It was a normal day. I went and smoked a cigarette like every morning, had a cup of coffee, then visited Twitter and typed bugbountytips to read any new tips there. After some tips I decided to take a look at HackerOne to see if there was anything new -.-
But before all that, let me take you back to one week earlier. I visited a company, let's call it redcat.com (I can't say its name because the report is not resolved yet). I started looking through that company's site using my phone and visiting all its pages until I got to a page where I could create a project, so I made a new project, and then I found an invite link that I could share with people to join my project.
On that project there are all the members' files and chat and some sensitive data that only the people I invite with that link can see.
I saved that link and tried to find an exploit or make it look like a vuln. So after some searching I typed that link into Google search, and I was surprised that the link was on the Google search results page and had been added some days before. How is that possible!
I went and did some searching and found that after some people visit that invite link, it ends up in Google search results, and that was great for me, not for the people who make projects -.- The link looked like
So I made a simple dork that looks like:
And yeah, it worked. I could find about 400 new projects with all their sensitive data. I reported that, and they closed my report as Informative and said "This is not a vulnerability." 🥺🥺🥺🥺
But I didn't give up. I was sure that it was a valid bug; I mean, I could access private projects that I didn't have access to and read all the data, chat and files in those projects. So I decided to keep updating them, and I accessed one of those projects and got very sensitive data because the project belonged to a company, and they re-opened the report and decided that it was a valid bug 😎😎😎
And after 2 days I got a reward for it.
And I got my second reward just by using a Google dork to access those projects -.-
I hope you enjoyed this write-up. If you liked it, follow me here on Medium for more write-ups coming soon -.-
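As an added example (not code from the write-up or from the company), here is a small Python check a project owner could run against an invite page's HTTP response to confirm that search engines are told not to index it, which is the control whose absence let these links end up in Google results. The sample responses are constructed; `X-Robots-Tag` and the `robots` meta tag are the standard crawler directives.

```python
import re

# Constructed sample responses (not from the write-up): an invite page served
# without any crawler directive, and the same page served with index-blocking
# controls in both the header and the HTML.
LEAKY_RESPONSE = {
    "headers": {"Content-Type": "text/html"},
    "body": "<html><head><title>Project invite</title></head>"
            "<body>You were invited to join a project</body></html>",
}
HARDENED_RESPONSE = {
    "headers": {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
    "body": '<html><head><meta name="robots" content="noindex, nofollow"></head>'
            "<body>You were invited to join a project</body></html>",
}

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']')


def robots_directives(headers, body):
    """Collect lower-cased directives from the X-Robots-Tag header and any
    <meta name="robots"> tag, regardless of attribute order or letter case."""
    directives = []
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            directives += [d.strip().lower() for d in value.split(",")]
    for tag in META_TAG.findall(body):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("name", "").lower() == "robots":
            directives += [d.strip().lower() for d in attrs.get("content", "").split(",")]
    return directives


def is_indexable(headers, body):
    """True when nothing in the response forbids indexing ("none" implies noindex)."""
    d = robots_directives(headers, body)
    return "noindex" not in d and "none" not in d


def audit_invite_page(headers, body):
    """Return a list of findings for an invite page; an empty list means it passes."""
    d = robots_directives(headers, body)
    findings = []
    if "noindex" not in d and "none" not in d:
        findings.append("page is indexable: add X-Robots-Tag: noindex or a robots meta tag")
    if "nofollow" not in d and "none" not in d:
        findings.append("links on the page may be crawled: add nofollow")
    return findings
```

Putting the noindex directive in the header as well as the HTML covers responses that are not HTML (file downloads, JSON), which a meta tag cannot protect.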