Finding Hidden Login Endpoint Exposing Secret `Client ID`

  • Feb 16, 2021: Submitted the Initial Report as stated above.
  • Feb 18, 2021: HackerOne Team Triaged The Report.
  • Feb 24, 2021: Internal Team Reviewing the Report and Investigating the Submitted Issue.
  • Feb 26, 2021: Internal Team Want to Know How I Discovered The Endpoint.
  1. If you navigate to https://accounts.redacted.com/redacted/login you will get an error message stating No client id found.
  2. From the above error I resulted that there should be a parameter named client_id or clientid.
  3. Simple Google Dorking: site:accounts.redacted.com inurl:client_id.
  4. Found the login endpoint and the client_id value: https://accounts.redacted.com/redacted/redacted/redacted?client_id=1111111111122222222222test222223333111
  • If you found an Endpoint hiding the Login form and then you managed to find the hidden Login Form then this is highly possible to be a valid bug. Try identifying additional bug in the discovered Login form and report it.
  • At first, I didn’t know that the client_id that I discovered is secret until I saw the internal team’s comment. So try to be creative and curious about any word commented by the internal team.
  • Notice the power of Google Dorks. I found the hidden login page by using a Google Dork to search for the client_id value.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmad Halabi

Ahmad Halabi

Cyber Security Specialist | Hacker | Founder at Cybit Sec | Managing Director at Resecurity®.