Warning:- Dumb Bugs here!!!
When you see this title you may think “Sreeram is a LEET hacker and there bug must be something serious bug” Obviously you’re wrong, neither I’m not leet nor its a tough finding. If you’re expecting some awesome findings here or looking to learn something new from this page, you can just close page now. The matter is I was so lucky… by the end you will understand what I mean.
I got a Youtube’s internal IP months back in some POC (I don’t remember the location). I just saved it in my “Ch3ck lat3r.txt” and forgot about it. Then one day when I was cleaning my desktop and I saw the IP, I just thought
I was starring at the IP for sometime and decided to scan its range. Scan took around 3 minutes and I got popped up with some results.
Then I selected an IP and just visited it. My browser popped up with a HTTP-Authentication dialog box.
I was just like “damn.. I expected clickjacking vulnerability there” Then visited all the IP in the range all was having HTTP-Authentication. I felt so frustrated.
Then without any expectation It tried the basic password there like:
admin, Admin, Password, localadmin…
But none worked 😦
With broken heart I tried to cancel and look for other sites but fortunately I mispressed with blank credentials.
The next scene I saw frozen me for about 10 seconds
It took some time for me to recognize what I did, All I know is I GOT ADMIN ACCESS in Something!!
The words over there was Gibberish to me. After 2 minutes of Googling I found it was a Satellite Receiver or Decrypter Admin Panel. It was like damn I…WOAH, WTF!!
Soon I reported it to Google and it was fixed on September 19.
Time Line:-
Sept 4 : Reported
Sept 4 : Initial Triage.
Sept 4 : Filled a bug.
Sept 19: Bug is Fixed and $13337 bounty was awarded.
so, Admin with no password worked?
LikeLike
Yep
LikeLike
Infact without username
LikeLike
Would love to know how you got the Youtube’s internal IP ? You found it or you got it from any other external resource?
LikeLike
I got it from some POC months ago
LikeLiked by 1 person
You mean a POC you did and found IP from youtube.com?
LikeLike
what do you mean by poc?
LikeLike
Proof Of Concept
LikeLike
Hi sreeramkl are you from india any twitter profille or yours….? where to follow you……?
THanks!
LikeLike
https://www.facebook.com/sreeram.kl
LikeLike
good one at age of 16
LikeLike
Thanks buddy 🙂
LikeLike
congrats from usa
LikeLike
Thanks buddy
LikeLike
good congrats
LikeLike
Thanks buddy
LikeLike
its good catch bro
LikeLike
😉
LikeLike
Congrats From US !
LikeLike
malayali daaa…!! ❤
LikeLike
That’s interesting. I’ve never heard of such a security vulnerability before.
LikeLike
Congratulations:)Youtube ip range is too long.
There is too much.
You’re lucky
LikeLike
Can you give the ip range that you used ? Help would be really appreciated.
LikeLike
hhhh nice story i like it
LikeLike
Impressive.
LikeLike