This post is about a security bug I found in one of the bug bounty programs. It was very easy to find, and the company accepted it and paid a $25 bounty.
I was exploring the programs at openbugbounty.org when I came across a website that has a responsible disclosure program, so I decided to look for bugs on that website.
After logging in, I noticed a button that allows a user to delete his/her account. That gave me the idea to test for “failure to invalidate session after deletion of account”.
I then looked for another domain of the website that uses the same credentials for login, and luckily I found one.
The functionality/flow was like this:
- The user logs in at accounts.SomeWebsite.com.
- The user also logs in at forums.SomeWebsite.com with the same credentials.
- Now the user deletes the account from accounts.SomeWebsite.com.
- The session at forums.SomeWebsite.com is still usable: the deleted user can still post comments and perform other functionality.
- I also tried it with two different browsers: log in on both domains from both browsers, delete the account from one browser and close it. The session in the other browser was still usable.
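The flow above is the classic case of two subdomains sharing one identity backend but each keeping its own session store, so account deletion on one side never reaches the other. The following Python model is an added illustration and is not the target site's code; the class and function names, and the `session_version` counter, are assumptions. It shows the vulnerable deletion (only the deleting app clears its own sessions) beside two fixes that work together: deletion revokes the user's sessions in every store, and every app re-validates the cookie against the shared user record on each request, so a stale session dies even if a store was missed.

```python
"""Model of cross-subdomain session invalidation after account deletion.
Added example, not the bounty target's code; all names are assumptions."""
import secrets


class UserDB:
    """Shared identity backend used by every subdomain (constructed stand-in)."""
    def __init__(self):
        self.users = {}  # user_id -> {"session_version": int}

    def create(self, user_id):
        self.users[user_id] = {"session_version": 1}

    def delete(self, user_id):
        self.users.pop(user_id, None)


class SessionStore:
    """One per subdomain: each app maps its own cookie to a user."""
    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session_id -> {"user_id", "version"}

    def login(self, userdb, user_id):
        version = userdb.users[user_id]["session_version"]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user_id": user_id, "version": version}
        return sid

    def revoke_user(self, user_id):
        """Drop every session for the user, covering the two-browser case."""
        stale = [sid for sid, e in self.sessions.items() if e["user_id"] == user_id]
        for sid in stale:
            del self.sessions[sid]


def resolve_vulnerable(store, sid):
    """Trusts the cookie as long as this app's own store still knows it."""
    entry = store.sessions.get(sid)
    return entry["user_id"] if entry else None


def resolve_fixed(store, userdb, sid):
    """Re-validates the session against the shared user DB on every request."""
    entry = store.sessions.get(sid)
    if entry is None:
        return None
    user = userdb.users.get(entry["user_id"])
    if user is None or user["session_version"] != entry["version"]:
        store.sessions.pop(sid, None)  # user gone or credentials rotated: drop it
        return None
    return entry["user_id"]


def delete_account_vulnerable(userdb, accounts_store, user_id):
    """Mirrors the reported flow: only the deleting app clears its sessions."""
    accounts_store.revoke_user(user_id)
    userdb.delete(user_id)


def delete_account_fixed(userdb, all_stores, user_id):
    """Revoke in every store that knows the user, then delete the record."""
    for store in all_stores:
        store.revoke_user(user_id)
    userdb.delete(user_id)


def demo(fixed):
    """Log in on both subdomains, delete the account, then try the forum cookie.
    Returns the user the forum would act as, or None if the session is dead."""
    userdb = UserDB()
    userdb.create("alice")  # constructed sample user
    accounts, forums = SessionStore("accounts"), SessionStore("forums")
    accounts.login(userdb, "alice")
    forum_sid = forums.login(userdb, "alice")
    if fixed:
        delete_account_fixed(userdb, [accounts, forums], "alice")
        return resolve_fixed(forums, userdb, forum_sid)
    delete_account_vulnerable(userdb, accounts, "alice")
    return resolve_vulnerable(forums, forum_sid)


if __name__ == "__main__":
    print("vulnerable forum still acts as:", demo(fixed=False))  # alice
    print("fixed forum acts as:", demo(fixed=True))              # None
```

Running `demo(fixed=False)` reproduces the bug: the forum keeps serving the deleted user. The per-request re-validation in `resolve_fixed` is the part worth keeping even when every store is revoked correctly, because it also covers sessions issued by an app nobody remembered to include in the revocation list.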
I submitted the report thinking it would not be accepted, but I gave it a try and they accepted it, fixed it and paid $25. A few days ago I found the same issue on another of their domains and got another $25. So it is now “An Easy $50 bug”.