Finding Hidden Login Endpoint Exposing Secret `Client ID`

Hello,

My name is Ahmad Halabi, Founder & CTO at Cybit Sec and part-time bug bounty hunter on HackerOne.

Today I am going to share one of my cool findings about an information disclosure bug in a private program on HackerOne.

Turning a Low Severity bug into a High one.

Overview ::

I came across a subdomain, https://accounts.redacted.com/redacted/login, but found that there was no login form on the page, only an error stating "No client id found".

After some recon steps I found the login endpoint, with a client_id value in the URL: https://accounts.redacted.com/redacted/redacted?client_id=hashvalue. I then found a Low Severity bug in that target URL and reported it.

Turning The Bug From Low to High Severity ::

  • Feb 16, 2021: Submitted the initial report as stated above.

HackerOne Triage Team Commented as below:

The team would like to know how you were able to discover the endpoint:

Our understanding is while accessible, it’s not easily discoverable — so insights into how it was discovered would be helpful.

Here is Where the Fun Begins ::

So I submitted my methodology on how I found the target endpoint. From that comment I realized that the client_id is a secret value that should not be exposed to the public, since the login form is not meant for public users.

I commented as below:

The whole game is in the recon process.

Discovering Login Endpoint & client_id value :

  1. If you navigate to https://accounts.redacted.com/redacted/login you will get an error message stating "No client id found".

With this client_id value exposed, I chained my previously reported bug with it and then found multiple tokens that seem secret and are exposed as well; I reported them all in the same report.
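The report above turns on two things an asset owner can check for on their own side: links served to anonymous users that carry a `client_id`, and other token-like values sitting in page bodies. The script below is an added example (not the author's code or the program's tooling) of the kind of secret-scanning pass an application-security team could run over responses fetched from its own public endpoints; the URLs, page bodies and token values in it are constructed for illustration, and the verbose-error check is an assumption about what a useful signal looks like, not something the report describes.

```python
import math
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample responses (not data from the report): the kind of pages an
# application-security team would fetch from its own public endpoints.
SAMPLE_RESPONSES: Dict[str, str] = {
    "https://accounts.example.com/app/login": (
        "<html><body><p>Error: No client id found.</p></body></html>"
    ),
    "https://accounts.example.com/app/start": (
        "<html><body>"
        '<a href="/app/authorize?client_id=9f86d081884c7d659a2feaa0c55ad015">Sign in</a>'
        '<script>var apiToken = "A1b2C3d4E5f6G7h8I9j0K1l2";</script>'
        '<script>var build = "v2.13.0";</script>'
        "</body></html>"
    ),
}

# Query parameters that should not appear in links served to anonymous users.
SENSITIVE_PARAMS = {"client_id", "client_secret", "access_token", "token", "api_key"}

HREF = re.compile(r'href=["\']([^"\']+)["\']')
# Assignments such as  apiToken = "..."  or  "secret": "..."  with a long value.
CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?i)(\w*(?:token|secret|key|password)\w*)\s*[=:]\s*["\']([^"\']{16,})["\']'
)
# Long quoted literals made only of token-like characters; filtered by entropy.
QUOTED_LITERAL = re.compile(r'["\']([A-Za-z0-9_\-]{20,})["\']')
# Error text that names the parameter the endpoint expects, e.g. "No client id found"
# (assumed heuristic: such messages tell an outsider what to go looking for).
VERBOSE_ERROR = re.compile(r"(?i)\b(?:no|missing)\s+(?:[a-z_]+\s+){0,2}(?:id|token|key|secret)\b")
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 values score above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a constant string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_response(url: str, body: str) -> List[Dict[str, str]]:
    """Return one finding per distinct suspicious value in a single response body."""
    findings: List[Dict[str, str]] = []
    seen = set()

    def add(kind: str, name: str, value: str) -> None:
        # The same token often matches more than one rule; report it once.
        if value not in seen:
            seen.add(value)
            findings.append({"url": url, "kind": kind, "name": name, "value": value})

    # 1. Links in the page whose query string carries a sensitive parameter.
    for href in HREF.findall(body):
        for name, values in parse_qs(urlparse(href).query).items():
            if name.lower() in SENSITIVE_PARAMS:
                add("url_param", name, values[0])

    # 2. Assignments whose variable or key name suggests a credential.
    for name, value in CREDENTIAL_ASSIGNMENT.findall(body):
        add("credential_assignment", name, value)

    # 3. Any other long, high-entropy literal (catches tokens with innocuous names).
    for value in QUOTED_LITERAL.findall(body):
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            add("high_entropy_literal", "", value)

    # 4. Error messages that reveal which parameter the endpoint is waiting for.
    for match in VERBOSE_ERROR.finditer(body):
        add("verbose_error", "", match.group(0))

    return findings


def scan_all(responses: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan every (url, body) pair and concatenate the findings."""
    results: List[Dict[str, str]] = []
    for url, body in responses.items():
        results.extend(scan_response(url, body))
    return results


if __name__ == "__main__":
    for f in scan_all(SAMPLE_RESPONSES):
        print(f"{f['kind']:22} {f['name']:10} {f['value']}  ({f['url']})")
```

Run against the constructed pages, the scan flags the `client_id` carried in the sign-in link, the `apiToken` assignment, and the "No client id" error text, while the harmless version string passes. Whether a flagged `client_id` is actually a problem depends on the flow: a public OAuth client identifier is expected to be visible, whereas one that gates a form not intended for the public, as in the report above, is worth treating as a secret and rotating.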

  • Feb 26, 2021: HackerOne Team forwarded the comment to the internal team.

  • Mar 3, 2021: Bounty awarded ($700).

Lessons Learned ::

  • If you find an endpoint that hides its login form and you then manage to locate the hidden login form, it is highly likely to be a valid bug. Try identifying additional bugs in the discovered login form and report them.

I hope you will give my startup company `Cybit Sec` a follow on its social media profiles: Twitter, LinkedIn, Facebook, Instagram.

If you haven't read my article yet about how I started bug bounty hunting, how I ranked 1st at the U.S. Dept of Defense (2019) and how I reached the top 100 hackers on HackerOne, you can find it below.

The article also contains all needed resources to start learning and a lot of valuable tips.

Good Luck :)

Thanks For Reading !

Cyber Security Specialist | Hacker | Founder & CTO at Cybit Sec