How I was able to see the bounty balance of any Bug Bounty Program in HackerOne

Good day everyone!

Today, I will proudly share with you how I found a bug in HackerOne that reveals a bug bounty program’s balance without escalating the user’s privileges.

To begin, I will tell you that I was originally looking for a bug that would allow me to comment on a disclosed report. But when I checked the HTTP request via Chrome’s Developer Mode, I found something that caught my attention:

Request:

Response:

By that time, I thought that I really didn’t have good enough knowledge to find a bug in HackerOne. But after spending 10–15 minutes checking the HackerOne site, I saw the same request while checking my own reports. By then I realized that if you are a “Member of a Team” that is giving a bounty on a valid report, you are able to set the amount that you want to award for it.

Because of that, I felt that I was going to be rich, so I started checking what I could get by using it.

Request:

Response:

As you can see in the response, it’s showing:

{"flash":"You have successfully awarded a bounty.","reports":[]}

and it made me feel:

But wait, after the page reloaded, it did not show that the report was rewarded. So the response is just a response.

Request:

Response:

It shows an error:

{"flash":null,"reports":[{"errors":["Validation failed: insufficient funds to award this bounty."]}]}
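The pattern described above, as an added example that is not HackerOne’s code: a minimal award-bounty handler written in plain Ruby (the error text on the page looks like a Rails validation message, so Ruby is a natural fit). The vulnerable version validates the amount against the program’s funds before authorizing the caller and echoes the validation message, so a non-member learns whether the balance covers a given amount; the hardened version authorizes first and returns a generic, amount-independent error to non-members. Every name here (`Program`, `Report`, `award_bounty_vulnerable`, `award_bounty_hardened`, `leaks_balance?`, the sample balance of 500 and the user ids) is an assumption constructed for the example. `leaks_balance?` is the regression check a defender would keep around: a non-member must receive the same response no matter what amount they send.

```ruby
# Added example, not HackerOne's code. All names and sample values are constructed.

# Constructed in-memory models standing in for the real ORM objects.
Program = Struct.new(:id, :balance, :member_ids)
Report  = Struct.new(:id, :program)

INSUFFICIENT = "Validation failed: insufficient funds to award this bounty."
SUCCESS      = "You have successfully awarded a bounty."

# Vulnerable ordering: the funds validation runs for every caller and its
# message is echoed verbatim, so the endpoint answers "is balance >= amount?"
# for anyone who can send the request. Only members get a bounty persisted,
# but everyone receives the success flash, i.e. "the response is just a response".
def award_bounty_vulnerable(report, amount, current_user_id)
  program = report.program
  if amount > program.balance
    return { flash: nil, reports: [{ errors: [INSUFFICIENT] }] }
  end
  program.balance -= amount if program.member_ids.include?(current_user_id)
  { flash: SUCCESS, reports: [] }
end

# Hardened ordering: authorize before any validation that depends on private
# state, and give non-members a fixed answer that does not vary with `amount`.
def award_bounty_hardened(report, amount, current_user_id)
  program = report.program
  unless program.member_ids.include?(current_user_id)
    return { status: 403, flash: nil, reports: [{ errors: ["Not authorized."] }] }
  end
  # Members are entitled to know their own program's balance, so the detailed
  # validation message is fine here.
  if amount <= 0 || amount > program.balance
    return { status: 422, flash: nil, reports: [{ errors: [INSUFFICIENT] }] }
  end
  program.balance -= amount
  { status: 200, flash: SUCCESS, reports: [] }
end

# Defender's regression check: an outsider sends one amount below and one above
# the balance. If the two responses differ, the endpoint is a balance oracle.
def leaks_balance?(handler, report, outsider_id)
  low  = handler.call(report, 1, outsider_id)
  high = handler.call(report, report.program.balance + 1, outsider_id)
  low != high
end

# Constructed sample data: one program with a 500 balance and a single member.
def build_sample
  program = Program.new("program-1", 500, ["member-42"])
  report  = Report.new("report-7", program)
  [report, program]
end

if __FILE__ == $PROGRAM_NAME
  report, = build_sample
  puts "vulnerable handler leaks balance? #{leaks_balance?(method(:award_bounty_vulnerable), report, 'outsider-1')}"
  puts "hardened handler leaks balance?   #{leaks_balance?(method(:award_bounty_hardened), report, 'outsider-1')}"
end
```

The ordering is the whole fix: any check that reads private state (balance, ownership, existence of a record) must come after the caller has been authorized, and the unauthorized branch must return the same body for every input.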

For anyone who didn’t understand how I found this bug, here is a video I can share on this blog. Before you watch it, I want to apologize for the video PoC, because it is a 5-minute video.

This vulnerability may already be fixed by HackerOne. But always remember that even if your reports keep getting marked as duplicates, it doesn’t mean you didn’t get a reward. The reward you can claim here is the knowledge and skill you can use in your future penetration tests on the other applications you test or use.

Kindly share if you like my first write-up. Also, if there’s something wrong with this write-up, just comment below. Also follow me on my Twitter account for more write-ups. Thanks!
