PART ONE: THE DISCOVERY
It was a Sunday afternoon. I was tired but didn't want to sleep, so I went for a drive with a friend and took my laptop along. To stay awake I decided to do some casual hunting.
I found a target, a login page, and at first I only planned to check its rate limits. I opened the page source, skimmed the JS files with a few tools, and didn't expect much. Then, while inspecting a minified bundle, I found this:
var ivString = "3f1b************"; // Initialization Vector (IV)
var string2 = "N@***************************"; // Symmetric AES key
An AES key and its IV, hardcoded in a client-side JS file.
PART TWO: THE EXPLOIT
I was going to report it directly, which would have been fine, but then I thought I should first verify it and show them how it could actually be used.
The next step was to write a script that used the key and IV, and to find some encrypted value on the website that would make the impact easy to demonstrate.
I did both: I found an encrypted string, wrote the script, and it actually worked. With that I was ready to show them the impact, and I went ahead with the report.
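The root issue here is that anything shipped in a browser bundle is readable by every visitor, so a key or IV embedded in it offers no confidentiality. The following is an added example, not the author's script or anything from the target: a small Node.js scanner a defender can run over their own bundles before release to flag string literals shaped like AES key or IV material. The bundle text, the placeholder values and the variable names in it are all constructed for this example.

```javascript
// Added example (not the author's script): scan a JS bundle for string
// literals that look like hardcoded AES key or IV material. All names and
// sample values below are constructed for this example.

// Names that suggest crypto material. The post's `string2` shows why name
// matching alone is not enough: the key was not named like one.
const SUSPICIOUS_NAME = /iv|key|secret|passphrase|aes/i;

// Matches `var|let|const name = "literal"` as well as `name: "literal"`;
// the literal must be at least 8 characters inside a single quote style.
const ASSIGN_RE =
  /(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])((?:(?!\2).){8,})\2/g;

const AES_BYTE_LENGTHS = [16, 24, 32]; // AES-128/192/256 keys; an IV is 16 bytes

// Classify a literal by whether its shape fits AES key/IV material.
function looksLikeKeyMaterial(value) {
  // Hex encoding: 16/24/32 bytes become 32/48/64 hex characters.
  if (/^[0-9a-f]+$/i.test(value) && AES_BYTE_LENGTHS.includes(value.length / 2)) {
    return 'hex';
  }
  // Base64 encoding that decodes to an AES-sized byte string.
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(value) && value.length % 4 === 0) {
    if (AES_BYTE_LENGTHS.includes(Buffer.from(value, 'base64').length)) {
      return 'base64';
    }
  }
  // Raw ASCII used directly as key or IV bytes (the pattern in the post:
  // a 16-character IV string handed straight to the cipher).
  if (AES_BYTE_LENGTHS.includes(value.length)) {
    return 'ascii';
  }
  return null;
}

// Walk every assignment in the bundle and report the literals that fit.
function findHardcodedCryptoMaterial(source) {
  const findings = [];
  for (const m of source.matchAll(ASSIGN_RE)) {
    const [, name, , value] = m;
    const kind = looksLikeKeyMaterial(value);
    if (!kind) continue;
    findings.push({
      name,
      kind,
      length: value.length,
      namedSuspiciously: SUSPICIOUS_NAME.test(name),
      preview: value.slice(0, 4) + '...', // never log the full secret
    });
  }
  return findings;
}

// Constructed sample mimicking a minified bundle. The values are
// placeholders, not real keys; `apiBase` is a deliberate non-finding.
const SAMPLE_BUNDLE =
  'function e(t){return t}var ivString="0123456789abcdef";' +
  'var string2="00112233445566778899aabbccddeeff";' +
  'var apiBase="/api/v2/login";const config={key:"ZmFrZV9rZXlfMTZieXRlcw=="};';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findHardcodedCryptoMaterial(SAMPLE_BUNDLE));
}
```

On the sample bundle this reports three findings: `ivString` (16 raw ASCII characters, a typical IV), `string2` (32 hex characters, an AES-128 key despite the innocuous name) and `config.key` (base64 of 16 bytes), while `apiBase` is ignored. The length heuristics will produce some false positives on ordinary 16-, 24- or 32-character strings, so treat the output as a review list; the fix for a true finding is to move the encryption to the server rather than to rename or obfuscate the variable.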
PART THREE: THE REWARD
I reported the vulnerability as P2, but they downgraded it to P3. That's okay, though I still think it should have been P2.

Still, it's fine; at least they recognized it. Some companies just deny these kinds of issues and get away with it, but this one actually cared.
Some time later I got a message about the reward, and I was happy.

Stay curious. Stay dangerous. 💻
👉 Follow me on LinkedIn 💼