Tuesday, June 25, 2013

Bug Bounty - Is it similar? NO!

I'm going to share another case where I attempt from bug bounty program.
The issue I found initially was from Paypal Bug Bounty Program. And few weeks ago, I found a similar issue in Google's service. So did I rewarded from both of them? Lets check it out.

The issue I found is Sensitive Information Leakage. Where user's personal email used for registration for that application exposed to the attacker with a simple method.

In Paypal Bug Bounty Program, the URL affected was

As we can see from above screenshot, there's a form for us to "Retrieve Password" a.k.a Forgot Password.

If we submit a non-exist user, the application will throw a message "No User Found" 

So? what's the issue actually? its normal aint it?!

Nothing's wrong?! Hah! Look on image below then!

Got it? Yeah! If we put a valid username on that form,the message will show user's personal email. As shown above, I test for username administrator and I can see his/her personal email used for this application. This might be used for some Social Engineering attack.

For this issue, Paypal rewarded me $100. 

So how about the case with Google Bug Bounty? Did they reward me as well?
Yeah,Google did not accept that issue as a risk. I'm not going to deny their judgement. Its up to their company. Each company do have their own severity level identification.
Below is the screenshot I sent to Google team.

I think that's all guys. Till next time with another sharing from me :)


some of you might noticed that this post disappear with sudden previously. This is due to another reply I got from Google;

Yes, Google also take this issue as a threat/bug as well. So I need to draft the post until the issue fixed. Just checked just now and seems the issue was resolved.