Hello, hackers!
In this write-up, I’m going to present a Business Logic Flaw + Insecure Design report submitted to a Bug Bounty program. The flaw allowed a silent login: an attacker holding valid credentials could start a session in any user’s account on the platform without the account’s security alerts ever firing.
On this particular day, I was looking for a public Bug Bounty program on Intigriti that offered good rewards for reported vulnerabilities.
I came across a financial services company’s program that paid a very decent range for any severity. However, while analyzing the program, I noticed it was an older program on the platform with only 500 submissions sent and just 45 accepted, which made me a bit discouraged and question whether it was a good target for a beginner in Bug Hunting. Still, I didn’t give up and began exploring the program’s scope.
I created an account on the web application and then authenticated myself. Once logged in, I received a notification, which essentially was a security alert from the company, notifying the user whenever a new session was started in their account. But something caught my attention in this notification: the authentication request details, such as time and browser.
I noticed that the server obtained the browser name from the main authentication request and included it in the notification message. This immediately made me think of a potential injection vector in this field.
POST /oauth2/token/ HTTP/1.1
Host: api.redacted.com
User-Agent: luq0x

After sending this first injection payload in the User-Agent header, I noticed that the server stopped notifying the user about the newly started session.
I quickly realized that the server took the User-Agent header from the token request and matched it against a list of known browsers. When there was no match, instead of falling back to a generic description such as “unknown browser”, it simply skipped the notification altogether. Digging deeper, I confirmed that the system also stopped sending the email notification, which completely broke the account’s security alert logic: any User-Agent value outside the known list disabled every alert for that login.
And voilà! We had found a vulnerability!
Basically, this security flaw opened the door for a “stealth login” scenario: an attacker with valid credentials could log in to a victim’s account without triggering any security alerts.
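To make the failure mode concrete, here is an added example (my own illustration, not code from the program or the write-up) of the notification logic described above, in both a vulnerable and a hardened form. The browser list, regular expressions and function names are assumptions; the only detail taken from the report is that an unrecognized User-Agent suppressed the alert. The hardened version always emits an alert and carries a sanitized copy of the raw header, and the audit helper counts logins that produced no alert, which is the check a program owner can run over their own login logs.

```python
import re

# Assumed "known browser" list: a small subset of what a real service might match.
# Order matters: Chrome's UA also contains "Safari/", so Chrome is tested first.
KNOWN_BROWSERS = [
    ("Firefox", re.compile(r"Firefox/\d+")),
    ("Chrome", re.compile(r"Chrome/\d+")),
    ("Safari", re.compile(r"Version/\d+.*Safari/")),
]


def identify_browser(user_agent: str):
    """Return the browser name for a recognized User-Agent, or None otherwise."""
    for name, pattern in KNOWN_BROWSERS:
        if pattern.search(user_agent):
            return name
    return None


def notify_vulnerable(user_agent: str):
    """Vulnerable logic: an unrecognized User-Agent returns no alert at all.

    Returns the alert text that would be sent, or None when nothing is sent.
    """
    browser = identify_browser(user_agent)
    if browser is None:
        return None  # bug: silent login, no in-app or email alert
    return f"New login to your account from {browser}"


def sanitize_header(value: str, limit: int = 80) -> str:
    """Keep only printable ASCII and cap the length before rendering a header."""
    return "".join(ch for ch in value if 32 <= ord(ch) < 127)[:limit]


def notify_hardened(user_agent: str):
    """Hardened logic: the alert is sent for every login, unknown browser or not."""
    browser = identify_browser(user_agent) or "an unrecognized browser"
    raw = sanitize_header(user_agent)
    return f"New login to your account from {browser} (User-Agent: {raw!r})"


def silent_login_count(user_agents, notifier) -> int:
    """Audit helper: number of logins for which the notifier produced no alert."""
    return sum(1 for ua in user_agents if notifier(ua) is None)


if __name__ == "__main__":
    # Constructed sample of User-Agent values seen on token requests.
    sample = [
        "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0",
        "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
        "luq0x",  # the tampered value from the test above
    ]
    for ua in sample:
        print(f"{ua[:40]!r:45} vulnerable -> {notify_vulnerable(ua)!r}")
        print(f"{'':45} hardened   -> {notify_hardened(ua)!r}")
    print("silent logins (vulnerable):", silent_login_count(sample, notify_vulnerable))
    print("silent logins (hardened):  ", silent_login_count(sample, notify_hardened))
```

The hardened variant treats the browser name as a best-effort label, never as a precondition for alerting; the raw header is sanitized before it is rendered so that the injection vector the write-up probed is closed at the same time.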
I quickly produced a PoC for this finding and submitted a report to the company’s program. After 6 days in triage, my submission was accepted, and I received a reward of $500 for this finding.
This case reinforces the importance of thinking beyond traditional technical vulnerabilities and paying attention to the business logic of applications.
Simply suppressing a security notification creates an opportunity for a real attack, especially on a platform that directly handles investments and real money.
If you enjoyed this write-up, follow me here and connect with me on LinkedIn
See you soon! Cheers!
