Hello People….
After a long time, there is one interesting bug I have found in Grofers using a simple Shodan search. The vulnerability could have allowed an attacker to access the internal API monitoring dashboard of Grofers. This is my 2nd report to Grofers Security team.
I will give a brief introduction for those who don’t know about Shodan!
Shodan is a search engine for internet-connected devices and the services listening on their ports: effectively, a search engine for everything on the internet. It can help enterprises identify and lock down exposed services and security vulnerabilities before someone else finds them.
Exploit Scenario:
I always start my bug bounty journey with a Shodan search or crt.sh (subdomain enumeration). Recently I found a bug on Dunzo using crt.sh.
Started with a simple Shodan dork…
I found multiple hosts related to the Grofers domain, but one host looked interesting. I immediately opened it, and it was a Grafana instance login dashboard…
But… I didn’t know the username and password….
I entered the default username and password, admin:admin.
But the interesting part here is… when I entered the username and password (admin:admin), the login page redirected to the new-password page and I got a “Logged in” alert.
Then I entered admin again as the new password. At the same time, 2 alerts popped up…
The password got updated, and I could access the complete Grafana instance.
Then I created a report along with a POC and submitted it to the Grofers security team.
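For defenders, the root cause here is a configuration one: a Grafana instance reachable from the internet and still running on its shipped admin:admin credentials. The script below is an added example written for this write-up (not code from the original post or from the Grafana project) that audits a grafana.ini together with the GF_* environment overrides Grafana honours, flagging the default admin password, anonymous access and open sign-up. The two ini texts are constructed samples; the setting names ([security] admin_user / admin_password, [auth.anonymous] enabled, [users] allow_sign_up) and the GF_<SECTION>_<KEY> override convention are real Grafana behaviour.

```python
"""Audit a grafana.ini (plus GF_* environment overrides) for the weak settings
behind the finding above: an internet-reachable Grafana still on admin:admin.

Added example for this write-up, not code from the original post or from the
Grafana project. The ini texts are constructed samples; the key names
([security] admin_user / admin_password, [auth.anonymous] enabled,
[users] allow_sign_up) and the GF_<SECTION>_<KEY> override convention are
real Grafana configuration behaviour.
"""
import configparser

# Constructed sample: a freshly installed instance left on its shipped defaults.
WEAK_INI = """
[security]
admin_user = admin
admin_password = admin

[auth.anonymous]
enabled = true
org_role = Viewer

[users]
allow_sign_up = true
"""

# Constructed sample: hardened. admin_password is deliberately absent from the
# file; the deployment injects it through GF_SECURITY_ADMIN_PASSWORD instead.
HARDENED_INI = """
[security]
admin_user = grafana-ops

[auth.anonymous]
enabled = false

[users]
allow_sign_up = false
"""

DEFAULT_ADMIN_PASSWORD = "admin"   # what Grafana ships with


def _as_bool(value) -> bool:
    """Interpret ini/env style booleans ("true", "1", "on", ...)."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def _effective(cfg, env, section, key, fallback):
    """Resolve a setting the way Grafana does: GF_SECTION_KEY in the
    environment beats the ini file, which beats the built-in default."""
    env_key = "GF_" + section.upper().replace(".", "_") + "_" + key.upper()
    if env_key in env:
        return env[env_key]
    return cfg.get(section, key, fallback=fallback)


def audit_grafana_ini(ini_text: str, env: dict) -> list:
    """Return human-readable findings; an empty list means the config passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []

    password = _effective(cfg, env, "security", "admin_password", DEFAULT_ADMIN_PASSWORD)
    if password == DEFAULT_ADMIN_PASSWORD:
        findings.append("security.admin_password is still the shipped default 'admin'")
    elif cfg.has_option("security", "admin_password"):
        findings.append("security.admin_password is hard-coded in the ini; "
                        "prefer GF_SECURITY_ADMIN_PASSWORD")

    if _as_bool(_effective(cfg, env, "auth.anonymous", "enabled", "false")):
        findings.append("auth.anonymous.enabled is true: dashboards readable without login")

    if _as_bool(_effective(cfg, env, "users", "allow_sign_up", "false")):
        findings.append("users.allow_sign_up is true: anyone reaching the login page can register")

    return findings


if __name__ == "__main__":
    for name, text, env in (
        ("weak", WEAK_INI, {}),
        ("hardened", HARDENED_INI, {"GF_SECURITY_ADMIN_PASSWORD": "placeholder-strong-secret"}),
    ):
        print(name, audit_grafana_ini(text, env) or ["OK"])
```

Two caveats for whoever runs this against a real deployment: Grafana applies admin_password (from the ini or from GF_SECURITY_ADMIN_PASSWORD) only when the admin user is first created, so an instance that has already started on the default, like the one in this post, needs `grafana-cli admin reset-admin-password <new-password>` rather than a config edit. And the "change your password" screen seen above only appears after the default login has already succeeded, so it is not a control; keeping the dashboard off the public internet is the other half of the fix.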
Report Timeline:
08 Dec 2020 — Reported to Security Team
09 Dec 2020 — First response from the team
15 Dec 2020 — Issue fixed
02 Sep 2021 — Received 25k Bounty + Hall of fame + Appreciation letter
Thanks to the Grofers Team!
Thanks for reading!….Happy Hacking!
Linkedin: Lohith Gowda M
Twitter: lohigowda_in
Instagram: lohigowda.in
Portfolio: https://www.lohigowda.in/