First of all this is my biggest hack I did in my life.The website I found few day ago while I am looking for bus ticket.After booking Bus ticket I thought let’s find something on there, I know that they don’t have Bug Bounty, This isn’t the matter, I started finding.Long story short let get into steps how I did all this.
I reported first bug which is Blind XSS they replied me
So, one of the admin logged into their admin panel and I got notification from XSSHunter , Again I sent mail to CTO with the DOM snippet where have user information like Name, Mobile Number
After this the CTO wanted to meet with me.
Before I set the meeting time i found another bug which is IDOR On a Sub domain using the vulnerability I can able to check any users wallet information, And my friend Aayush Pokhrel who help me to find out the Sub domain then I reported the IDOR issue to CTO.
Then I go forward and start finding further.So after checking source code I found that they are using Amazon AWS S3 and I visit to the URL which look like.
It’s showing CSS code, Then I thought 🤔 that let’s check it’s open or not, So I visit https://s3.ap-south-1.amazonaws.com/cdn-redacted/ and I found that it publicly open.
I fire up my Kali and Setup AWS with CLI and then I tired type command to know what’s in there.After 10 Minute my AWS account got suspend because my card expired , So I ask help from Aayush Pokhrel but he also don’t have AWS account and then Aayush talk with Smaran Chand who give me his access token and secret key I configured my AWS CLI, Then I got all of these bellow:
$ aws s3 ls s3://cdn-redacted
As you can see db_backups/
Which size is almost 430MB, I found almost 92K+ users information on the database backup.
This how I got all the information and I sync whole bucket ( Total Size: 35.6 GB ) into my PC for show to the CTO that they can understand the issue clearly.
What I Got From The Bucket
- Database Backup
- Affiliate Payment information with users phone number
- Top-up success information
- Lot’s of E-mail, sensitive information including.
- Call record between customer and customer care
Then I meet with the CTO and Co-Founder and I show all the stuff what I got, They really appreciate about my finding.
Then the company offered me job as Security Engineer, and I was really surprised.
Thanks for reading, If there any mistake in spelling pardon me.Find me on twitter @rudr4_sarkar