7 comments

[ 764 ms ] story [ 65.5 ms ] thread
Well done for getting them to pay up!

This looks a lot like the one I found a while back (after falling victim to it myself and spending a few weeks looking for it). Reported it through HackerOne and thanks to a shirty Twitter developer and his boss, got a permanent ban from HackerOne.

Needless to say, if I find anything else of this magnitude, I'll be keeping it to myself.

I'm sorry that happened to you. I've had mixed success with the large bug bounty sites. Some companies are clearly there as a fig-leaf, and others are unable to handle the large volume of reports they get. But I've found most to be good.
Yeah I've seen a few patterns with the worse companies...

  * "We've already fixed it" (we haven't but we don't want to pay up, and a fix mysteriously appears a month or three later)
  * "This is not eligible" (we don't actually care)
  * Silence
  * Legal threats ("send us your address so we can send you something for this", and a C&D turns up)
Can you elaborate on that experience?
I submitted a similar bug to the OP after someone bragged about reading my DMs (and sent a bunch of them to me as proof). Spent what must have been a month poking at the website and API, looking at various attack vectors. Eventually I boiled it down to a simple POC which ran perfectly on my account and a second account I created for the purpose. A friend volunteered, worked on their account too.

Did a full report including POC and quick summary. First line was something to the effect of "I'm not interested in the bug bounty, I just want to see this fixed. If a BB is awarded, I'd like to see it donated to charity." (I had a few in mind, mostly local LGBTQ+ support charities)

Response I got was "This isn't OWASP TOP10 fuck off". Literally just that (I'm looking at the emails).

Scanned the OWASP guidelines, found one it hit, replied. "Are you sure it's not covered by (x)? Seems like it would be to me. At the very least it's an exposure of private data."

Response: "I told you already to F off, noob."

I replied: "Can you please at least clarify why this isn't covered? I'd like to submit better reports in future."

No response, and I dropped it at that point. Two days later someone else in Twitter responds: "I'm the manager of Engineer'sName, the conduct in this report horrifies me. Expect to hear from us."

A bit later I got an email from HackerOne explaining I'd been banned, and that if I created another account I'd be hearing from their lawyers.

And that's how my first and last security vuln submission ended.

Just ran across this when browsing HackerOne for fun last night. Bravo, great job!
Why do many popular sites have bugs in Oauth? Isn't there a standard implementation or lib?