Power of Recon: Hacker accessed bug bounty program’s triaged reports submitted by other researchers

MRD7
Dec 23, 2022

Hello Everyone,

I’m MRD7

Context:

Many bug bounty programs receive many reports every day, and fixing them takes the company 1–4 weeks or more depending on severity. So what if an attacker could access these unfixed reports? Don’t you think an attacker could cause serious damage to the company that way?

No company can fix all of its security issues in a day, so it is extremely important for a company to keep these security reports private.

So, in this writeup you will read how I could access all the security reports [fixed / non-fixed bugs] submitted to a company.

PS: I could access everything, not just titles: everything, including the screenshots submitted by fellow researchers to this bug bounty program.

You don’t always need proxy tools:

As I always say, there are still many simple bugs that you can find without proxy tools.

I got a private invite email and checked the private program’s website from my mobile phone, as I was feeling too lazy to turn on my laptop.

So I decided to check whether there was any misconfiguration in the Jira instance, because to find this misconfiguration you only have to visit a single link.

What is Jira?

It is Atlassian’s issue tracking / project management software. Jira is used by many companies, from startups to the Fortune 500.

What bug did I find, and what was the impact?

I found a misconfigured Jira instance. It allowed an unauthenticated user to see the company’s unfixed security bugs.

I could see that the company had many unfixed security bugs, and not just the titles but the entire POC reports submitted by the researchers.

Pic 1: Actual bugs which were not fixed / Triaged
Pic 2: List of bugs which were fixed

How to find?

Simply visit https://<target_name>.atlassian.net/secure/Dashboard.jspa

Ex: https://bugcrowd.atlassian.net/secure/Dashboard.jspa
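The flip side of this finding, for anyone running Jira, is noticing when anonymous visitors are actually reading issue content. The script below is an added example and is not part of the original writeup: it scans Jira Data Center style access log lines and flags successful (200) responses to issue-bearing paths where the user field is "-" (no authenticated user). The log lines are constructed for the example, the line format is assumed from Jira’s documented access log layout, and the list of sensitive paths (dashboard, /browse/KEY-n, project pages, the search and issue REST endpoints) is my own choice of what is worth alerting on.

```python
import re
from collections import Counter

# Assumed Jira Data Center access log shape:
# <ip> <request-id> <user-or-dash> [timestamp] "<method> <path> HTTP/x" <status> ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)

# Paths that return issue data once "Browse Projects" is granted to Anyone.
# This list is an assumption chosen for the example, not Jira's own definition.
SENSITIVE_PATH_RE = re.compile(
    r'^/(?:secure/Dashboard\.jspa|browse/[A-Z][A-Z0-9]+-\d+|projects/|'
    r'rest/api/\d/(?:search|issue/|project))'
)

# Constructed sample log (RFC 5737 documentation addresses, invented request ids).
SAMPLE_LOG = """\
203.0.113.10 1x12x1 - [23/Dec/2022:10:01:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 15321 210 "-" "Mozilla/5.0" "-"
203.0.113.10 1x13x1 - [23/Dec/2022:10:01:09 +0000] "GET /browse/SEC-42 HTTP/1.1" 200 40112 340 "-" "Mozilla/5.0" "-"
203.0.113.10 1x14x1 - [23/Dec/2022:10:01:15 +0000] "GET /rest/api/2/search?jql=project%3DSEC HTTP/1.1" 200 98211 512 "-" "python-requests/2.28" "-"
198.51.100.7 1x15x1 - [23/Dec/2022:10:02:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 302 0 12 "-" "Mozilla/5.0" "-"
198.51.100.7 1x16x1 - [23/Dec/2022:10:02:01 +0000] "GET /login.jsp HTTP/1.1" 200 8012 45 "-" "Mozilla/5.0" "-"
192.0.2.5 1x17x1 alice [23/Dec/2022:10:03:00 +0000] "GET /browse/SEC-42 HTTP/1.1" 200 40112 300 "-" "Mozilla/5.0" "abc123"
203.0.113.10 1x18x1 - [23/Dec/2022:10:04:00 +0000] "GET /s/xyz/_/images/logo.png HTTP/1.1" 200 1200 5 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def find_anonymous_reads(lines):
    """Return entries where an unauthenticated client ('-' user) received a 200
    for a path that exposes issue data. A 302 to the login page is the healthy
    case and is deliberately not flagged."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry['user'] == '-' and entry['status'] == 200
                and SENSITIVE_PATH_RE.match(entry['path'])):
            hits.append(entry)
    return hits


def summarise(hits):
    """Count flagged requests per source IP so a burst from one client stands out."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    flagged = find_anonymous_reads(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(f"{h['ts']} {h['ip']} anonymous {h['method']} {h['path']} -> {h['status']}")
    print(dict(summarise(flagged)))
```

On the sample above, the three anonymous 200s from 203.0.113.10 are flagged while the 302-to-login from 198.51.100.7 and the authenticated read by alice are not. Note that Jira Cloud (atlassian.net) does not give you these access logs; there the equivalent control is reviewing project permission schemes so that "Browse Projects" is not granted to anonymous users.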

Other interesting read:

Here you can read how this researcher could access NASA staff and project data.

Look for interesting Jira misconfigurations and CVEs.
