They Missed This One Tiny Parameter — I Made $500 Instantly
1 min read
Summary
A hacker and bug bounty hunter called Abhijeet has discovered a security flaw whilst investigating a private programme that could allow him to access sensitive information.
The vulnerability was in the password reset function where it interacted with a separate internal API which was not visible in the usual endpoints.
This particular API lacked an important security parameter which meant that all communications were vulnerable and could be intercepted, giving the hacker access to any data held within.
This is a common vulnerability and is easily overlooked during development, which is why it is commonly discovered by hackers during bug bounties.
Abhijeet was able to access highly sensitive data for less than $500 and all it took was meticulously sifting through hundreds of HTTP requests to spot the vulnerability.