I want to tell how I got $200 from the Tumblr bug bounty program.
- Follow by email allows following by unverified emails ($100)
- Theme Assets uploader allows HTML content ($100)
The first bug is based on adding an email. You can add an email without verifying it, but that alone is not a vulnerability and it does not affect Tumblr customers.
I found a function on Tumblr that allows searching for a blog by email.
So an attacker creates a Tumblr blog using the victim's domain. When other users search for an email on the victim's domain, they see the attacker's blog.
I reported it to Tumblr via HackerOne. They accepted my report and awarded $100.
The second bug is a file upload bypass. They allow bloggers to upload theme assets, but they do not allow HTML files to be uploaded. They do allow JSON files.
I tried to upload a JSON file with HTML code. Fail!
I used file.json with JSON code that included alert code.
Success. I tried using a double extension, file.json.html. Boom!!! The file uploaded. I went to the file path and got the alert.
I reported it to Tumblr and got $100 again.
Report : https://hackerone.com/reports/769998
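To show why the double extension worked and how an upload handler should check it instead, here is an added example (my own reconstruction, not Tumblr's code). The weak check only looks at the first extension, which is the kind of logic file.json.html slips past; the hardened check requires exactly one extension, validates that a .json upload actually parses as JSON, and serves the file with a fixed Content-Type plus nosniff so the browser will not render it as HTML. The allow-list of extensions is an assumption.

```python
import json
import os
import re

# Assumed allow-list for theme assets (hypothetical; the post only says JSON
# is allowed and HTML is not). Content-Type is fixed per extension, never
# taken from the upload.
ALLOWED = {"json": "application/json", "css": "text/css", "js": "text/javascript"}

# Exactly one extension, safe characters only: "file.json" matches,
# "file.json.html" does not.
_NAME_RE = re.compile(r"^[a-z0-9_-]+\.[a-z0-9]+$")

# Constructed payload of the kind the post describes (HTML with alert code).
PAYLOAD = b"<script>alert(1)</script>"


def weak_is_allowed(filename: str) -> bool:
    """Reconstruction of the bypassed logic: only the first extension is
    inspected, so 'file.json.html' is treated like 'file.json'."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and parts[1] in ALLOWED


def hardened_check(filename: str, content: bytes):
    """Return (accepted, content_type) or (False, reason)."""
    name = os.path.basename(filename).lower()   # drop any path component
    if not _NAME_RE.fullmatch(name):
        return False, "bad filename"            # kills double extensions
    ext = name.rsplit(".", 1)[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if ext == "json":
        try:
            json.loads(content.decode("utf-8"))  # must really be JSON
        except (UnicodeDecodeError, ValueError):
            return False, "not valid JSON"
    return True, ALLOWED[ext]


def response_headers(content_type: str) -> dict:
    """Headers for serving an accepted asset: fixed Content-Type and nosniff,
    so even JSON containing '<script>' text is never rendered as HTML."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
```

Serving user uploads from a separate origin is the other half of the fix, since an alert on the asset host then cannot reach the main site's cookies or DOM.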
I am a noob but I am a lucky man. Thanks for reading.