How I got $250 in 5 minutes using my phone

Hamzadzworm
3 min read · Oct 26, 2020


Hi, this is my first write-up with you on Medium and I hope you will like it.

Like every day, I woke up and there was nothing to do, no one to talk with -.-

So I said, let's go to HackerOne and take a look at Hacktivity, maybe there are some new reports. Like you know, reading reports is better than talking with people :D

And after I read some reports I went to:
https://hackerone.com/directory/programs

to see if there were any new programs added, and I found this one:

It was recently added, so I went to take a look into it:

I signed up like any normal user, and the first thing I noticed in settings was that I can invite a member to join me in my account, so I invited myself with a second email.
In the invite I can write a sender name, so I tried to inject HTML code in the sender name, but that didn't work, they have a filter :'( . I kept searching and tried to accept the invite, and also nothing new.

I tried to inject the title, subject and sender name, but nothing.
Until I saw "Decline this invitation" there, like you see in the photo. I directly clicked on it, and what I found is that I can write a note for the user who invited me about why I don't want to join their account, so I tried to write HTML code in that note and it worked.

:D The next step was to prove to the security team what I can do with that, so I tried to give it the maximum impact I can. Let me tell you the scenario:

User A invites User B to join them.
User B receives the invite and clicks decline invitation.
When he clicks decline, he's redirected to a page asking him to write a note for User A (the one who invited him). In that note you can put anything, and User A will receive a message that you didn't join them, with the note you wrote.

I think the scenario is clear now:
So in the note, User B writes a simple <a href=…> code
with a simple button, and puts anything on the button, like:
click here to make User B join you, or
click here to know why User B didn't join you

And you can redirect him to a malicious link asking him to log in again
to take over his account.
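The bug described above is an output-encoding problem: the decline note is user-controlled text that the inviter's client renders as HTML. As an added example (not code from this post or from the program involved), the Python below renders the decline notification two ways, once with the note dropped straight into the template, as the write-up describes, and once with every user-controlled field HTML-escaped, and then parses both results the way a mail client would to show which one leaves a clickable link. The template, field names, sample note and placeholder domain are all constructed assumptions; the program's real notification code is not on the page.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a decline note carrying an anchor tag, modelled on the
# scenario in the write-up. The domain is a placeholder, not a real target.
SAMPLE_NOTE = (
    "Sorry, not now. "
    '<a href="https://example.invalid/login">click here to know why User B did not join you</a>'
)

# Assumed notification template (not the program's own). Each {field} is filled
# with user-controlled data, so each one must be escaped before insertion.
TEMPLATE = (
    "<p>{invitee} declined your invitation to join {workspace}.</p>\n"
    "<p>Note from {invitee}:</p>\n"
    "<blockquote>{note}</blockquote>"
)


def render_decline_email_unsafe(invitee: str, workspace: str, note: str) -> str:
    """'Before' behaviour: the note is dropped into the HTML body untouched,
    so any markup the invitee wrote is rendered by the inviter's mail client."""
    return TEMPLATE.format(
        invitee=html.escape(invitee, quote=True),
        workspace=html.escape(workspace, quote=True),
        note=note,  # the bug: no output encoding on this field
    )


def render_decline_email(invitee: str, workspace: str, note: str) -> str:
    """Hardened rendering: every user-controlled field is HTML-escaped, so the
    note is shown as literal text and cannot introduce tags or attributes."""
    return TEMPLATE.format(
        invitee=html.escape(invitee, quote=True),
        workspace=html.escape(workspace, quote=True),
        note=html.escape(note, quote=True),
    )


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags the way a mail client would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def rendered_links(html_body: str) -> list[str]:
    """Return the clickable link targets present in a rendered HTML body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    collector.close()
    return collector.links


# Detection helper for a defender reviewing stored notes: flags any note that
# contains something tag-shaped. This is not a sanitizer; escaping on output
# (above) is the actual fix, this only helps spot attempts in existing data.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(note: str) -> bool:
    return _TAG_RE.search(note) is not None


if __name__ == "__main__":
    unsafe = render_decline_email_unsafe("User B", "Example Workspace", SAMPLE_NOTE)
    safe = render_decline_email("User B", "Example Workspace", SAMPLE_NOTE)
    print("unsafe render yields links:", rendered_links(unsafe))
    print("escaped render yields links:", rendered_links(safe))
    print("note flagged as containing markup:", contains_markup(SAMPLE_NOTE))
```

The escaped version still shows the inviter exactly what User B typed, angle brackets included, but as text rather than as a link; that is the point of encoding at the output boundary instead of trying to filter particular fields, which is why the sender-name filter the write-up mentions did not help once a second field was overlooked.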

Report sent 14 Oct
Triaged 14 Oct
$250 bounty awarded 14 Oct

That's my H1 profile:
https://hackerone.com/telaviv_h4x0r

I'm new at Medium, so if you like this write-up, follow me :)

That was the impact I gave them. This is my first write-up with you, so sorry if there are any mistakes. I hope you will like it :).
