Bug Bounty 101 — Always Check The Source Code

Spazzy
Feb 23, 2019 · 1 min read

Never skip checking the source code! In a recent bounty program for a company I can’t disclose, I found a hilarious information disclosure that is a great example of why you should always check the source code.

This vulnerability sat inside an enrollment portal meant for people to redeem discounts that worked for affiliated companies. It required you to enter any email and the account phone number. The next step required some extra verification, one part being the last 4 of the SSN, which turned out not to have a request limit….oops? LOL

This vulnerability started out as a missing request limit and turned into an information disclosure. After I reported it to the company, I went back to check whether they had fixed it and happened to look at the source code of the next step. That’s when I found more that adds to the information disclosure! It included an HTML comment that I originally believed to contain only filler info…but no, it actually held information about the account. It contained the account number and the answer to one of the extra verification steps! Crazy, right? I couldn’t believe a company this large could have something so simple.

With this, someone with malicious intent would be able to complete the verification, knowing the customer’s last 4 of the SSN and the extra verification info whose answer sat in the source code.
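The kind of check a development team could run over its own rendered pages to catch a leak like this before release, as an added example that is not from the original post or the undisclosed portal; the sample page and the keyword patterns are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a rendered verification page (hypothetical; not the
# portal from the write-up). The second comment leaks data the way the post
# describes: an account number and the answer to a verification question.
SAMPLE_PAGE = """<html><body>
<!-- TODO: remove filler before launch -->
<form action="/verify" method="post">
  <!-- account: 4417 8833 2190 | security answer: Fluffy -->
  <label>Last 4 of SSN <input name="ssn4" maxlength="4"></label>
</form>
</body></html>"""


class CommentCollector(HTMLParser):
    """Collects every HTML comment in the document, in order."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


# Patterns a reviewer would flag inside a comment: long digit runs (account or
# phone numbers, with optional spaces/dashes) and key/value pairs keyed by
# words that smell like verification data. Constructed list; extend as needed.
SUSPICIOUS = [
    ("digit-run", re.compile(r"\b(?:\d[ -]?){8,}\d\b")),
    ("verification-kv", re.compile(
        r"\b(account|answer|ssn|pin|password|secret)\b\s*[:=]", re.I)),
]


def find_leaky_comments(html):
    """Return a list of (comment_text, [matched_pattern_names]) for every
    HTML comment that trips at least one pattern; clean comments are skipped."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for comment in parser.comments:
        reasons = [name for name, rx in SUSPICIOUS if rx.search(comment)]
        if reasons:
            hits.append((comment, reasons))
    return hits


if __name__ == "__main__":
    for comment, reasons in find_leaky_comments(SAMPLE_PAGE):
        print(f"{reasons}: <!-- {comment} -->")
```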

Simple but toxic, and it proves you should never skip looking at changes in the source code!
