I picked up a cryptocurrency platform subdomain, xyz.REDACTED.net.
Before starting, I already believed their security measures would be stringent, but little did I know that nothing is actually secure until it has been tested.
So I observed how the platform worked, looked beyond the fancy frontend, and tried to sign up with [email protected].
Boom!!! I saw on my screen that a mail had been sent.
Good. Now time to hunt properly.
I set up everything that was needed and registered.
I was looking around, tried web cache deception, and by watching the network tab found an endpoint whose response was being served from cache (HIT).
Wooow.
I was so happy and had to try it in incognito to see if the cached copy would actually return my info, but oh no, I got "session expired."
I documented it to try cache poisoning later, but moved on to see what else I could do.
Then I noticed a tab to create a contact and here was my catch.
I created a contact as User A and noted its contact ID.
I logged out from User A and logged in as User B.
I created a contact as User B, but this time swapped User A's contact ID into User B's request.
Oh wowowooooooo!!!
I saw User A’s contact.
Tried User B’s again and saw User B’s contact.
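The flaw described above is a classic insecure direct object reference: the server trusts the contact ID in the request and never checks who owns the record. The following is an added example, not the author's code or the platform's, with constructed users, contact IDs and a hypothetical in-memory store, showing the vulnerable lookup beside the ownership-checked version a fix would add.

```python
# Added illustration (not the write-up's or the platform's code): a minimal contact
# store with a lookup that only keys on contact_id (the broken access control the
# write-up describes) and one that authorizes against the server-side owner field.
# All users, contacts and IDs below are constructed for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Contact:
    contact_id: int
    owner: str      # set by the server at creation time from the session, never from the client
    name: str
    wallet: str


# Constructed sample data: one contact per user, mirroring the write-up's User A / User B.
CONTACTS = {
    101: Contact(101, "user_a", "Alice's exchange contact", "addr-A-xxxx"),
    102: Contact(102, "user_b", "Bob's exchange contact", "addr-B-yyyy"),
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to see the requested contact."""


def get_contact_vulnerable(session_user: str, contact_id: int) -> Optional[Contact]:
    """Vulnerable: looks up by ID only. session_user is accepted but never compared
    with contact.owner, so any authenticated user who submits another user's
    contact_id receives that user's record. This reproduces the reported behaviour."""
    return CONTACTS.get(contact_id)


def get_contact_fixed(session_user: str, contact_id: int) -> Contact:
    """Fixed: authorize on the server-side owner field of the stored record.
    'Missing' and 'not yours' get the same response so IDs cannot be enumerated."""
    contact = CONTACTS.get(contact_id)
    if contact is None or contact.owner != session_user:
        raise Forbidden("contact not found")
    return contact


def demo() -> dict:
    """Returns what each handler gives User B when the request carries User A's contact ID,
    plus confirmation that the fixed handler still returns User B's own contact."""
    leaked = get_contact_vulnerable("user_b", 101)
    try:
        get_contact_fixed("user_b", 101)
        blocked = False
    except Forbidden:
        blocked = True
    own = get_contact_fixed("user_b", 102)
    return {
        "vulnerable_leaks_owner": leaked.owner if leaked else None,
        "fixed_blocks_cross_user": blocked,
        "fixed_returns_own": own.contact_id,
    }


if __name__ == "__main__":
    print(demo())
```

In a real backend the same rule lands in the query itself (`WHERE id = ? AND owner_id = ?`, with `owner_id` taken from the session), and the regression test to keep is exactly the swap in the write-up: log in as B, request A's ID, expect a not-found response.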
I reported immediately but got a duplicate.
The triager said the fix is still pending in the pipeline, and the first researcher’s report has already been closed and awarded.
I was happy to have found a broken access control flaw, but the way it was communicated made me stop hunting on the platform.
Bug bounty hunting is becoming frustrating.
Most triagers get you pissed, but then, the skills will never leave you.
Until you land the big win one day, keep hunting.
Feel free to connect with me on LinkedIn or X:
https://www.linkedin.com/in/umanhonlen/
Thank you!