Finding Hidden Login Endpoint Exposing Secret `Client ID`
Hello,
My name is Ahmad Halabi, Founder & CTO at Cybit Sec and part time bug bounty hunter on Hackerone.
Today I am going to share one of my cool findings about an information disclosure bug in a private program on HackerOne.
Turning a Low Severity bug into a High one.
Overview ::
I came across a subdomain, https://accounts.redacted.com/redacted/login, but there was no login form on the page; instead it showed an error stating `No client id found`.
Then I did some recon steps and found the login endpoint with a client id value in the URL: https://accounts.redacted.com/redacted/redacted?client_id=hashvalue. In that target URL I found a low-severity bug and reported it.
Turning The Bug From Low to High Severity ::
- Feb 16, 2021: Submitted the Initial Report as stated above.
- Feb 18, 2021: HackerOne Team Triaged The Report.
- Feb 24, 2021: Internal Team Reviewing the Report and Investigating the Submitted Issue.
- Feb 26, 2021: Internal Team Wanted to Know How I Discovered The Endpoint.
HackerOne Triage Team Commented as below:
The team would like to know how you were able to discover the endpoint:
Our understanding is while accessible, it’s not easily discoverable — so insights into how it was discovered would be helpful.
Here Is Where the Fun Begins ::
So I submitted my methodology on how I found the target endpoint. From that comment I realized that the `client_id` is a secret value that should not be exposed to the public, since the login form is not meant for public users.
I commented as below:
The whole game is in the recon process.
Discovering Login Endpoint & client_id value:
- If you navigate to https://accounts.redacted.com/redacted/login you will get an error message stating `No client id found`.
- From the above error I concluded that there should be a parameter named `client_id` or `clientid`.
- Simple Google Dorking: `site:accounts.redacted.com inurl:client_id`.
- Found the login endpoint and the client_id value: https://accounts.redacted.com/redacted/redacted/redacted?client_id=1111111111122222222222test222223333111
By exposing this `client_id` value, I chained my previously reported bug with it, found multiple tokens that appear to be secret and are exposed as well, and reported them all in the same report.
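The root cause above is a secret (the `client_id`, later also tokens) travelling in a URL query string, where it gets logged, cached, sent in Referer headers and eventually indexed by search engines. As an added example (not from the original report or the program), the following script audits web server access logs for sensitive-looking query parameters so the owner can find such leaks before a dork does; the parameter list, log lines and paths are constructed assumptions, with the redacted placeholder value from the write-up reused as sample input.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names whose values should never appear in a URL when secret.
# client_id is included because the program above treated it as secret; the
# others are conventional OAuth-style names (assumed list, extend as needed).
SENSITIVE_PARAMS = {"client_id", "clientid", "client_secret", "token",
                    "access_token", "refresh_token", "api_key"}

# Matches the request part of a combined-log-format line:
#   "GET /path?query HTTP/1.1" 200
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_leaked_params(log_lines, sensitive=SENSITIVE_PARAMS, min_len=16):
    """Return (path, param, value) for every request whose query string carries
    a sensitive-named parameter with a long, opaque value (short values such as
    a state nonce or a page number are skipped)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in sensitive and len(value) >= min_len:
                hits.append((parts.path, name, value))
    return hits


# Constructed sample log lines; the client_id value is the redacted placeholder
# shown in the write-up, the IPs are documentation ranges, the paths are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2021:10:00:01 +0000] "GET /redacted/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2021:10:00:07 +0000] "GET /redacted/auth?client_id=1111111111122222222222test222223333111&state=xyz HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Feb/2021:10:01:13 +0000] "GET /search?q=client_id HTTP/1.1" 200 300 "-" "Googlebot/2.1"',
]

if __name__ == "__main__":
    for path, name, value in find_leaked_params(SAMPLE_LOG):
        print(f"{path}: {name}={value[:8]}... ({len(value)} chars in URL)")
```

Every hit is a URL that a crawler or a Referer header can carry off-site; the fix is to move the value out of the query string (POST body or header) or to treat it as public and rotate what was leaked.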
- Feb 26, 2021: HackerOne Team Forwarded the comment to the Internal Team.
- Mar 3, 2021: Bounty Awarded ($700).
Lessons Learned ::
- If you find an endpoint hiding the login form and then manage to find the hidden login form, it is highly likely to be a valid bug. Try identifying an additional bug in the discovered login form and report it.
- At first, I didn't know that the `client_id` I discovered was secret until I saw the internal team's comment. So try to be creative and curious about any word the internal team comments on.
- Notice the power of Google Dorks. I found the hidden login page by using a Google Dork to search for the `client_id` value.
If you haven't read my article yet about how I started bug bounty hunting, how I ranked 1st at the U.S. Dept of Defense (2019) and how I reached the top 100 hackers on HackerOne, you can find it below.
The article also contains all needed resources to start learning and a lot of valuable tips.
Good Luck :)
Thanks For Reading !