Sometimes, a quick glance is all it takes to spot something valuable. While analyzing a public beta site, I reviewed one of its JavaScript files and noticed a small but critical mistake, a hardcoded client secret embedded in frontend code.

It didn’t take complex tools or deep exploitation. Just a simple string search and a few minutes of code reading. That one exposed secret led to a bug bounty payout (aka quick $$$).

In this post, I’ll walk you through what I found, how I verified it, why it’s a serious security risk, and why clear and effective report writing can make all the difference in getting your bug bounty rewarded.

While inspecting the JavaScript bundle further, I found a block of environment-style configuration values directly defined inside the frontend code. Among those values was something that immediately stood out, a hardcoded clientSecret. Below is a simplified and redacted version of what the code looked like: