesting #BugHunterLife #SecureAllTheThings #OopsIDidItAgain #NoPayNoGain #SecurityAwareness #HackerHumor #BountyHunter #VulnerabilityDisclosure
All ears for bug bounty and pentesting talk on LinkedIn & Twitter.
Read my other articles