Security & Code Blog

Security and code discussion, with dissections of recent vulnerabilities discovered as part of vendor bug bounty programmes. Don't forget to participate with comments and feedback!

How I got access to millions of [redacted] accounts


I'd like to start by saying that the company involved has my full respect for handling security in a mature manner and actively seeking researchers to take a deep look at their products. It's important to note that during testing I did not access personal data or files belonging to users other than my own.

Onto the chase.

It was a cool, dark night. The world was still, the bounties were calling. One in particular caught my eye. It had been running for nearly two weeks so I wasn't expecting to find many new bugs, but sometimes you get lucky. It was a time-limited affair, and with 24 hours left on the clock I decided to try my luck. At first I didn't find much - the odd information leak, header injection, an XSS, nothing that hadn't been reported half a dozen times. But then...

RSS Feed

Showing posts from Tuesday, 9th February 2016.