Secret Key Exposure in API Config Directory

  • I used GitHub to search for the secret key inside the target program's GitHub repositories. Sadly, no positive results were found.
  • I used Google dorks to try to find any information related to the secret token, and also got negative results.
  • I also checked WaybackUrls and JavaScript files, and sadly got negative results.
  • Feb 4, 2021: I sent the report describing the issue that I found.
  • Feb 5, 2021: HackerOne Triage closed the report as Informative, stating that an app "leaking" these secrets doesn't necessarily mean that there's a security risk, and asking me to provide more details if I wanted my report to be reconsidered.
  • Feb 5, 2021: I provided additional details about my recon process, explaining why the key is secret to the program and showing that I had not found any information related to it, based on my second assumption.
  • Feb 5, 2021: HackerOne Triage forwarded the report to the internal team.
  • Feb 22, 2021: The report was triaged by the HackerOne Triage Team.
  • Feb 26, 2021: Severity updated to High. Bounty awarded ($800). Report resolved and fix confirmed.

Cyber Security Specialist | Hacker | Founder & CTO at Cybit Sec

Ahmad Halabi