There’s a program I’ve been working on for a while now. My goal for today was to finish hacking on this program, but things are not going as expected, in a good way. A new functionality has been added; unfortunately, this function requires a physical verification that is not available to me. I tried bypassing this the best way I know how, but they seem to have been prepared for that scenario. I keep finding information I’ve previously missed or overlooked, which means this asset still has a lot to offer me.
I had 3 informative (arguably) bugs on this asset. I realized that I can chain these bugs together to achieve an IDOR and an Improper Authentication vulnerability.
The IDOR vulnerability could’ve allowed me to lock the account owner out of their account. The Improper Authentication would’ve allowed me to gain unauthorized access to the account. Fortunately for the company, they had proper security measures in place, a best practice, which rendered both my exploits useless. I found out that, due to the best practices in place, these exploits won’t work. But I had a lot of fun hacking, and tomorrow I look forward to more fun.
Thank you for taking the time to read through my post. Take care.
For updates — Twitter: https://twitter.com/wallotry/
To send me private program invites — HackerOne: https://hackerone.com/wallotry