Hello everyone,
Today I’ll explain how I turned a 403 error into a $200 Supabase key leak.
This is a detailed breakdown of the same finding I shared on LinkedIn: https://www.linkedin.com/posts/jeet-pal-22601a290_bugbounty-activity-7395416068464254976-DqA8
I had been testing the target for 5–6 days and had already reported multiple business logic and broken access control (BAC) issues. When I finished the main scope, I rechecked the domains to see if anything new had appeared. One endpoint that previously returned a 500 error was now returning a 403, which caught my attention.
I decided to test it further and started fuzzing the domain with ffuf and a SecLists wordlist:

ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://stage.mpc.Example.com/FUZZ

The fuzzing turned up a directory named demo-test-engine. Its page source contained an exposed Supabase key. I reported it, and after validation the team fixed the issue and awarded a bounty.
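The write-up does not show how to tell whether a Supabase key found in page source is actually dangerous, and that decides the severity. Supabase API keys in the classic format are unsigned-readable JWTs whose payload carries the project ref and a role claim: an "anon" key is meant to ship to browsers and is only a problem if Row Level Security is missing, while a "service_role" key bypasses RLS entirely. The script below is an added example, not the author's code or the program's tooling. It builds a constructed page-source sample containing fabricated keys (the project ref, the JWTs and their signatures are all made up), extracts every JWT-looking string, and classifies the Supabase ones by role so the report can state the real impact before any request is made with the key.

```python
import base64
import json
import re

# JWT-shaped tokens: header and payload both start with the base64url of '{"' (eyJ).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Supabase project URLs embed the 20-character project ref.
SUPABASE_URL_RE = re.compile(r"https://([a-z0-9]{20})\.supabase\.co")


def b64url_decode(s: str) -> bytes:
    """Decode base64url with the padding JWTs strip off."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def fake_jwt(payload: dict) -> str:
    """Constructed stand-in for a Supabase API key. The signature is junk;
    a real key is signed with the project's JWT secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{'x' * 43}"


# Constructed sample input: a fabricated project ref and three fake tokens.
FAKE_REF = "abcdefghijklmnopqrst"
ANON_KEY = fake_jwt({"iss": "supabase", "ref": FAKE_REF, "role": "anon",
                     "iat": 1700000000, "exp": 2000000000})
SERVICE_KEY = fake_jwt({"iss": "supabase", "ref": FAKE_REF, "role": "service_role",
                        "iat": 1700000000, "exp": 2000000000})
OTHER_JWT = fake_jwt({"iss": "example-auth", "sub": "user-1"})  # not a Supabase key

SAMPLE_PAGE = f"""<html><body>
<script>
  const SUPABASE_URL = "https://{FAKE_REF}.supabase.co";
  const SUPABASE_ANON_KEY = "{ANON_KEY}";
  // leftover from a demo build
  const SUPABASE_SERVICE_KEY = "{SERVICE_KEY}";
  const sessionToken = "{OTHER_JWT}";
</script>
</body></html>"""


def decode_jwt_payload(token: str):
    """Return the JWT payload as a dict without verifying the signature,
    or None if the token is not a decodable JWT."""
    try:
        _header, body, _sig = token.split(".")
        return json.loads(b64url_decode(body))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return None


def severity_for_role(role):
    if role == "service_role":
        return "critical"  # bypasses Row Level Security: full read/write to every table
    if role == "anon":
        return "info"      # public by design; only an issue if RLS policies are missing
    return "unknown"


def find_supabase_keys(page_source: str) -> list:
    """Extract every Supabase API key (iss == 'supabase') from page source."""
    findings, seen = [], set()
    for token in JWT_RE.findall(page_source):
        if token in seen:
            continue
        seen.add(token)
        payload = decode_jwt_payload(token)
        if not payload or payload.get("iss") != "supabase":
            continue
        role = payload.get("role")
        findings.append({
            "ref": payload.get("ref"),
            "role": role,
            "severity": severity_for_role(role),
            "token_prefix": token[:16] + "...",  # never paste the full key in a report
        })
    return findings


def find_project_refs(page_source: str) -> list:
    return sorted(set(SUPABASE_URL_RE.findall(page_source)))


def triage(page_source: str) -> dict:
    """Summarise what was exposed and the highest severity among the keys."""
    order = ["none", "unknown", "info", "critical"]
    keys = find_supabase_keys(page_source)
    highest = max((k["severity"] for k in keys), key=order.index, default="none")
    return {"project_refs": find_project_refs(page_source),
            "keys": keys, "highest_severity": highest}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PAGE), indent=2))
```

Run it against the saved page source of the exposed directory instead of SAMPLE_PAGE. A "service_role" hit is the $200-class finding; an "anon" hit on its own is expected for a client app and needs a separate, program-approved check that RLS is enforced before it is reported as more than informational. Keys that do not start with eyJ are not the JWT format handled here and should be triaged by hand.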
Connect with me
LinkedIn: https://www.linkedin.com/in/jeet-pal-22601a290/
Instagram: https://www.instagram.com/jeetpal.2007/
X/Twitter: https://x.com/Mr_mars_hacker
If you want to exchange programs, DM me on LinkedIn.
Join a community of 3,300+ security researchers on our Discord server, where we discuss Web3 vulnerabilities, audits, and much more! 🚀
👉 Join the server here: https://discord.gg/Y467qAFM4X