January 2021 - My first bounty

The first bounty is a milestone that many hope to hit. It marks the starting line for a lot of bug bounty hunters today. Mine was interesting. For privacy's sake, I won't disclose the company.

My first bug was an IDOR. IDOR stands for Insecure Direct Object Reference - that is, if you have a parameter in a URL, and you change that parameter and you get access to something you shouldn't have access to - that's an IDOR bug.

That day started off as normal - I did some hunting on Bugcrowd, I studied some hacking techniques, the usual. Anyway, I had recently become interested in mobile hacking - specifically, mobile APIs. Mobile APIs are a lot like web APIs; they have the same types of vulnerabilities. So I had my phone connected to Burpsuite, and I was reading the traffic coming from various apps. I was just messing around, trying to get the hang of it.

Then, on one particular app, a certain endpoint caught my eye. I can't explain it. When you're hunting for long enough, you develop a sixth sense. This endpoint triggered this sense - I paused at this endpoint, and thought what if? This particular endpoint had a memberID parameter, and it returned all of my account information to me. The memberID value was just a number - it wasn't hashed or anything. So, as any innocent hacker does, I changed the value by 1. And I watched in shock as someone else's personal information was returned in the response. I experimented with it, and was able to access more sensitive information. Awesome.

Not only that, but the memberID parameter was present in four more endpoints leaking PII (Personally Identifiable Information). These IDORs leaked full names, addresses, email addresses, phone numbers, balances, and more.

I submitted a report to the company, and they were very nice about it. It was resolved quickly. I was awarded a sweet $2,400 bounty - not bad at all.

Oh, and I'll have a writeup on an awesome DuckDuckGo bug soon - but I need permission to disclose it first.

Show Comments