Revealing a Security Flaw: How I Discovered a Data Leak.
2023-9-6 11:54:44 Author: infosecwriteups.com

Abhishek Bhujang

InfoSec Write-ups

Bug Hunting

TLDR; Discovered a programming bug exposing sensitive data on a financial/investment platform, reported it and received an appreciation letter from their CTO.

Introduction

Hey there! I’m Abhishek Bhujang, a novice in CyberSec and Bug Hunting. This write-up narrates my intriguing journey, where a seemingly harmless search on the dark web led me to access internal data of a financial/investment company.

Searching DuckDuckGo

Discovery

My curious habit of Googling (DuckDuckGo-ing 😅) my own name brought me to an unexpected discovery. While using DuckDuckGo, I stumbled upon several URLs containing “GetCustomerDetails.” Curiosity got the best of me, and I clicked a few of these links, revealing unfathomable sensitive information. Surprisingly, I could access data like investor names, mobile numbers, email IDs, folio numbers, PAN numbers, and more. Incredibly, I could even download all this information in Excel (.xls) format, all without even logging in. To verify this wasn’t just confined to the dark web, I checked on the surface web, where I could still access the information using a regular web browser. Equipped with screenshots and meticulous notes, I compiled a comprehensive report on the vulnerability, fully prepared to report it to the organization.
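The flaw described above is an endpoint that hands out a customer record to anyone who supplies an identifier, with the spreadsheet export behaving the same way. Below, as an added example and not the platform's own code, is that pattern beside a hardened version in which both the detail view and the export go through one authentication-plus-ownership gate; the handler names, session model and sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the platform's customer table.
CUSTOMERS = {
    "C1001": {"name": "Investor One", "mobile": "9000000001",
              "email": "one@example.invalid", "folio": "F-1001", "pan": "ABCDE1234F"},
    "C1002": {"name": "Investor Two", "mobile": "9000000002",
              "email": "two@example.invalid", "folio": "F-1002", "pan": "FGHIJ5678K"},
}

@dataclass
class Request:
    customer_id: str                         # taken from the URL, caller controlled
    session_customer: Optional[str] = None   # None when there is no login session

def get_customer_details_vulnerable(req: Request) -> Optional[dict]:
    """Mirrors the bug in the write-up: trusts the URL and never looks at a session."""
    return CUSTOMERS.get(req.customer_id)

def authorized(req: Request) -> bool:
    """Single gate for every customer-data endpoint: a session must exist (authentication)
    and it must belong to the record being requested (authorization)."""
    return req.session_customer is not None and req.session_customer == req.customer_id

def get_customer_details_fixed(req: Request) -> Optional[dict]:
    """Hardened detail view: anonymous and cross-customer requests get nothing."""
    if not authorized(req):
        return None
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return None
    # Data minimisation: even the owner only sees a masked PAN in the web view.
    return {**record, "pan": "XXXXX" + record["pan"][-4:]}

def export_customer_details_fixed(req: Request) -> Optional[list]:
    """The .xls-style export must pass the same gate as the JSON view; returns rows."""
    if not authorized(req):
        return None
    r = CUSTOMERS.get(req.customer_id)
    if r is None:
        return None
    return [["name", "mobile", "email", "folio", "pan"],
            [r["name"], r["mobile"], r["email"], r["folio"], r["pan"]]]
```

Any new endpoint that touches customer data should call the same gate; the leak in the story is what happens when one path (here the export) is added without it.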

The Pursuit of Responsible Disclosure

In my effort to do the right thing, I sought out the company’s bug bounty program or a disclosure channel, but my search was fruitless. Determined to report this critical issue, I reached out to them through Twitter DM. They acknowledged the absence of a formal program and promptly offered an email address for reporting vulnerabilities. To my surprise, they assured me of an appreciation letter signed by their CTO as a gesture of gratitude for my responsible actions.

Reporting the Vulnerability

With all the pertinent details, screenshots, and evidence in hand, I composed an email and sent it to the designated email address. I eagerly awaited their response, wondering about the extent of the impact and the urgency with which they would address the issue.

Resolution

A few days later, I received a response from them confirming that the vulnerability existed due to a programming bug, which they had successfully fixed. They acknowledged my efforts in helping them identify and mitigate the issue. True to their word, they informed me that the appreciation letter, personally signed by their CTO, was in the works and would reach me shortly.

Conclusion

This experience has been a significant milestone in my bug hunting journey. It highlighted the importance of responsible disclosure and the need for organizations to establish bug bounty programs or proper channels for vulnerability reporting. The platform’s response demonstrated their commitment to securing their systems and their appreciation for ethical hackers like me.

I hope my account of this journey inspires others to engage in responsible bug hunting and strengthens the bond between cybersecurity enthusiasts and organizations in the pursuit of a more secure digital landscape. Feel free to provide feedback/comment/clap or you can even DM me on my social media accounts.

Thanks for reading!! Happy Hacking!! 🤗🤗

Support me if you like my work! on PayPal and follow me on Twitter (oops X) and Instagram.


Article source: https://infosecwriteups.com/revealing-a-security-flaw-how-i-discovered-a-data-leak-45ad132e47e6?source=rss----7b722bfd1b8d--bug_bounty