My bug bounty journey. The middle-class boy who wanted everything for free.
My name is Vivek. I am currently working as a software developer in a private company.
“Hacking” — I was introduced to this term when I was a school student. I was born into a middle-class family. I wanted everything for free. Whenever I saw some expensive things which I couldn’t buy, I always thought of some stupid ideas of building it myself with the things I own. Still remember I had the idea of building a computer using pens, paper, and cardboard sheets. Computers never excited me until I took the CS branch in the higher secondary. I tried cheating in secondary school exams because I hated the subject ‘IT’.
During the year 2006, my elder brother somehow managed to buy a secondhand mobile phone from one of his friends. It was the era of GPRS. We wanted an internet connection so that we can download games. But our pocket money was not enough to buy the Airtel recharge coupons.
Then, one day I was playing with the phone and I noticed a file which had the title ‘hacking Airtel for free internet access’. I was excited as soon as I saw the word ‘free’. It was about some proxy setting that would allow us to cheat Airtel and access the internet for free. I think that was the first time I heard of the word ‘hacking’. To me, ‘hacking’ was all about accessing free internet after that.
During the year 2000–2007, I developed a keen interest in learning about computers and programming languages. I was active in several forums. I joined the ‘Information technology’ stream in an engineering college in the year 2007. I used to read a lot about networking and started coding computer viruses whenever I get free time. It was all out of curiosity. In 2011 I joined a software firm as a junior software developer. I worked as a windows application developer at that time. Then I started reversing the applications to crack them. Once I found a loophole in the ‘TeamViewer’ application that would allow me to use it for free without any limit. All those things were boosting my confidence.
Later in 2015, I heard about the bug bounty. But I didn’t invest much time for it until 2017 as I was working as a senior web developer at that time. Then I started learning about web application vulnerabilities and read a lot of write-ups. I registered in HackerOne and started looking for vulnerabilities. But I was not able to find a single bug in any application. But I continued learning. So I developed a habit that whenever I visit a website I will look into its web requests and web responses to find anything interesting.
First Bug :
After a lot of struggle, I reported my first bug in the e-commerce platform Myntra. It was a CSRF issue that would let us change the address of any user. After the bug got triaged they didn’t respond to me for a week or two. I was very frustrated and lost my patience. I started asking them for update every day. But they didn’t respond.I stopped asking contacting them. I am a Fide rated chess player and one day I was returning home after the chess tournament. I was very sad because I lost the tournament. I was sitting in the bus and causally checked my email. I was excited to see the response from Myntra that they have fixed the issue and would like to list my name in their hall of fame page. I couldn’t control my happiness.
Second bug and first bounty:
After I got appreciation from Myntra I started looking for the bugs again. My company was using the Microsoft’s social network ‘Yammer’. Luckily I was able to find a bug in the product that would allow an attacker inside a network to change the image that are posted by the users as comments/messages. The users can post an image by pasting the URL of an image in the comment section. The yammer will fetch the image from that URL and create an objectId for that URL and Image. I was able to update the content of that objectId using a web request. But Microsoft responded that the issue is not eligible for a bounty as they were using a third party service for this functionality. But I was happy because they listed me in their hall of fame page. Being listed in Microsoft’s hall of fame page is not a small thing anyway. The issue was then closed.
But after 3 months they informed me that the finding is eligible for a bounty and rewarded me 500 USD. I didn’t sleep that night.
This is how I started my bug bounty journey and I am still learning. I will publish more write-ups here soon.