How I Was Able to See All of Someone’s Private Files with a Single File Share Link through an Atom Feed, & Never Give Up #togetherwehitharder HackerOne


I had been waiting for some invites from HackerOne for many days; then, after a long wait, I decided to hunt on some external private programs and left HackerOne.

So I just went through Google and, using some dorks, found some programs, but I did not want to test them. Then I went to Twitter, searched for #bugbounty #bounty and got a few programs from there; one guy posted that he got some 💵$$$ for reporting a security issue.

So without wasting my time I went hunting on that site, but before I got started I crawled the whole website to see the functionality (how it works) and saw that the website has many clients and that most of its clients were on HackerOne, but two programs were strange to me. So I decided to go to their websites for hunting, found some vulnerabilities and contacted them by mail.

The next day I got a reply from them:

“Thanks for reporting the issue. Can you please submit the vulnerabilities through HackerOne, as we are running a private program there.”

Immediately I replied:

“Yes, I have a profile on HackerOne and here are my details for an invitation.”

After getting the invite I saw the thanks page: there were HackerOne Top #100 researchers on it, so I thought there was no more chance to find more vulnerabilities. And after spending some hours I did not get any more issues,

then I was thinking of giving up and moving on, but HackerOne’s #togetherwehitharder reminded me to hit harder 😉

So again I started hunting, and this time I used the website simply as its users would, and after some hours I came back to hunting.

I got 1 IDOR (me like: woot woot, happiness 😅 overloaded, went crazy 😍)

The next day the report was marked as “Informative”. Then I was like, hopeless 😫

Then I said, let’s look at the PoC image (request/response) 😉

In the response I got some juicy info, with URLs of images with the extension .atom 🤔

Quickly I opened those URLs, but all were Page Not Found.

Then I googled “what is atom for files”

I got one link: https://fileinfo.com/extension/atom

on which I found my answer, which helped me a little bit: “XML-based atom”

Again I googled “XML-based atom” and got https://validator.w3.org/feed/docs/atom.html

After reading the whole post I got to know what an Atom feed is.

What is Atom?

Atom is the name of an XML-based Web content and metadata syndication format, and an application-level protocol for publishing and editing Web resources belonging to periodically updated websites.

All Atom feeds must be well-formed XML documents, and are identified with the application/atom+xml media type.

Then suddenly I thought, let me open the file with the .atom extension.

Example: https://example.com/folder/image_token.atom

After opening the URL I was like

“wow, woot woot” 😂 😘

Information disclosed: content, media:content, media:thumbnail

You can get lots of information, such as file thumbnails, so files can be accessed without the password. Normally the metadata of a file cannot be seen if the image is password protected (it is hidden by default), but by adding the .atom extension to the image URL you can see all the juicy information.
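As an added example (this is not the author’s code, the vendor’s feed or an exploit from the report), here is how a tester or a defender could check what such a `.atom` variant of a share link discloses. The feed below is constructed; the element names content, media:content and media:thumbnail are the ones the post lists, while the Media RSS namespace URI, the sample URLs and the rule “append .atom to the path” are assumptions about how this particular site behaved.

```python
"""Parse an Atom feed with Media RSS elements and list what it leaks.

Illustrative code written for this write-up. The sample feed is constructed;
nothing here talks to a real server.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

ATOM_NS = "http://www.w3.org/2005/Atom"
MRSS_NS = "http://search.yahoo.com/mrss/"   # assumed: standard Media RSS namespace
NS = {"atom": ATOM_NS, "media": MRSS_NS}

# Constructed sample: the kind of response a share link + ".atom" might return.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:media="http://search.yahoo.com/mrss/">
  <title>Shared files</title>
  <entry>
    <id>urn:example:file:1</id>
    <title>passport-scan.jpg</title>
    <content type="text">Scan of passport, uploaded 2017-09-01</content>
    <media:content url="https://example.com/files/abc123/passport-scan.jpg"
                   type="image/jpeg"/>
    <media:thumbnail url="https://example.com/thumbs/abc123.jpg"
                     width="320" height="240"/>
  </entry>
  <entry>
    <id>urn:example:file:2</id>
    <title>notes.txt</title>
    <content type="text">Private notes</content>
  </entry>
</feed>
"""


def atom_variant(share_url):
    """Build the URL to test: same path with ".atom" appended, query kept.

    Assumed rule for this site; other apps may use a different suffix.
    """
    parts = urlsplit(share_url)
    path = parts.path.rstrip("/") + ".atom"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def extract_leaks(feed_xml):
    """Return one dict per <entry> with the fields the post names."""
    root = ET.fromstring(feed_xml)
    results = []
    for entry in root.findall("atom:entry", NS):
        results.append({
            "title": entry.findtext("atom:title", default="", namespaces=NS),
            "content": entry.findtext("atom:content", default="", namespaces=NS),
            "media_content": [e.get("url") for e in entry.findall("media:content", NS)],
            "thumbnails": [e.get("url") for e in entry.findall("media:thumbnail", NS)],
        })
    return results


def is_sensitive(content_type, feed_xml):
    """Triage check: the body is an Atom feed (application/atom+xml) and at
    least one entry exposes a file URL or a thumbnail URL."""
    if content_type.split(";")[0].strip().lower() != "application/atom+xml":
        return False
    return any(e["media_content"] or e["thumbnails"] for e in extract_leaks(feed_xml))


if __name__ == "__main__":
    print(atom_variant("https://example.com/folder/image_token"))
    for entry in extract_leaks(SAMPLE_FEED):
        print(entry)
    print("leaks:", is_sensitive("application/atom+xml; charset=utf-8", SAMPLE_FEED))
```

The caveat when using this: the check only proves a disclosure if the `.atom` URL answers for a file whose normal share link still asks for the password, so fetch both for the same token and compare. On the defending side, the feed endpoint and the thumbnail URLs it lists must go through the same password check as the file download itself.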

Immediately I reported the vulnerability to the program.

The next day I got a reply with a reward (bounty on triage).

Timeline

6th September 2017 Reported

7th September 2017 Got response from the team

7th September 2017 Triaged

7th September 2017 Rewarded bounty (cool bounty)

13th September Resolved

“We released the fix for this issue. You can confirm it if you please.”

13th September, but they had not fixed it, so I replied:

“What have you fixed? Please clarify, I am not getting you.”

13th September the team replied:

“FYI: We rolled back the fix for some release management reason. I’ll let you know when it is back.
EDIT: also I’ll try to explain the fix.”

14th September the team replied again and gave me some “more information” regarding the patch:

“We got the fix back again, so you can confirm it now. Maybe my bad English confused you. I’ll try in other words.”
(words of Frans Rosén from HackerOne: How to Win Over Security Teams and Gain Influence as a Hacker)

14th September Fixed

10th October Requested permission for a blog post

12th October Content for the blog post provided to the team

13th October Permission granted for the blog post

I would like to thank HackerOne, an awesome platform for hackers (white hat).

I would also like to thank Arbaz Hussain & Ak1T4

for https://medium.com/@arbazhussain/10-rules-of-bug-bounty-65082473ab8c, which reminded me: don’t give up easily, and give time to a program over many days.