Bug Bounty 101 — Always Check The Source Code
Never skip checking the source code! In a recent bounty program for a company I can't disclose, I found a hilarious information disclosure that is a great example of why you should always look at the source.
This vulnerability sat inside an enrollment portal meant for people to redeem discounts offered to affiliated companies. The first step asked for any email address plus the phone number on the account. The next step added some extra verification, one part being the last 4 digits of the SSN, which turned out to have no request limit at all. Four digits is only 10,000 possibilities, so with no throttling that check is brute-forceable in minutes....oops? LOL
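To make the "no request limit" point concrete, here is an added example (my own code, not anything from the portal or the original post) that models the last-4-of-SSN step two ways: once as found, with unlimited guesses, and once with an attempt counter and lockout. The account store, the phone number, the SSN digits and the 5-attempt policy are all constructed assumptions.

```python
"""Why an unthrottled last-4-of-SSN check is effectively no check at all.

Added illustration, not code from the original post. The account data,
the limit and the lockout policy below are assumptions for the demo.
"""
import hmac

# Constructed sample data: one account keyed by its phone number.
ACCOUNTS = {
    "5551234567": {"ssn_last4": "4821"},
}

MAX_ATTEMPTS = 5  # assumed policy: lock the step after 5 wrong guesses


class Verifier:
    """Models the 'last 4 of SSN' verification step.

    throttle=False reproduces the behaviour described in the post
    (unlimited guesses); throttle=True adds a per-account failure
    counter and locks the step once MAX_ATTEMPTS is reached.
    """

    def __init__(self, throttle: bool):
        self.throttle = throttle
        self.failed = {}      # phone -> number of wrong guesses so far
        self.locked = set()   # phones whose verification step is locked

    def check(self, phone: str, guess: str) -> bool:
        if phone not in ACCOUNTS or phone in self.locked:
            return False
        # Constant-time compare; the secret is short but the habit matters.
        ok = hmac.compare_digest(ACCOUNTS[phone]["ssn_last4"], guess)
        if not ok and self.throttle:
            n = self.failed.get(phone, 0) + 1
            self.failed[phone] = n
            if n >= MAX_ATTEMPTS:
                self.locked.add(phone)
        return ok


def brute_force(verifier: Verifier, phone: str):
    """Try every four-digit value 0000..9999 in order.

    Returns (matching_value_or_None, requests_sent).
    """
    for n in range(10_000):
        guess = f"{n:04d}"
        if verifier.check(phone, guess):
            return guess, n + 1
    return None, 10_000


if __name__ == "__main__":
    phone = "5551234567"
    print("no limit :", brute_force(Verifier(throttle=False), phone))
    print("5-attempt:", brute_force(Verifier(throttle=True), phone))
```

Against the unthrottled verifier the loop recovers the digits after a few thousand requests; against the throttled one it never does, because the step locks after the fifth wrong guess and the correct value is refused afterwards. A real fix would also alert on the lockout and back it with an IP/session limit, but the counter alone already turns a 10,000-guess search into a 5-guess one.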
This vulnerability started out as a missing request limit and turned into an information disclosure. I reported it to the company, and soon after, while checking whether they had fixed it, I happened to look at the source code of the next step. That's where I found more that adds to the disclosure: an HTML comment I had originally taken for filler text actually contained data about the account. It held the account number and the answer to one of the extra verification questions! Crazy, right? I couldn't believe a company this large could have something so simple.
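Reading every comment by hand is error-prone, so here is an added example of the check I actually run on each step of a flow like this: pull every HTML comment out of the response and flag the ones that look like they carry account data. This is my own code, not the portal's markup or anything from the original post; the sample page, its field names and the `acct=`/`secret_answer=` debug comment are constructed to mirror the finding described above.

```python
"""Extract HTML comments from a response body and flag sensitive ones.

Added example, not code from the original post. SAMPLE_HTML is a
constructed page imitating the finding: a comment that reads like
filler but carries the account number and a verification answer.
"""
import re
from html.parser import HTMLParser

# Constructed sample response; the field names are assumptions.
SAMPLE_HTML = """
<html><body>
<!-- step 2 of 3 -->
<form action="/enroll/verify" method="post">
  <label>Mother's maiden name</label>
  <input name="secret_answer">
  <!-- debug: acct=1002003004 secret_answer=Johnson -->
</form>
<!-- TODO: remove lorem ipsum placeholder -->
</body></html>
"""

# Keywords that, followed by '=' or ':', deserve a second look.
# Tune this list per target; it is a starting point, not a rule.
SENSITIVE = re.compile(
    r"(acct|account|ssn|answer|secret|token|password|api[_-]?key)\s*[=:]",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment it sees."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html: str):
    """Return all HTML comments in the document, in order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flag_sensitive(comments):
    """Keep only comments that mention a sensitive-looking key."""
    return [c for c in comments if SENSITIVE.search(c)]


def parse_kv(comment: str):
    """Turn 'debug: acct=1002003004 secret_answer=Johnson' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", comment))


if __name__ == "__main__":
    comments = extract_comments(SAMPLE_HTML)
    print(f"{len(comments)} comments found")
    for c in flag_sensitive(comments):
        print("FLAGGED:", c)
        print("  fields:", parse_kv(c))
```

Run it against each step of the flow, not just the first page: as the post shows, the interesting comment only appeared on a later step. In practice I feed it saved responses from a proxy history rather than live requests, so the scan stays within the program's scope and rate limits.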
With this, someone with malicious intent could complete the whole verification: brute-force the customer's last 4 of the SSN thanks to the missing request limit, and read the answer to the extra verification question straight out of the page source.
Simple but toxic. It proves you should never skip looking at the source code, and at how it changes from one step to the next!