In case you have any questions, or just wanna do some research with me, hit me up at @deadoverflow
I decided to make a YouTube channel that teaches you how to actually find bugs, you can find the first episode here: https://youtu.be/fGMxekgqpm4

This is an old story, happened to me a while ago, probably around 2 or 3 months but it is a crazy one for sure!

I was doing security research on a music streaming based website, I won’t disclose a name for privacy reasons even though the issue has been fixed. I was looking into the forgot password functionality, I was just trying to maybe inject a custom host header in the password reset request to see if that would work but no, it didn’t work. I was still trying to mess around the password reset functionality for example how password reset was handled but still this website seem to be doing everything the correct way. I had to change plans and maybe look somewhere else to find a bug but right as I thought that to myself, I opened the response of the password reset request. In there, this is what I saw:

There, in the response, was an object called validationSession and it looked very interesting to me. I didn’t notice anything at first but when I saw my password reset link that I received on my mail, things started to click in my head.

This was the email I received from this request and then I noticed it. There in the response for password reset was a sessionId which was the code needed to reset the password. Now I could just send someone else’s email address, check the response of the reset request, take the sessionId, reset the password for that user and login to this website without any issues whatsoever. So on 14 Sep 2023 12:19:33 I reported this issue. Note that I started my research exactly at 11:50 or something like that. So yeah it took me like 10 minutes to find this bug. So after I reported the vulnerability to bugcrowd, I got a response:

After this I was very nervous but relieved because I knew that the issue I found and reported is not a duplicate. And 6 days after I got the initial response, the team rewarded me with $2500.

This was really an easy bug to find and as I said it only took me 10 minutes to realize that there is something off about this password reset functionality. Again, as I said in the previous write-ups, even websites that seem “all secure and safe” can still screw up with something so basic. So you should always pay attention to smaller things no matter how much the website is popular. I always have this thing in me which says “well they aren’t that stupid, they probably have thought of that”. Well, as it turns out, people can make mistakes, and will make mistakes. That is why I am $2500 richer B).