How I got $13337 bounty From Google

Warning:- Dumb Bugs here!!!

When you see this title you may think “Sreeram is a LEET hacker and there bug must be something serious bug” Obviously you’re wrong, neither I’m not leet nor its a tough finding. If you’re expecting some awesome findings here or looking to learn something new from this page, you can just close page now. The matter is I was so lucky… by the end you will understand what I mean.

I got a Youtube’s internal IP months back in some POC (I don’t remember the location). I just saved it in my “Ch3ck lat3r.txt” and forgot about it. Then one day when I was cleaning my desktop and I saw the IP, I just thought

 

I was starring at the IP for sometime and decided to scan its range. Scan took around 3 minutes and I got popped up with some results.

Then I selected an IP and just visited it. My browser popped up with a HTTP-Authentication dialog box.

tp-3

I was just like “damn.. I expected clickjacking vulnerability there” Then visited all the IP in the range all was having HTTP-Authentication. I felt so frustrated.

tmhnks.gif

Then without any expectation It tried the basic password there like:

admin,  Admin, Password, localadmin…

But none worked 😦

With broken heart I tried to cancel and look for other sites but fortunately I mispressed with blank credentials.

The next scene I saw frozen me for about 10 seconds

tp-3.png

It took some time for me to recognize what I did, All I know is I GOT ADMIN ACCESS in Something!!

The words over there was Gibberish to me. After 2 minutes of Googling I found it was a Satellite Receiver or Decrypter Admin Panel. It was like damn I…WOAH, WTF!!

3ECBbP8.gif

Soon I reported it to Google and it was fixed on September 19.

Time Line:-

Sept 4 : Reported

Sept 4 : Initial Triage.

Sept 4 : Filled a bug.

Sept 19: Bug is Fixed and $13337 bounty was awarded.

25 thoughts on “How I got $13337 bounty From Google

Add yours

Leave a comment

Create a website or blog at WordPress.com

Up ↑