Hello Hackers, Ram Ram Bhyi Sarya Ne
Hope you’re doing great. This is V3D, and I’m sharing a quick write-up with my friend Gaurav Gajre on one of our recent findings, an “Unauthorised Access Leading to Support Admin Panel Takeover.”
Note: This was on a private Bug Bounty Program, so I can’t reveal the actual program name. Let’s just call it REDACTED.COM.
Without any further ado… let’s buckle up.
Initial Discovery
While hunting on target.com, we stumbled upon REDACTED.COM. At first, we assumed it was a subsidiary or asset of target.com. To be sure, we reached out to their security team. They confirmed it wasn’t part of their scope but advised us to report the issue, saying they’d pass it along to the right team.
We then received a response from the parent company of REDACTED.COM:
“Regarding your request related to bug bounty on https://www.redacted.com, please read the policies on https://parentcompany.com/security-policies/ and submit the report to us ([email protected]) to be eligible under the company’s bug bounty program. We’ll assess the report and get back to you accordingly.”
After reviewing their bounty policy, we began testing REDACTED.COM.
Registration Flow
The platform’s registration was based on a mobile number. While analyzing the signup request, we noticed two interesting parameters:
_token=ALPHANUMERIC-VALUE&userType=0&Mobile=9999999999&h_otp=1&otp=877430&Name=asdfg&Email=v3d%40wearehackerone.com&PinCode=111111&DateOfBirth=01%2F01%2F2000&referralCode=&termCondition=2&UtmTerm=&UtmMedium=&UtmCampaign=&proengsoft_jsvalidation=&_jsvalidation=termCondition&_jsvalidation_validate_all=false
The two key parameters were:
1. userType=0
2. jsvalidation_validate_all=false
We tampered with the request:
Changed userType=0 → userType=1
Changed jsvalidation_validate_all=false → jsvalidation_validate_all=true
Upon forwarding this modified request, we received a 200 OK response. Shortly after, another similar request appeared with the parameter jsvalidation_validate_all=. Again, we set userType=1 and forwarded it. This time, the response was 302 Found, redirecting us to:
https://www.redacted.com/partner-dashboard
Here’s something important: during our initial reproduction attempts, we missed the second request modification and couldn’t recreate the privileged account. We tried multiple times and failed until we carefully revisited the flow. Lesson learned — always check every request in the chain.
Accessing the Dashboard
Once logged in, the system asked for KYC documents. We uploaded dummy documents and proceeded. At first, the dashboard looked similar to a regular user account, but while exploring the options, we stumbled upon the support ticketing system.
And that’s where things got interesting.
Upon clicking My Tickets, we suddenly had access to 73,000+ support tickets 🤯, including customer queries, PII, attached documents, and even the ability to reply on behalf of support staff.
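The root cause described above is a registration handler that trusts a client-supplied role field, compounded by a ticket view that authorises on that role instead of on support-staff membership. The following is an added illustration written for this write-up, not code from the program; the field names are modelled on the signup request shown earlier, and the meaning of userType values, the isSupportStaff flag and the ticket shape are assumptions.

```python
from urllib.parse import parse_qs

# Constructed request body modelled on the write-up's signup request, with
# userType and the validation flag already tampered. Values are placeholders.
TAMPERED_BODY = (
    "_token=TOKEN&userType=1&Mobile=9999999999&h_otp=1&otp=877430&Name=asdfg"
    "&Email=v3d%40wearehackerone.com&PinCode=111111&DateOfBirth=01%2F01%2F2000"
    "&termCondition=2&_jsvalidation_validate_all=true"
)

USER, PARTNER = 0, 1  # assumed meaning of the userType values

def register_vulnerable(body: str) -> dict:
    """Mass-assigns submitted fields, so the client chooses its own role."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {"userType": int(fields.get("userType", USER)),
            "Mobile": fields["Mobile"], "Name": fields["Name"]}

# Only profile data may come from the form; role and validation flags are not.
ALLOWED_SIGNUP_FIELDS = {"Mobile", "Name", "Email", "PinCode", "DateOfBirth"}

def register_hardened(body: str) -> dict:
    """Copies allow-listed fields only and assigns the role server-side."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    account = {k: fields[k] for k in ALLOWED_SIGNUP_FIELDS if k in fields}
    account["userType"] = USER  # partner status is granted by staff, never at signup
    return account

def list_tickets_vulnerable(account: dict, tickets: list) -> list:
    """Grants the full ticket queue to any account carrying the partner role."""
    if account["userType"] == PARTNER:
        return tickets
    return [t for t in tickets if t["owner"] == account["Mobile"]]

def list_tickets(account: dict, tickets: list) -> list:
    """Authorises on an explicit support-staff flag; everyone else sees own tickets."""
    if account.get("isSupportStaff"):
        return tickets
    return [t for t in tickets if t["owner"] == account["Mobile"]]

if __name__ == "__main__":
    sample = [{"id": 1, "owner": "9999999999"}, {"id": 2, "owner": "8888888888"}]
    print(register_vulnerable(TAMPERED_BODY))            # role taken from the client
    print(register_hardened(TAMPERED_BODY))              # role forced to USER
    print(list_tickets(register_hardened(TAMPERED_BODY), sample))  # own ticket only
```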
Reporting
It was around 4 A.M. when we found this. We immediately prepared a report and submitted it to the security team. By 10 A.M., we had sent them a full PoC with detailed reproduction steps.
The team responded quickly, fixed the issue within an hour, and asked us to retest. We confirmed the fix.
Bounty Twist
Afterwards, they said they’d get back with the bounty amount. Two days later, I asked for an update, and instead of telling me the reward, they directly requested my bank details. I asked them to first disclose the amount, but they ignored my request.
When I followed up again, they repeated the same thing. Something felt off.
Finally, I received the bounty mail:
But here’s the twist: their policy clearly stated $3000–$5000 for Critical. When I confronted them, they claimed the old policy had been updated, and the new range was $500–$2000.
On checking, we realised they had backdated their updated policy (dated 10th Jan), while we reported the bug on 12th Jan when the old payout range was still live.
Despite multiple arguments over email and calls, they stood firm on $1000. In the end, we accepted it, though it was disappointing.
Hope you find this write-up helpful.
Hope you learned something new. If you like the write-up, give it a clap and follow me on X (Twitter) and LinkedIn.