When you Break the Ice — The Story of Another Bug
I recently published a post in which I told you how it took me 10 months to score a paid bug, even though I had had a lot of valid submissions up until then.
Well, once I scored that first paid bug, the valid paid submissions started to come more regularly. I’m going to tell the story of one of them here, without too much technical detail. There isn’t much to it anyway, as it was a relatively simple find.
February 10, 2020
After doing some Google-Fu for external bug bounty programs, I found a program that was relatively obscure, even though we’re talking about a big multinational company in the construction industry. They have multiple engineering software products, structural design frameworks, and a hell of a lot of APIs. They also have 10+ mobile applications.
Their vulnerability disclosure program has a wildcard (*) scope, so I would be able to do a lot of recon and would have a large attack surface to work with.
My rationale was that if I got bored with recon and web testing, I could easily switch to my passion, mobile penetration testing. After all, they have a lot of apps.
The initial steps of my recon methodology (which I will be teaching in my upcoming course Recon for Security Research) revealed a couple of hundred domains.
Narrowing the results down to active hosts only, I started looking for domains whose names looked interesting. Note that these were only one label below the main domain, i.e. subdomain.maindomain.com, not deeper subdomains.
There were a lot of APIs. So, I decided to look closely.
I found this domain: subdomain.domain.com/ws/Pa<xxx>/Api<xxxx>/index.html
I use ‘xxx’ for obfuscation.
Initially, I didn’t understand what I was looking at, but after a couple of hours of exploring I realized it was a custom-built API with a browsable interface that let you explore its endpoints. And that interface was revealing a lot of sensitive information that should not have been public.
I quickly drafted a report and submitted it.
March 20, 2020
I thought they would respond immediately, yet they didn’t. I kept looking for security flaws in their assets for a couple more days (still in Feb. 2020), then I moved on, assuming they would not respond.
And this is one key point I want to make. When I look for bug bounty programs outside of the platforms, a lack of responsiveness is one of the deal-breakers.
I also need to point out that even though I got no response to this submission for more than a month, I had submitted other minor bugs to the same program that were answered within days (Feb. 2020).
Anyway, I moved on to other programs.
Then March 20, 2020 came. Checking my inbox, I had a message along the lines of:
Hello,
I’m reaching out to you regarding your report.
Could you please confirm the fix?
IMPORTANT. Please send only your valid PayPal email, as due to fraud prevention…
I checked whether I could still access the API endpoint, confirmed the fix, and replied to their email.
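Confirming a fix is worth doing carefully rather than with a single reload, because an access control added to the reported page often leaves its siblings (the bare directory, a case or extension twin) still serving the same listing. The script below is an added example written for this post, not the author’s tooling or anything from the vendor: it re-tests the reported URL plus a few common variants, treats a 3xx/401/403/404 as evidence of a fix and a 2xx whose body still looks like an API listing as evidence that it is not, and rolls the verdicts up conservatively. The URL and the canned responses are constructed placeholders (the real path in the post is obfuscated), and the marker strings are an assumed heuristic you would replace with text from the original page.

```python
"""Re-test an exposed API index page to confirm a vendor's fix.

Added example, not the author's tooling. The URL is a constructed
placeholder (the real path in the post is obfuscated) and the fetcher is
injectable so the logic can be exercised offline against canned responses.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

FetchResult = Tuple[int, str]  # (HTTP status, first 64 KiB of body); status 0 = no response

# Strings that suggest a browsable API listing is still being served.
# Assumed heuristics: replace them with text you actually saw on the page.
LISTING_MARKERS = ("swagger", "openapi", "api explorer", "endpoints", "operations")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib surfaces the 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> FetchResult:
    """Plain GET, redirects not followed: a 302 to a login page is evidence of a fix."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (with _NoRedirect), 4xx, 5xx
        body = err.read(65536).decode("utf-8", "replace") if err.fp is not None else ""
        return err.code, body
    except (urllib.error.URLError, OSError):  # DNS failure, connection refused, timeout
        return 0, ""


def variants(url: str) -> List[str]:
    """Sibling paths a fix often misses: the bare directory and case/extension twins."""
    out = [url]
    if url.endswith("/index.html"):
        directory = url[: -len("index.html")]
        out += [directory, directory.rstrip("/"), directory + "index.htm", directory + "INDEX.HTML"]
    return out


def classify(status: int, body: str) -> str:
    """Map one response to a verdict: exposed, fixed, needs_review or inconclusive."""
    if status == 0 or status >= 500:
        return "inconclusive"  # no answer or server error: retry later, do not confirm
    if status in (301, 302, 303, 307, 308, 401, 403, 404, 410):
        return "fixed"  # gated, gone, or redirected (typically to a login page)
    if 200 <= status < 300:
        lowered = body.lower()
        return "exposed" if any(m in lowered for m in LISTING_MARKERS) else "needs_review"
    return "needs_review"


def verify_fix(url: str, fetcher: Callable[[str], FetchResult] = fetch) -> Dict[str, str]:
    """Fetch every variant of the reported URL and classify each response."""
    return {v: classify(*fetcher(v)) for v in variants(url)}


def summarize(verdicts: Dict[str, str]) -> str:
    """Conservative roll-up: one exposed variant means the fix is incomplete."""
    values = set(verdicts.values())
    if "exposed" in values:
        return "exposed"
    if "needs_review" in values:
        return "needs_review"
    return "fixed" if "fixed" in values else "inconclusive"


if __name__ == "__main__":
    # Constructed canned responses: the reported page is now 403, but the bare
    # directory still serves the listing, so the fix must not be confirmed.
    CANNED = {
        "https://api.example.com/ws/explorer/index.html": (403, "Forbidden"),
        "https://api.example.com/ws/explorer/": (200, "<h1>API Explorer</h1><ul>endpoints...</ul>"),
    }
    result = verify_fix("https://api.example.com/ws/explorer/index.html",
                        lambda u: CANNED.get(u, (0, "")))
    for variant, verdict in result.items():
        print(f"{verdict:12} {variant}")
    print("overall:", summarize(result))
```

Two caveats when running this for real: a 404 on every variant can also mean the whole service was moved rather than secured, so check the parent path too, and a WAF block page that returns 200 will land in needs_review, which is the right outcome because the script refuses to call anything fixed on a 2xx it cannot interpret.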
More days went by, and I forgot about the whole thing again.
May 25, 2020
Right as I was about to go to sleep, I got a PayPal notification email.
And to be honest, I really didn’t see that coming. However, since hindsight is 20/20, I can now see why such a big company can be very bureaucratic in getting things done.
They probably have multiple security teams across departments and business branches. And getting something fixed, especially when it’s a security risk, means double or triple checking that the fix doesn’t open the door to further security issues.
Yet this is not an excuse for poor responsiveness. Larger companies, e.g. Tesla, have shown near real-time responsiveness, whether the report concerns a security issue or anything else.
I think it all boils down to corporate structure, CEO vision, and the level of bureaucracy established.
Conclusion
This little incentive reignited my interest in their program, so I will be taking a couple of days to look into their mobile assets, as I need a break from a security research project I’ve been working on over the past couple of weeks. We’ll see where it goes.
Security blog: https://dgtsec.com
Twitter: https://twitter.com/cristivlad25