The users that have been going into the year-wise White hat thanks list has significantly reduced if you check... You can find me four times in that list. There has been a check if it's an unlikely / rare scenario, they just close the report and only say thanks for spending time.
Bug 1: Auth Bypass:
This is my first Auth Bypass and very excited to report and aiming a $ 20,000 as reward. A very interesting bug as Auth Bypass always ranks at the Top in the OWASP.
I captured a vulnerable HTTP Request from https://business.facebook.com. It can be replayed any number of times for at most 2 hours, after the Victim has changed his password.
The report is closed because of the time-out of the session. The attack has gone in vane.
Bug 2: Disclosing if a user had been a member of Facebook group in the Past or has an active invitation.
For this exploitation, the Attacker requires User ID and ID of target group. Since it's a tedious process to curate the group ID and checking the info against the User, the report not taken any further.
Bug 3: Replying to the Instagram notes after the Victim has removed the Attacker as a follower.
Because of the low risk and unlikely scenario, the Bug report is not taken any further.
Take aways for you guys:
Hunting for bugs costs your self-confidence, energy, time.
What do you say about learning ??? I don't think you learn anormous stuff because most of the attacks that you do differ from product to product and no change in the learning curve for the way of attacking (exploiting security flaws) products because not all products are build the same.
I think doing a creative job like painting or music production or any other stuff, then making money out of it is much better as it has 0 chances of putting down or upset you.
For people with no other option other than hunting bugs for a living or making extra bucks, then I've no comments, enjoy going through the roller-coster ride
Comments
Post a Comment