Warning:- Dumb Bugs here!!!
When you see this title you may think “Sreeram is a LEET hacker and there bug must be something serious bug” Obviously you’re wrong, neither I’m not leet nor its a tough finding. If you’re expecting some awesome findings here or looking to learn something new from this page, you can just close page now. The matter is I was so lucky… by the end you will understand what I mean.
I got a Youtube’s internal IP months back in some POC (I don’t remember the location). I just saved it in my “Ch3ck lat3r.txt” and forgot about it. Then one day when I was cleaning my desktop and I saw the IP, I just thought
I was starring at the IP for sometime and decided to scan its range. Scan took around 3 minutes and I got popped up with some results.
Then I selected an IP and just visited it. My browser popped up with a HTTP-Authentication dialog box.
I was just like “damn.. I expected clickjacking vulnerability there” Then visited all the IP in the range all was having HTTP-Authentication. I felt so frustrated.
Then without any expectation It tried the basic password there like:
admin, Admin, Password, localadmin…
But none worked 😦
With broken heart I tried to cancel and look for other sites but fortunately I mispressed <ENTER> with blank credentials.
The next scene I saw frozen me for about 10 seconds
It took some time for me to recognize what I did, All I know is I GOT ADMIN ACCESS in Something!!
The words over there was Gibberish to me. After 2 minutes of Googling I found it was a Satellite Receiver or Decrypter Admin Panel. It was like damn I…WOAH, WTF!!
Soon I reported it to Google and it was fixed on September 19.
Sept 4 : Reported
Sept 4 : Initial Triage.
Sept 4 : Filled a bug.
Sept 19: Bug is Fixed and $13337 bounty was awarded.