Found a cool bug at Meta.
From misconfigured Grafana instance to R/W access on 507 private Meta repositories.
Wrote up the full chain here:
https://t.co/LYQ0prc68d
$157k bounty awarded by @metabugbounty
Super excited to release our latest Broken Access Control (BAC) Masterclass on @hackinghub_io with 2 hours of content and almost 20 labs. I'm giving away 3 free seats to anyone who comments, reposts, and replies to this post. Drop a 🔥 below!
More info 👉🏼 https://t.co/g8gwo5vYGN
I loved this article by @iamgk808.
Read it, it’s inspiring, and it’s honest about the time and effort involved.
Honestly, it inspired me.
Thanks for writing it, Ganesh! 😎
https://t.co/Mk58tEavDZ
#bugbounty#cybersecurity
Yay, I was awarded a total of $5,500 in bounties on @Hacker0x01! https://t.co/unepjTWUuT
Vulnerabilities Found:
1. Privilege Escalation (Trial User → Platform Admin)
1. While reading the site's JavaScript files, I found an API endpoint and noticed it accepted an "author" parameter in the request body.
2. The JS hinted that the "author" value was used to identify who the request belonged to — and that this value needed to be an admin's email for certain actions.
3. I collected 15–20 employee emails through public sources (OSINT).
4. I tested them one by one as the "author" value. One matched a platform admin account, and that request was accepted.
5. Using that admin's email as "author" along with my own account ID, I changed my account "plan" from "trial" to "internal". The request went through, and my role was updated.
6. Root cause: the endpoint was authorizing the request using a value from the request body instead of the role from the user's authenticated session.
2. SSRF → Cloud Metadata Credential Exposure
1. The app had a feature that fetched user-supplied URLs from the server side.
2. Confirmed by pointing it at a public echo service — the response showed a cloud server IP, not mine. The server was making the request.
3. The URL filter blocked the metadata service IP in its standard dotted form, but didn't normalize alternate representations. Converting the same IP to its decimal form bypassed the filter cleanly.
4. From there, the standard two-step metadata flow worked: first request returned a session token, second request used that token to return temporary instance role credentials.
5. Root cause: block-list URL filtering without IP normalization. A single canonicalization step on the resolved address would have caught this.
3. IDOR Exposing 285,000+ Customer Invoices
The invoice download endpoint used sequential IDs with no ownership check. Changing the ID returned other customers' invoices.
4. IDOR Enabling Cross-Tenant Audit Log Manipulation
A "log move" endpoint trusted client-supplied IDs, which allowed moving log entries across tenant boundaries and tampering with audit history.
5. Unauthenticated Path Traversal
A public endpoint accepted file paths without sanitization, allowing partial file reads across the platform with no authentication required.
Key lessons:
→ Never authorize based on request-body fields. Use the session/JWT role.
→ URL-fetch features need allow-lists, and must normalize alternate IP forms.
→ Sequential IDs are fine; missing ownership checks are not.
→ "Unauthenticated" doesn't mean "untrusted input is safe."
#bugbounty #securityresearcher #ethicalhacker #cybersecurity #vulnerability #penetrationtesting #securityaudit #digitalsecurity #tech #innovation #hackerone #freelance #freelancer #pentester #ssrf #idor #privilegeescalation #pathtraversal #appsec #infosec #TogetherWeHitHarder #bugbountytips
* Create your own AI scanner
* Create website for that AI
* Offer it for Sale/Subscription
* create a X profile for the AI
* Start Posting Old bounty’s photos with posts like (found this by this @AI, I spend 10$ and I got rewarded 10K$)
Story Of This Days 😤
Not #bugbouny 🫣
$14,337 Google Bug Bounty 🤑
Hacking Google Support: Leaking millions of customer records by Michael Dalton 🤯🔥
👨💻 Michael Dalton (https://t.co/fmpfi56Mdf)
🔗 https://t.co/zwLEQPXQV5
Becoming a pro in finding client-side bugs is simple. Not easy, but simple.
1. Go through a JS tutorial and understand the basics.
2. Ready everything on this blog 8x until you understand it: https://t.co/OxfS2YJmbr
3. Read JS for Hackers by @garethheyes 4x
Then go hack stuff