Finding Hidden Login Endpoint Exposing Secret `Client ID`

Hello,

My name is Ahmad Halabi, Founder & CTO at Cybit Sec and part time bug bounty hunter on Hackerone.

Today I am going to share one of my cool findings about an information disclosure bug in a private program on HackerOne.

Turning a Low Severity bug into a High one.

Overview ::

I came across a subdomain, https://accounts.redacted.com/redacted/login, but there was no login form on the page, only an error stating "No client id found".

After some recon steps I found the login endpoint, with a client_id value in the URL, in the form https://accounts.redacted.com/redacted/redacted?client_id=hashvalue. I then found a Low Severity bug in that target URL and reported it.

Turning The Bug From Low to High Severity ::

  • Feb 16, 2021: Submitted the Initial Report as stated above.
  • Feb 18, 2021: HackerOne Team Triaged The Report.
  • Feb 24, 2021: Internal Team Reviewing the Report and Investigating the Submitted Issue.
  • Feb 26, 2021: Internal Team Wants to Know How I Discovered The Endpoint.

HackerOne Triage Team Commented as below:

The team would like to know how you were able to discover the endpoint:

Here's Where the Fun Begins ::

So I submitted my methodology for how I found the target endpoint. From that comment I realized that the client_id is a secret value that should not be exposed to the public, since the login form is not meant for public users.

I commented as below:

The whole game is in the recon process.

Discovering Login Endpoint & client_id value :

  1. If you navigate to https://accounts.redacted.com/redacted/login you will get an error message stating No client id found.
  2. From the above error I concluded that there should be a parameter named client_id or clientid.
  3. Simple Google Dorking: site:accounts.redacted.com inurl:client_id.
  4. Found the login endpoint and the client_id value: https://accounts.redacted.com/redacted/redacted/redacted?client_id=1111111111122222222222test222223333111

With this client_id value exposed, I chained it with the bug I had already reported, and then found multiple tokens that appear to be secret and were exposed as well. I reported them all in the same report.
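As an added, defender-side example that is not part of the original post: a Python check that scans a URL inventory (a sitemap export, CDN or access logs, or a search-engine index export) for query parameters such as client_id carrying long, secret-looking values, i.e. the kind of exposure the dork above located from the outside. The parameter list, the length threshold and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry credentials or tenant secrets.
# client_id is included because, as in this report, the value was not meant
# to be public. The list is an assumption for this example; extend it per app.
SENSITIVE_PARAMS = {
    "client_id", "clientid", "client_secret", "token", "access_token",
    "api_key", "apikey", "secret", "session", "sid",
}
MIN_SECRET_LEN = 16  # short values such as "7" are ordinary ids, not secrets


def _normalize(name: str) -> str:
    """Fold 'Client-ID', 'clientId' and 'client_id' into one form for matching."""
    return name.lower().replace("-", "").replace("_", "")


_SENSITIVE_NORMALIZED = {_normalize(p) for p in SENSITIVE_PARAMS}


def find_exposed_params(urls):
    """Return (url, param, value) for every URL whose query string carries a
    sensitive-looking parameter with a value long enough to be a real secret."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if _normalize(name) in _SENSITIVE_NORMALIZED and len(value) >= MIN_SECRET_LEN:
                findings.append((url, name, value))
    return findings


# Constructed sample inventory; none of these URLs or values are real.
SAMPLE_URLS = [
    "https://accounts.example.com/app/login",                      # error page, no secret
    "https://accounts.example.com/app/oauth?client_id=1111111111122222222222test222223333111",
    "https://accounts.example.com/app/oauth?clientId=abcdef0123456789abcdef",
    "https://accounts.example.com/app/profile?id=42&client_id=7",  # too short to flag
    "https://accounts.example.com/app/cb?access_token=ya29.constructedsamplevalue",
]


def report(urls=SAMPLE_URLS):
    """Group findings by path, redacting values, so an owner sees which endpoints leak."""
    by_path = {}
    for url, name, value in find_exposed_params(urls):
        by_path.setdefault(urlsplit(url).path, []).append((name, value[:4] + "..."))
    return by_path


if __name__ == "__main__":
    for path, items in report().items():
        print(path, items)
```

Flagged endpoints are candidates for removing the secret from the URL, adding noindex/robots rules, and rotating the exposed value.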

Feb 26, 2021: HackerOne Team Forwarded the comment to the Internal Team.

Mar 3, 2021: Bounty Awarded ($700).

Lessons Learned ::

  • If you find an endpoint that hides its login form and you then manage to find the hidden login form, this is very likely to be a valid bug. Try to identify an additional bug in the discovered login form and report it.
  • At first I didn't know that the client_id I discovered was secret until I saw the internal team's comment. So be creative and curious about every word in the internal team's comments.
  • Notice the power of Google Dorks. I found the hidden login page by using a Google Dork to search for the client_id value.

I hope you'll give my startup company `Cybit Sec` a follow on its social media profiles: Twitter, LinkedIn, Facebook, Instagram.

If you haven't yet read my article about how I started bug bounty hunting, how I ranked 1st at the U.S. Dept. of Defense (2019) and how I reached the top 100 hackers on HackerOne, you can find it below.

The article also contains all needed resources to start learning and a lot of valuable tips.

Good Luck :)

Thanks For Reading !

Cyber Security Specialist | Hacker | Founder & CTO at Cybit Sec