How i Hacked BASF Company !!

Hi

its Murtada Kamil a security researcher from Iraq

I would like to share with you my bug that I found in BASF through their bug bounty program

During my recent bug bounty hunt, I came across a critical and yet simple vulnerability.

First i search for subdomains of the company using Virustotal

there is a subdomain which get my attention

Image for post
Image for post

i click on this site to see what is there

and b000m

Image for post
Image for post

so i can access to the admin panel without any authentication and i am able to edit, remove and upload anything

The comapny fixed this bug by secured it by Mobile OTP OR RSA Token

Time Line:

30/3/2018 Report Sent

02/04/2018 Triaged

17/5/2018 Listed in hall of fame

10/10/2019 Report disclosure

Thanks for reading

Written by

Security Researcher | 19 years from iraq

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store