The author found a vulnerability using an invisible Unicode character in JSON payloads sent to Hostinger's configuration API.
The phantom key bypassed validation and reached the backend, allowing injection of unauthorized parameters.
The system accepted the payload with the Unicode character, demonstrating the flaw in the system's validation logic.
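The validation gap described above, as an added illustration that is not code from the report or from Hostinger: the exact mechanism at Hostinger is not given, so the weak validator and the backend normalisation below are assumptions, and the sample payloads are constructed. The hardened check rejects any key that is not a plain ASCII identifier before anything else looks at the payload.

```python
import json
import re
import unicodedata

# Constructed sample payloads (not from the report). The second carries a
# zero-width space (U+200B) inside the "plan" key, invisible when rendered.
CLEAN_PAYLOAD = '{"plan": "basic", "region": "eu"}'
PHANTOM_PAYLOAD = '{"pl\u200ban": "enterprise", "region": "eu"}'

SCHEMA = {"plan": {"basic", "pro"}, "region": {"eu", "us"}}
KEY_PATTERN = re.compile(r"[a-z][a-z0-9_]{0,63}")  # strict ASCII identifiers

def find_invisible(key: str) -> list[str]:
    """Code points in `key` from the Unicode 'Other' (control, format,
    unassigned, private) and 'Separator' classes: the characters an
    invisible phantom key is built from. Useful as a detection signal."""
    return [f"U+{ord(c):04X}" for c in key if unicodedata.category(c)[0] in "CZ"]

def loose_validate(raw: str) -> dict:
    """Weak pattern (assumed for illustration): validate values only for the
    keys it recognises and forward every other key untouched."""
    data = json.loads(raw)
    for key, allowed in SCHEMA.items():
        if key in data and data[key] not in allowed:
            raise ValueError(f"bad value for {key}")
    return data

def backend_apply(data: dict) -> dict:
    """Assumed backend behaviour: non-printing characters are stripped from
    keys before they are mapped onto config fields, so the phantom key
    collapses onto the real field and its unvalidated value is applied."""
    return {"".join(c for c in k if unicodedata.category(c)[0] not in "CZ"): v
            for k, v in data.items()}

def strict_validate(raw: str) -> dict:
    """Hardened check: reject any key that is not a plain ASCII identifier
    (which excludes every invisible character), reject keys outside the
    schema, and validate every value. Fails closed on anything unexpected."""
    data = json.loads(raw)
    for key, value in data.items():
        if not KEY_PATTERN.fullmatch(key) or key not in SCHEMA:
            raise ValueError(f"unexpected key {key!r}, invisible={find_invisible(key)}")
        if value not in SCHEMA[key]:
            raise ValueError(f"bad value for {key}")
    return data
```

Running `backend_apply(loose_validate(PHANTOM_PAYLOAD))` shows the unvalidated value landing on the real `plan` field, while `strict_validate(PHANTOM_PAYLOAD)` refuses the payload and names the offending code point.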
Despite providing a detailed report, code, video proof, and evidence of impact, the author was repeatedly dismissed by Hostinger.
The vulnerability allowed account tiers to be changed without valid authorization.
The author exposed a logic-level vulnerability that posed a real business risk, but Hostinger downplayed its significance.
The author's meticulous work was dismissed by Hostinger, highlighting how vulnerabilities can be overlooked if they are not straightforward or do not cause immediate disruption.
Hostinger asked the author to close the report to avoid damaging their reputation, showing a reluctance to acknowledge the severity of the vulnerability.
Despite following best practices in reporting the vulnerability, the author's findings were ignored, emphasizing the challenges faced by researchers in getting their concerns addressed.
This experience serves as a reminder that even legitimate and well-documented vulnerabilities can be disregarded when they are inconvenient for the affected vendor.