How I got $13337 bounty From Google

Warning:- Dumb Bugs here!!!

When you see this title you may think “Sreeram is a LEET hacker and there bug must be something serious bug” Obviously you’re wrong, neither I’m not leet nor its a tough finding. If you’re expecting some awesome findings here or looking to learn something new from this page, you can just close page now. The matter is I was so lucky… by the end you will understand what I mean.

I got a Youtube’s internal IP months back in some POC (I don’t remember the location). I just saved it in my “Ch3ck lat3r.txt” and forgot about it. Then one day when I was cleaning my desktop and I saw the IP, I just thought

giphy.gif

 

I was starring at the IP for sometime and decided to scan its range. Scan took around 3 minutes and I got popped up with some results.

Then I selected an IP and just visited it. My browser popped up with a HTTP-Authentication dialog box.

 

tp-3

I was just like “damn.. I expected clickjacking vulnerability there” Then visited all the IP in the range all was having HTTP-Authentication. I felt so frustrated.

tmhnks.gif

Then without any expectation It tried the basic password there like:

admin,  Admin, Password, localadmin…

But none worked 😦

With broken heart I tried to cancel and look for other sites but fortunately I mispressed <ENTER> with blank credentials.

The next scene I saw frozen me for about 10 seconds

tp-3.png

It took some time for me to recognize what I did, All I know is I GOT ADMIN ACCESS in Something!!

The words over there was Gibberish to me. After 2 minutes of Googling I found it was a Satellite Receiver or Decrypter Admin Panel. It was like damn I…WOAH, WTF!!

3ECBbP8.gif

Soon I reported it to Google and it was fixed on September 19.


 

Time Line:-

Sept 4 : Reported

Sept 4 : Initial Triage.

Sept 4 : Filled a bug.

Sept 19: Bug is Fixed and $13337 bounty was awarded.

 

Advertisements

20 Comments Add yours

  1. jeff says:

    so, Admin with no password worked?

    Like

    1. sreeramkl says:

      Infact without username

      Like

  2. xssfun says:

    Would love to know how you got the Youtube’s internal IP ? You found it or you got it from any other external resource?

    Like

    1. sreeramkl says:

      I got it from some POC months ago

      Liked by 1 person

      1. xssfun says:

        You mean a POC you did and found IP from youtube.com?

        Like

  3. Kryz says:

    what do you mean by poc?

    Like

  4. Hi sreeramkl are you from india any twitter profille or yours….? where to follow you……?
    THanks!

    Like

  5. rahutejapdn says:

    good one at age of 16

    Like

    1. sreeramkl says:

      Thanks buddy 🙂

      Like

  6. itsmylife says:

    congrats from usa

    Like

  7. AE Crypliyn says:

    Congrats From US !

    Like

  8. Muhammed says:

    malayali daaa…!! ❤

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s