The P2 Bug You Could Miss Without Reading the Documentation
Hi everyone,
Many new bug hunters often ask how I uncover impactful bugs that lead to solid payouts without being duped. Here’s a recent experience where focusing on the documentation and the “No’s” helped me discover a significant P2 vulnerability in a platform.
This wasn’t just any bug—it involved a misconfiguration in integration between the platform and a third-party service (it can be Discord, Slack, Telegram, etc.), exposing users to unauthorized actions despite safeguards in place. Given the platform’s focus on sensitive user data and privacy, the finding was categorized as P2 due to its potential to harm user trust, compromise sensitive information, and enable unauthorized actions.
Let’s dive into the details.
The Scenario
I was testing a complex web application (let’s call it redacted.com
The similar feature you will find on crypto-based programs) designed for managing accounts and sharing documents. The platform had robust-looking APIs, and initial tests didn't yield any glaring issues. However, in environments where user privacy and sensitive actions are critical, even small oversights can lead to significant consequences.
This is why I shifted my focus to documentation, looking for promised safeguards and critical functionalities — especially those explaining what should not be possible.
The Finding
The platform allowed users to integrate their accounts with a third-party service for extended functionality. Users could manage their redacted.com
accounts via commands sent to this service, such as:
/redacted info
/redacted sharedocs
/redacted help
The documentation explicitly stated that disconnecting the third-party service from the platform would immediately revoke access to these commands, ensuring no actions could be performed once the accounts were unlinked.
This was a critical safeguard to prevent unauthorized activity.
Testing the Edge Case
I decided to test whether the system truly enforced this restriction:
- I connected my account to the third-party service and verified that the commands worked as expected.
- Next, I disconnected the service via the platform’s settings.
- Finally, I tried executing the same commands through the service after the disconnection.
The result?
To my surprise, the commands still worked. Despite the platform claiming the account was disconnected, I could still perform sensitive actions, such as accessing user data and executing tasks on the redacted.com
account via the third-party service.
Why This Was Considered P2
For most companies, this might have been categorized as a P4 issue. However, the nature of the platform and the potential impact elevated its severity. Even simple bugs can result in substantial bounties when you demonstrate their full impact.
In this case, the customer team was highly knowledgeable and understood that this vulnerability could lead to critical actions, such as unauthorized account management or data breaches. What also helped was the way I presented the report — thorough and detailed.
To be honest, the effort I put into writing the report played a big role in securing the P2 bounty. I made sure to explain the vulnerability’s impact, the specific scenario in which it could be exploited, and why it mattered to the platform and its users. A well-written, long, and clear report can make all the difference in communicating the value of your findings!
The Outcome
The client acknowledged the severity of the issue and promptly paid out a substantial bounty. This finding reinforced the importance of rigorous testing, especially in areas where users expect absolute security.
Key Takeaways
- Read the Documentation Thoroughly: Developers often outline safeguards and assumptions in the docs. Test these assumptions to uncover vulnerabilities.
- Focus on Promised Security Features: Pay special attention to what the app guarantees will not happen. Testing these guarantees often leads to impactful findings.
- Consider the Context of the Target: For platforms handling sensitive user data, even minor oversights can have significant implications, increasing the severity of your findings.
This experience highlights how focusing on the basics — like reading the documentation — can lead to significant discoveries. Remember, sometimes the most impactful bugs are hiding in plain sight.
Happy hunting!