How I got $13337 bounty From Google

Warning:- Dumb Bugs here!!!

When you see this title you may think “Sreeram is a LEET hacker and there bug must be something serious bug” Obviously you’re wrong, neither I’m not leet nor its a tough finding. If you’re expecting some awesome findings here or looking to learn something new from this page, you can just close page now. The matter is I was so lucky… by the end you will understand what I mean.

I got a Youtube’s internal IP months back in some POC (I don’t remember the location). I just saved it in my “Ch3ck lat3r.txt” and forgot about it. Then one day when I was cleaning my desktop and I saw the IP, I just thought



I was starring at the IP for sometime and decided to scan its range. Scan took around 3 minutes and I got popped up with some results.

Then I selected an IP and just visited it. My browser popped up with a HTTP-Authentication dialog box.



I was just like “damn.. I expected clickjacking vulnerability there” Then visited all the IP in the range all was having HTTP-Authentication. I felt so frustrated.


Then without any expectation It tried the basic password there like:

admin,  Admin, Password, localadmin…

But none worked 😦

With broken heart I tried to cancel and look for other sites but fortunately I mispressed <ENTER> with blank credentials.

The next scene I saw frozen me for about 10 seconds


It took some time for me to recognize what I did, All I know is I GOT ADMIN ACCESS in Something!!

The words over there was Gibberish to me. After 2 minutes of Googling I found it was a Satellite Receiver or Decrypter Admin Panel. It was like damn I…WOAH, WTF!!


Soon I reported it to Google and it was fixed on September 19.


Time Line:-

Sept 4 : Reported

Sept 4 : Initial Triage.

Sept 4 : Filled a bug.

Sept 19: Bug is Fixed and $13337 bounty was awarded.



23 Comments Add yours

  1. jeff says:

    so, Admin with no password worked?


    1. sreeramkl says:

      Infact without username


  2. xssfun says:

    Would love to know how you got the Youtube’s internal IP ? You found it or you got it from any other external resource?


    1. sreeramkl says:

      I got it from some POC months ago

      Liked by 1 person

      1. xssfun says:

        You mean a POC you did and found IP from


  3. Kryz says:

    what do you mean by poc?


  4. Hi sreeramkl are you from india any twitter profille or yours….? where to follow you……?


  5. rahutejapdn says:

    good one at age of 16


    1. sreeramkl says:

      Thanks buddy 🙂


  6. itsmylife says:

    congrats from usa


  7. AE Crypliyn says:

    Congrats From US !


  8. Muhammed says:

    malayali daaa…!! ❤


  9. "> says:

    That’s interesting. I’ve never heard of such a security vulnerability before.


  10. cem says:

    Congratulations:)Youtube ip range is too long.
    There is too much.
    You’re lucky


  11. alpha star says:

    Can you give the ip range that you used ? Help would be really appreciated.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s