This is my first blog post — excited to start sharing bug bounty write-ups and security lessons from the field. Please ignore any small mistakes as I'm still a debutant in writing blogs. If you find this useful, please follow for more posts!

Whoami

None
Photo by Felicia Buitenwerf on Unsplash

I am Ankit Rathva and i am a student of MCA 1st year, I am ethical hacker and security researcher with a passion for finding logic, authorization, and data-integrity flaws in web applications. As a bug bounty hunter and red teamer, he combines hands-on testing, forensic analysis, and careful disclosure to help teams fix impactful issues while protecting users. He publishes clear, developer-friendly writeups and practical mitigation advice — connect to follow his work or collaborate on security research.

Connect with me: https://linkedin.com/in/ankitrathva

Summary:

I discovered a vulnerability in a chat application where a normal user could cause messages authored by a room owner to disappear for everyone by submitting an invalid emoji reaction. The root cause is insufficient server-side validation and error-handling when processing reaction payloads. Impact: message integrity is broken, role-based permissions are bypassed, and conversations can be disrupted. I responsibly disclosed this to the vendor; they acknowledged it and have committed to a fix.

Why this matters

Chat systems rely on strong role-based controls and data integrity. Owners and admins should be able to trust that their messages remain intact and visible to participants unless explicitly removed by authorized actions. A flaw that allows ordinary participants to corrupt or remove owner content undermines trust, can enable targeted disruption (for example hiding announcements or moderation actions), and may be abused to create confusion or denial-of-service inside rooms.

What I found (high level)

  • Vulnerability class: Privilege escalation / data integrity issue
  • Component affected: Chat message rendering + emoji reaction handling
  • Severity: Medium → High (depends on context and how critical the affected chat is)
  • Impact: Any normal user in the room can cause an owner's message to show an error instead of its content for all participants, effectively removing or corrupting it.

Steps to reproduce:

  • Create two accounts: one for the owner and another for a normal user.
  • As the owner, create a room and invite another user as a normal user
  • As an owner sent a message in the room.
  • Go to the normal users account and Locate a message posted by the room owner
  • React to the message with any valid emoji and intercept the request in burp.
None
  • Modify the request payload, changing the emoji parameter from e.g.: "emoji": ":kissing_heart:" to "emoji": ":hello123:"
None
  • Forward the modified request
  • Observe that the owner's message disappears and shows an error instead of its content.
None

I write bug bounty write-ups, security research notes, and practical advice for developers and security teams. Connect with me for more findings and write-ups.

I was rewarded with a $$$ bounty.

None
Photo by Nimi Diffa on Unsplash

I share my bug bounty report on every Saturday so follow me to read blogs.

#BugBounty #InfoSec #Cybersecurity #PrivilegeEscalation #BugReport #ResponsibleDisclosure #WebSecurity