Hello, It’s me Bikram Kharal from Nepal.I am infosec learner and engineering student.

Today I will be writing about the bug that i recently founded on Vulnearbility Discolure Program so in this blog i will be naming it as redacted.com. I was scrolling the twitter while my online class were running and someone was suggesting to hunt on that redacted site. So me to my studies

Now i started testing on that site.

As normal I registered on that site and start understanding how the website was working.After registration it was asking me to verify the email using the 6 digit code.So i tried to bruteforce the endpoint but there was rate limiting.

After one hour testing i realized that it was IP based rate limiting then i bypassed that using IP rotate extension in burpsuite.Then quickly reported that bug.lol

After one day i got reply from them that it was Duplicate. :(

I was still searching for other bug on the same program.Again i register at the site with my email and this time i didn’t verified my email.So I was not able to login without verifying an email and in the login flow we need username to login .

Now i started thinking that what will happen if I forget my username?I will not be able to login right?Again i tried to register with the same email i got mail saying that Duplicate Registration.

Now i moved to Help section and saw the option to Recover the username.After clicking on Recover my username option it was asking for email to recover my username.

I entered my email and clicked on Recover username.Then it said that Username email sent.

So i quickly checked my email but i didn’t received any mail. I was refreshing for more than 7–8 times lol.Again i tried to recover my username and still didn’t get any mail.I was like

There was also option to reset the password but we need username and email to rest the password. In this case we don’t know the username :)

After almost 10 hours i clicked on the verification email that was sent to my email during registration process that was also expired.Now there was no any functionality to send further verification code which means i will be never be able to to login or register at redacted.com with that email.

Then i quicly made a messy report like this medium article but i after one day i got reply saying that it was Duplicate. That’s how my life is going Lmao :(

This is my first medium article and there may be mistake so you guys can give me suggestion on impoving it.Hope you, enjoy reading this article.For any query you can comment below.

Find me on: Twitter.