Bug Bounty Challenge: Day 5 - 14/03/2024

Wallotry
Mar 14, 2024

Welcome to Day 5

I’ve decided to extend this challenge to the 30th of March instead of the 23rd. It’s day 5, and I haven’t received a single bounty; therefore, extending it only makes sense, considering it has been really fun for me so far. Why stop now? :)

On Day 4, I mentioned a vulnerability I wanted to report. The vulnerability is a Broken Access Control that allows an attacker to communicate with company staff as another user. The program uses a third-party endpoint for this, and I figured I’d have to escalate this vulnerability or else it’ll get closed as an informative. I tried to get my second account deleted using this vulnerability, but the staff member told me to send an email confirming account deletion, and this renders the vulnerability useless in the context of bug bounty hunting. I believe a malicious hacker with social engineering skills can get through this obstacle easily, but that is out of scope; therefore, I’ve decided to move on from it and keep hunting for more vulnerabilities.

I spent hours doing recon — specifically directory brute forcing. When it was all done, I found nothing of value, but I came across an interesting page — “.DS_Store”

My excitement was short-lived because I found out that there was no sensitive information I could retrieve from this, and submitting “.DS_Store is exposed” is a golden ticket to getting your report closed as an informative. There’s simply no impact at all. I’ll keep hacking and trying my best. As they say, “Hard work always pays off” :)

Happy Hacking. See you tomorrow. ❤
