How I Found a Credential Exposure Bug on BBC.
Hey all,
I’m a beginner in bug bounty hunting. Even though my bachelors was in electronics, I got fascinated with cyber security while reading about computer networks in my bachelors. As my interest grew, I got to know more about network security & web security by reading and practicing them. I was aware of bug bounties by reading articles related to them but at the start, I was not confident enough to find bugs if a target was given to me. I’m not attracted to the bounties which people post on social media and I always firmly believe that constant learning, perseverance and sharing whatever you’ve learnt matters in all walks of life. Imagine if google search was restricted only to the employees of google :P, we wouldn’t be here LOL.
After learning a bit, I thought to give it a try and after few attempts, I got a lot of N/As & duplicates. I was fuming to myself and I decided to enhance my skills properly and get back to it later. After some time, when I started to hunt for bugs again, I picked a site that was accepting bugs as per their responsible disclosure policy. I went ahead and started to do reconnaissance as I came across many articles stating that “reconnaissance is the first and foremost step to find bugs related to a target” and that’s why probably there’s a tool named ReconFTW :P(credits to the author of the tool). After few struggles and learnings, I was able to find low/medium severity bugs only because of proper reconnaissance(Note: Both Passive and Active reconnaissance can be carried out depending on the target scope and the technologies that have been used by the target).
One fine day, I got to know about BBC’s responsible security disclosure program via LinkedIn and Twitter. I started to google about the target and found their GitHub repository. I used GitHub dorks to check if there’s any sensitive information that’s been leaked in any of the repositories belonging to BBC and to my surprise, I found two valid sensitive credentials that were committed to their repository. I immediately went ahead and reported it (Note: Please make sure that the secrets you’ve found are valid and make a significant risk impact to an organization before reporting it).
Timeline:
15th August 2021- Found the issue and reported it to them.
18th August 2021- Issue was fixed and I was included on their HoF website.
References:
githubdorks/dorks at master · shifa123/githubdorks · GitHub (Credits to shifa123)
Your Full Map To Github Recon And Leaks Exposure | by Orwa Atyat | Medium (Credits to Godfather Orwa)
Huge respect and grateful to the infosec community for helping out by sharing your experiences.
