🔥H4ck1ng the Same App for a Month -> $$$$
Critical IDOR & PrivEscs.
Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, mi amigo <3.
So, let’s get to it. Today’s story is about some good bugs I found last month while hacking the same app. Let’s call it msg-app.com—a cloud-based communication platform with APIs/SDKs for real-time chat, voice, and video in apps.
My main target was dashboard.msg-app.com. The usual dashboard for controlling user roles, permissions, and tons of other juicy settings perfect for manual testing.
#0 New Target? Let's Hack It - 20 Feb
First 3-5 days on a new app? I just learn everything about it:
Read the docs - see what the app does
Watch videos - understand why people use it
Check forums - find real user problems (easy bug ideas!)
Use the app - with Burp running in background
Start anywhere - no strict plan, just explore
Okay, let's find some bugs!
#1 PrivEsc - P4 ($$$) - 24 Feb
I focused on the channels feature, specifically the report function. Owners can add custom report types for users to flag messages. The free plan has limits:
6 custom types + 4 system types
Or 10 custom types + 0 system types
I added 10 custom types, then sent a request to enable the system types. The backend didn’t enforce the limit, so it worked. Free plan users got extra report types they shouldn’t have.
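The fix for a bug like this is to enforce the plan quota in one server-side rule that every write path (adding a custom type, enabling the system types) has to pass. The code below is an added example, not the write-up's or msg-app.com's code: the plan name, the "10 types in total, system types count towards it" quota model and the four built-in types are assumptions modelled on the "6 custom + 4 system or 10 custom + 0 system" rule above.

```python
# Added example, not the write-up's or msg-app.com's code: a server-side quota
# check for custom/system report types so the limit is enforced on every
# mutation path (the post's bug was that only the UI enforced it).
# Plan name, the limit model and the number of system types are assumptions.
from dataclasses import dataclass, field

SYSTEM_TYPE_COUNT = 4  # built-in report types, enabled all-or-nothing (assumption)

# Free plan: at most 10 types in total, and system types count towards that total.
PLAN_MAX_TOTAL = {"free": 10}  # assumed plan table


@dataclass
class ReportConfig:
    plan: str
    custom_types: list = field(default_factory=list)
    system_enabled: bool = False


def within_quota(cfg, custom_count, system_enabled):
    """Single quota rule used by every write path."""
    system_count = SYSTEM_TYPE_COUNT if system_enabled else 0
    return custom_count + system_count <= PLAN_MAX_TOTAL[cfg.plan]


def add_custom_type(cfg, name):
    if name in cfg.custom_types:
        return 409, "already exists"
    if not within_quota(cfg, len(cfg.custom_types) + 1, cfg.system_enabled):
        return 402, "plan limit reached"
    cfg.custom_types.append(name)
    return 200, "ok"


def enable_system_types_vulnerable(cfg):
    # What the post describes: the flag is flipped with no quota check,
    # so 10 custom + 4 system types end up active on a free plan.
    cfg.system_enabled = True
    return 200, "ok"


def enable_system_types(cfg):
    # Hardened: the same rule the UI shows is re-checked server-side.
    if not within_quota(cfg, len(cfg.custom_types), True):
        return 402, "plan limit reached"
    cfg.system_enabled = True
    return 200, "ok"


def active_type_count(cfg):
    return len(cfg.custom_types) + (SYSTEM_TYPE_COUNT if cfg.system_enabled else 0)


def demo():
    cfg = ReportConfig(plan="free", custom_types=[f"custom-{i}" for i in range(10)])
    vuln = ReportConfig(plan="free", custom_types=list(cfg.custom_types))
    enable_system_types_vulnerable(vuln)      # 200, 14 types active
    status, _ = enable_system_types(cfg)      # 402, still 10 types
    return active_type_count(vuln), status, active_type_count(cfg)


if __name__ == "__main__":
    print(demo())  # (14, 402, 10)
```

The point of routing both writes through `within_quota` is that the limit is computed from the stored state, not from whatever the client last saw in the UI, so filling up on custom types first and then toggling the system types gets the same answer as doing it in the other order.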


#2 PrivEsc - P3 - $$$ - 3 Mar
The same report function had another PrivEsc flaw. Not all users should be able to report messages, right?
Steps:
Created a custom role with only view + chat permissions in channels
This role couldn’t report messages (as intended)
Sent API requests to report messages/users/channels → 200 OK

Thought I’d get 3 bounties, one for each report, but they got me xD. Turns out it was one root cause, not separate bugs.
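"One root cause" is exactly what the fix looks like on the server side: a single permission gate that all three report endpoints sit behind, so a role that only holds view + chat gets 403 on every one of them. The code below is an added example, not the write-up's or msg-app.com's code; the permission strings, role names and handler signatures are assumptions.

```python
# Added example, not the write-up's or msg-app.com's code: one permission gate
# shared by all three report endpoints, so a custom role limited to view + chat
# gets 403 instead of the 200 OK the post describes. Permission and role names
# are assumptions.
from dataclasses import dataclass
from enum import Enum
from functools import wraps


class Perm(str, Enum):
    VIEW = "channel:view"
    CHAT = "channel:chat"
    REPORT = "channel:report"


@dataclass(frozen=True)
class Role:
    name: str
    perms: frozenset


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role


class Forbidden(Exception):
    pass


def requires(perm):
    """Decorator: deny the call unless the acting user's role holds `perm`."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if perm not in user.role.perms:
                raise Forbidden(f"{user.user_id} lacks {perm.value}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


# All three report endpoints hang off the same permission, which is why the
# post's three findings were triaged as one root cause.
@requires(Perm.REPORT)
def report_message(user, message_id, reason):
    return {"reported": "message", "id": message_id, "by": user.user_id}


@requires(Perm.REPORT)
def report_user(user, target_id, reason):
    return {"reported": "user", "id": target_id, "by": user.user_id}


@requires(Perm.REPORT)
def report_channel(user, channel_id, reason):
    return {"reported": "channel", "id": channel_id, "by": user.user_id}


def call(handler, user, *args):
    """Map the authorization result to an HTTP status, as an API layer would."""
    try:
        handler(user, *args)
        return 200
    except Forbidden:
        return 403


VIEW_CHAT_ONLY = Role("view-chat", frozenset({Perm.VIEW, Perm.CHAT}))  # the post's custom role
MODERATOR = Role("moderator", frozenset({Perm.VIEW, Perm.CHAT, Perm.REPORT}))


def demo():
    limited = User("u-limited", VIEW_CHAT_ONLY)
    mod = User("u-mod", MODERATOR)
    handlers = (report_message, report_user, report_channel)
    return (
        [call(h, limited, "x-1", "spam") for h in handlers],
        [call(h, mod, "x-1", "spam") for h in handlers],
    )


if __name__ == "__main__":
    print(demo())  # ([403, 403, 403], [200, 200, 200])
```

Because the check lives in the decorator rather than in each handler, a new report endpoint added later inherits the same rule, and a test that a view + chat role is denied on every `@requires(Perm.REPORT)` handler catches the regression in one place.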

#3 IDOR - P1 - $$$$ - 14 Mar
Time to play with the docs! After reading a lot of them, I found a hidden premium feature - message translation. It wasn't in the UI since it's paid-only.
First thought: "If I use this as a free user, maybe P4/P3 at best." But surprise - it was way worse!
The Bug:
The request took a message ID, translated it, and leaked:
The message
Sender PII
Tested for IDOR... and it worked perfectly.
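Two checks were missing on that translation request: an entitlement check (the feature is paid-only) and an object-level check that the caller is actually allowed to read the message behind the ID. The code below is an added example, not the write-up's or msg-app.com's code; the tenant/channel data model, plan names, sample messages and the `translate()` stand-in are all constructed for the example.

```python
# Added example, not the write-up's or msg-app.com's code: the message-translation
# endpoint with the two checks the post shows were missing, a plan entitlement
# check (translation is paid-only) and an object-level check that the caller may
# read the message at all. Data model, plan names and the translate() stand-in
# are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    message_id: str
    app_id: str        # tenant that owns the channel
    channel_id: str
    sender_id: str
    sender_email: str  # the sender PII the post says leaked
    text: str


@dataclass(frozen=True)
class Caller:
    user_id: str
    app_id: str
    channels: frozenset  # channels this user is a member of


# Constructed sample data: two tenants, each with one message.
APP_PLAN = {"app-free": "free", "app-paid": "enterprise"}
TRANSLATION_PLANS = {"enterprise"}
MESSAGES = {
    "m-1": Message("m-1", "app-free", "ch-a", "u-1", "alice@example.com", "hola"),
    "m-2": Message("m-2", "app-paid", "ch-b", "u-2", "bob@example.com", "bonjour"),
}


def translate(text, lang):
    # Stand-in for the real translation backend.
    return f"[{lang}] {text}"


def translate_vulnerable(caller, message_id, lang):
    # What the post describes: any message ID is looked up and returned in full.
    msg = MESSAGES.get(message_id)
    if msg is None:
        return 404, None
    return 200, {"translation": translate(msg.text, lang),
                 "sender": msg.sender_id, "sender_email": msg.sender_email}


def translate_message(caller, message_id, lang):
    # Entitlement: the caller's tenant must be on a plan that includes translation.
    if APP_PLAN.get(caller.app_id) not in TRANSLATION_PLANS:
        return 402, None
    msg = MESSAGES.get(message_id)
    # Object-level authorization: the message must belong to the caller's tenant
    # and to a channel the caller is in. Unauthorized and missing both return 404
    # so the endpoint does not confirm which IDs exist.
    if msg is None or msg.app_id != caller.app_id or msg.channel_id not in caller.channels:
        return 404, None
    # Return only what the feature needs; the sender's e-mail plays no part in translating.
    return 200, {"translation": translate(msg.text, lang), "sender": msg.sender_id}


def demo():
    free_user = Caller("u-9", "app-free", frozenset({"ch-a"}))
    paid_user = Caller("u-2", "app-paid", frozenset({"ch-b"}))
    return (
        translate_vulnerable(free_user, "m-2", "en")[0],   # 200: cross-tenant read
        translate_message(free_user, "m-2", "en")[0],      # 402: not entitled
        translate_message(paid_user, "m-1", "en")[0],      # 404: other tenant's message
        translate_message(paid_user, "m-2", "en")[0],      # 200
    )


if __name__ == "__main__":
    print(demo())  # (200, 402, 404, 200)
```

The lookup in the hardened handler is scoped by the caller's tenant and channel membership, so guessing or incrementing message IDs returns 404 for anything outside the caller's own channels. Trimming the response to the fields the feature needs also limits what a future authorization slip could leak.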

Bugcrowd Drama (I hope this happens so much xD):
Me: Reported as P3 (based on Bugcrowd VRT)
Triager: Upgraded to P2
Customer: "Nah, this is P1" xD

Sure, I got a lot of duplicates, infos, and N/As—but that’s bug bounty, you know xD
That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking <3