$1,000 HackerOne Bounty | Viewing redacted username information

Channel:
Philippines Japz Divino
Subscribers:
38,500
Published on ● Video Link: https://www.youtube.com/watch?v=-ur6_NBilYs


Category:
Guide
Duration: 2:44
529 views
12

#hackerone #bugbounty #informationsecurity

Researcher: https://hackerone.com/japz

Report:
https://hackerone.com/reports/2109009 (undisclosed - resolved)
https://hackerone.com/reports/2054222 (disclosed) - this is a reference report of #2109009, the vulnerability is similar, the undisclosed only shows bypassing fixes of the first/original report.

---------------------------------------

SUMMARY BY HACKERONE:

The hacker has reported vulnerabilities on this item in the past when it was .. more broken. We reverted it as the feature was neither secure nor functional. This is a follow up of https://hackerone.com/reports/2054222

In our second iteration of this feature, we put it behind a feature flag and invited the hacker to deliver direct feedback to improve the accuracy of the feature, the below report is the outcome of that. We're happy with where the feature is at now as a balance of security vs convenience.

JAPZ SUMMARY

I submitted 3 different root cause including the one that is recorded in the poc video, though the poc video seems to be doesn't have any impact, the other 2 root cause have impact that's why it was rewarded $1,000

1. username was disclosed when tagging participants using @username feature
2. username was disclosed on the internal data, like custom field etc.
3. username disclosed in reference (this is recorded in the poc video)

---------------------------------------

Please note that the email address disclosed in the PoC video is my test dummy email, that being said no sensitive info on the PoC video.



Other Videos By Japz Divino


2025-01-01Countdown to Cyber Success: Bug Bounties for the New Year! | Philippines HackerOne Club Webinar #1
2024-07-24888domino GAME REVIEW 2024 | SCATTER NA PWEDE MAG CASH IN GAMIT ANG CRYPTO
2023-09-21Stored XSS on bugzilla.mozilla.org via comment edit feature | by @r3dpars3c
2023-09-20IDOR - Send a message on behalf of other user by @lamscun (Bounty: $500 - $1,000)
2023-08-29$2,500 HackerOne IDOR - Delete all licenses and certifications of H1 users
2023-08-18$1,000 HackerOne Bounty | Viewing redacted username information
2023-08-07$500 HackerOne Bounty "I want to redact all usernames" Vulnerability #bugbounty
2023-07-13HackTheBox Sending Unlimited Respect Vulnerability by Ameer (@0x1877)
2023-07-04Getting email address of any HackerOne user | $7500 bounty #dupes #bugbounty #disclosure
2023-06-25Tara ML.. Long time no live stream! namiss ko kayo :)
2023-06-08SAKUPIN KO CHANNEL MO
2023-03-10MAP2EARN: Map the world, own and monetize the data | 2023 hottest web3 project
2023-02-20Xeno Dragon New NFT Game Review 2023
2023-01-10WIKIBIT presents THE BREAKING BAD | Topic: XIAN GAZA SCAMS ?
2022-12-16KOF ARENA: Netmarble Play To Earn Game! | Steam #002
2022-12-10MetaPlayerOne: How to Join a WEB3 Community | DAO Setup for Influencers with $MEU token raffle!
2022-12-10Modern World: New NFT Game on WAX Blockchain
2022-12-05KOF ARENA: New Play-To-Earn game by Netmarble! | Stream 001
2022-12-04WikiBit: Cotton Candy Airdrop Event | $5,000 Total Giveaway!
2022-12-01AutoChess MOBA: Soft Launch | DOTA on Mobile?
2022-11-26Live: WikiBit Presents | Japz Blockchain Jeopardy | GCash reward up to 1000 Php


Tags:
bug bounty
bug bounty hunting
hacking
ethical hacking