A researcher got paid $10,000 for a bug that doesn’t even exist
A security researcher named Valeriy Shevchenko got a 3-week vacation while switching jobs amid COVID-19. During the vacation he decided to try some bug bounty hunting. He soon found a bug bounty program that had recently added a new target to its scope and started looking for bugs there.
He explains that if the company's name is example.com, the program would also accept bugs found on the company's other domains. The researcher only knew about example.com; the company's other registered domains were not listed. After trying several domains such as example.io, example.ca and example.org, he found that example.net redirected to example.com. That gave him two domains to work with, and the bug was discovered on the newly revealed one.
Next came a routine step: he collected all the subdomains for example.com and example.net, and found that there were not very many. However, he decided not to filter them through httprobe and instead ran the basic checks by sending requests with nuclei. This was the decision that led him to the bug: had he run httprobe --prefer-https, he would not have found this vulnerability. He noticed some oddities in the responses to requests sent to a subdomain of example.net over plain HTTP. Eventually he realized he had found the most well-known form of path traversal, the kind that is usually only seen in test labs. A request of the form example.net/../../../../../../../../../../../../../../etc/passwd returned the contents of the passwd file to him.
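The traversal described above is easy to reason about from the defender's side. The following is an added example, not code from the article or from the affected company: a file-serving check that refuses any request whose decoded path escapes the document root, and a small log scan that flags dot-dot requests (including percent-encoded and double-encoded forms) so that probing like this shows up in monitoring. The webroot, the log format and the log lines are all constructed for the example.

```python
"""Path-traversal handling from the defender's side (added example).

  - resolve_under_root(): what a file-serving handler should do before
    opening anything, refusing requests that leave the document root.
  - find_traversal_attempts(): a log scan that flags requests whose
    decoded path contains a '..' segment, so the probing that precedes a
    disclosure like the one in the article is visible to the SOC.
The webroot, log format and log lines are constructed, not real traffic.
"""
import os
import re
from urllib.parse import unquote

# Constructed sample log lines in a common-log-style format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2020:12:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 8801
203.0.113.5 - - [10/Oct/2020:12:00:03 +0000] "GET /../../../../../../etc/passwd HTTP/1.1" 200 1427
203.0.113.5 - - [10/Oct/2020:12:00:04 +0000] "GET /img/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2020:12:00:05 +0000] "GET /docs/..%252f..%252fconfig HTTP/1.1" 404 0
"""

_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
_DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(raw: str) -> str:
    """Strip the query string and percent-decode twice, so that single
    (%2e%2e) and double (%252e%252e) encodings normalise to literal dots."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def resolve_under_root(webroot: str, requested: str):
    """Map a request path onto the filesystem and return the absolute path,
    or None if the request would leave `webroot`. NUL bytes and backslashes
    (treated as separators by some servers) are rejected outright."""
    path = decode_path(requested)
    if "\x00" in path or "\\" in path:
        return None
    root = os.path.realpath(webroot)
    # Join the un-normalised relative path so that '..' segments are resolved
    # against the real root rather than silently absorbed by a leading '/'.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def find_traversal_attempts(log_text: str):
    """Return (line_number, status, decoded_path) for each request whose
    decoded path contains a '..' segment. A 200 on such a line is the one
    worth paging on: the server answered instead of refusing."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_path(m.group("path"))
        if _DOTDOT_SEGMENT.search(decoded):
            status = int(line.rsplit(" ", 2)[-2])
            hits.append((lineno, status, decoded))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
    print(resolve_under_root("/var/www/html", "/index.html"))
    print(resolve_under_root("/var/www/html", "/../../../../etc/passwd"))
```

The scan deliberately decodes before matching; a rule that only looks for the literal string `../` misses the encoded variants on lines 4 and 5 of the sample log. The resolver relies on `realpath` against the real root rather than on normalising the URL path first, because normalising an absolute path collapses leading `..` segments and would make the traversal look harmless.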
He then ran a word list against many directories, and the content they returned was not very useful. When he ran the last directory, however, he received a huge amount of data in response, and as he read through it he was shocked: it contained keys that a server would need to interact with the service (from inside the network) and other interesting and useful material. He wrote up a report and was soon in contact with the triager, but by then the bug no longer worked. The researcher himself believed he had been able to trigger the bug only by luck, or because of some temporary failure on the server.
The researcher stated that “Technically, if a researcher finds a vulnerability that works for a short period of time — it should still be considered a security incident for the company. And still, it is necessary to take measures and analyze this security incident in the access format not only from the side of an unlucky researcher but from the side of a real attacker as well, since the researcher highlighted the problem itself.” He argued with the triager, citing examples of short-lived vulnerabilities discovered in the past that were rewarded, and pointed out that a bug can be functional for a very short period of time and still cause massive data loss. The triager gave him another chance.
He then took the AWS profile and tried some AWS API methods, and was satisfied to find a working AWS profile that exposed the company's entire AWS infrastructure. The report was still not triaged even after he showed all these further results. He analyzed all the keys, and they let him access the Postgres database. He explains: “As a result of the subsequent key analysis, I was able to access the Postgres DB through the connection string left in the file. The connection was not limited from the outside. Then I found the FCM/GCM keys, which worked and allowed sending out the notifications to all the users. The PoC was also shown to the triager.” After he had supplied this much information about the bug, his report status was changed to triaged; the company verified the received data, fixed the issue within a week, and a week later the researcher received a reward of $10,000.
He concludes by adding “I am glad this story ended so well for me. And it’s not cool that sometimes you have to do “post-exploitation” and show the obvious things. Because in most places post-exploitation is prohibited. And being able to argue your point of view in the bug bounty turns out to be a pretty important skill.”