The Most Dangerous Bug I’ve Ever Found (And No One Was Looking)
Summary
Abhijeet Kumawat details his experience with a dangerous bug during a late-night bug bounty hunting session that no one else had noticed.
After reviewing programs that had already been exploited for easy rewards, Kumawat targeted a forgotten endpoint that had possibly been overlooked.
After discovering that the endpoint exposed all user data, he almost didn’t report it, thinking it was an error in the program’s logic, but decided to investigate further.
The vulnerability was a logic flaw, and escalating it allowed an attacker to gain admin privileges and perform any action as the application’s owner.
Kumawat recalled that the program’s developers treated the issue seriously, and after resolving it, they awarded him “$7,500 for this critical bug, which was quite rewarding indeed.”
He concludes that even the most innocuous and boring programs can have overlooked vulnerabilities, and one should always leverage access to dig deeper for more bugs.