Sicksec

Summary

A security researcher earned a $1K bounty by discovering a significant data leak using the Waybackurls tool to find sensitive user data in a public bug bounty program's deprecated API, which was still accessible.

Abstract

In a detailed write-up, a security researcher shares their experience of uncovering a substantial vulnerability within a well-established bug bounty program on Hackerone. By leveraging the Waybackurls tool, the researcher identified a security flaw that exposed sensitive user data through a deprecated API. Despite the program's popularity and the likelihood of it being thoroughly scrutinized by other hackers, the researcher's unique approach led to the discovery of a leak that could be exploited via a simple POST request. The finding was promptly reported, and the issue was addressed within a few days, resulting in a reward of $1K for the researcher. The article emphasizes the importance of persistence and a unique approach in security research, suggesting that there are always new angles to explore, regardless of a program's maturity or the number of researchers involved.

Opinions

  • The researcher believes that every security researcher has a unique approach that can uncover vulnerabilities others may overlook.
  • The article suggests that even popular and well-known bug bounty programs can have undiscovered vulnerabilities.
  • The researcher implies that tools like Waybackurls can be invaluable for uncovering historical data that may lead to the discovery of security issues.
  • The prompt payment and quick response from the program's team to fix the vulnerability are seen as positive outcomes of the disclosure process.
  • The researcher encourages others to continue exploring and not to be discouraged by the presence of many knowledgeable hackers in a program.

How I Scored 1K Bounty Using Waybackurls

Approaching a target from all angles

Photo by Irvan Smith on Unsplash

Hello Security Researchers, Hackers,

In this write-up, I want to share with you a finding that I discovered in a public bug bounty program, which ended up paying me 1K using just a single command on the terminal.

I won’t be able to disclose the name of the program, since the leak was huge: they are still migrating everything from the previous algorithm they used to a new one, and the deprecated API is still reachable.

The program has existed on Hackerone for more than a decade, with big names on it. I was familiar with the services they offer since I was a user, so I started enumerating subdomains, where I noticed a weird link that might actually hold sensitive data, since they were passing everything in the URL path. My first approach was to check the Wayback URLs; TomNomNom has a very handy tool for this, which I used as follows:

waybackurls requests.redacted.com

I was surprised by the amount of URLs that belonged to users, complete with their tokens, and I thought: no way they’re still valid, right?!

Guess I was wrong. I went to the API page, and it looked like a simple POST request with the leaked link and some simple data via curl would do for the Proof of Concept, using something like this
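The root cause here is tokens travelling in URL paths and query strings, where every proxy, referrer, log and archive crawler keeps a copy. The following script is an added example, not the author's code or the program's, for the defender's side of this finding: feed it the one-URL-per-line output that waybackurls prints for your own domain and it flags URLs carrying credential-like values (a known sensitive parameter name, or a long high-entropy path or query segment), masks them, and reports which endpoints need their tokens rotated and moved out of the URL. The parameter list, the entropy threshold and the sample URLs are assumptions I constructed for the demonstration.

```python
"""Triage archived URLs for credential-like material (added example).

Input is a list of lines in the format waybackurls prints (one URL per
line). Output maps each flagged URL to the suspicious values it carries,
so a defender can find what their own domain has leaked into public
archives, rotate those tokens, and retire the endpoint that accepted them.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used for credentials. Hypothetical starter list;
# extend it with your own application's naming.
SENSITIVE_PARAMS = {"token", "access_token", "auth", "api_key", "apikey",
                    "key", "session", "sessionid", "password", "secret"}

_MIN_SECRET_LEN = 16      # shorter strings are rarely tokens
_MIN_ENTROPY_BITS = 3.0   # assumed threshold; random hex/base64 scores ~3.5-5


def shannon_entropy(s: str) -> float:
    """Bits per character of s; words score low, random tokens score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    """True for long, unspaced, high-entropy strings (hex, base64, JWT parts)."""
    if len(value) < _MIN_SECRET_LEN:
        return False
    if not re.fullmatch(r"[A-Za-z0-9_\-.=]+", value):
        return False
    return shannon_entropy(value) >= _MIN_ENTROPY_BITS


def find_leaks(url: str) -> list[tuple[str, str]]:
    """Return (location, value) pairs for suspicious material in one URL."""
    parts = urlsplit(url.strip())
    hits: list[tuple[str, str]] = []
    # Query parameters: flag by name or by the shape of the value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or looks_like_secret(value):
            hits.append((f"query:{name}", value))
    # Path segments: only the shape of the value can tell us anything.
    for segment in parts.path.split("/"):
        if looks_like_secret(segment):
            hits.append(("path", segment))
    return hits


def triage(lines: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each URL that carries suspicious material to its findings."""
    report: dict[str, list[tuple[str, str]]] = {}
    for line in lines:
        hits = find_leaks(line)
        if hits:
            report[line.strip()] = hits
    return report


def mask(value: str) -> str:
    """Keep only the edges so the report itself does not re-leak the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


# Constructed sample input, not real archive output.
SAMPLE = [
    "https://requests.example.test/api/v1/status",
    "https://requests.example.test/api/v1/user?token=a3f9c2e1b7d4f6a8c0e2d4b6f8a1c3e5",
    "https://requests.example.test/reset/9f8e7d6c5b4a39281716f5e4d3c2b1a0/confirm",
    "https://requests.example.test/help?page=2&lang=en",
]

if __name__ == "__main__":
    for url, found in triage(SAMPLE).items():
        print(url)
        for where, value in found:
            print(f"  {where}: {mask(value)}")
```

Run it as `waybackurls yourdomain.example | python3 triage.py` after swapping `SAMPLE` for `sys.stdin`; every flagged endpoint is one whose tokens should be invalidated server-side, and the fix that removes the whole class is to carry credentials in an Authorization header or request body rather than in the URL.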

I tested it in my own environment and sent the report right away. It got paid within a few days, and the team started on the fix.

Takeaways

Never say “this program has a lot of known hackers, I won’t find a thing.” Everyone has their own unique approach to a target, and you may see something that others didn’t.
