
I was surfing a big company's website and tried to create an account on it. I found that the account registration was quite buggy, so I checked the page source. I found that there were error logs generated by an index.js file. The index.js file was publicly accessible with a very easy URL addition (assets/index.js). The JS file contained API endpoints to the backend. I clicked on one of the API URLs and found out that the backend was using the Django framework and was running in debug mode.

I was able to access the server's /admin login page.

I tried putting in admin for the username and admin for the password, and it worked. I got access to the Django admin portal, which had all the user data, and I was also able to find the AWS tokens that were being used to upload/download data from the database.

What should I do? I know that password guessing is illegal, so I can keep my mouth shut about it, but if I, as a newbie, was able to access it, I am pretty sure that it'll be a piece of cake for experienced hackers. How do I report it?

Edit: Is there any way I can ask for a bounty or some kind of reward :D

  • Does this answer your question? [Reporting vulnerable sites](/questions/807/reporting-vulnerable-sites), [How to report a vulnerability in a site that wants to call the FBI?](/questions/183583/), [Found security vulnerability, what should I do?](/questions/13760/), [How can I report an ecommerce site in violation of security practices?](/questions/14098/). *"Edit: Is there any way I can ask for a bounty or some kind of reward :D"* - off-topic. – Steffen Ullrich Nov 05 '22 at 11:46
  • I find the edit not off-topic, since it falls into the field. The answer would be whether the corresponding company has a bug bounty programme, which is probably not the case judging by their take on cybersecurity in their development process... Unless you're a beta tester or similar... – Sir Muffington Nov 05 '22 at 12:22
  • Is trying the known default combination (which should've been changed) considered password guessing or cracking? (I don't agree; however, I don't know what "the law" says in your or their jurisdiction.) Responsible vulnerability disclosure and public sha... er, "academic criticism" are not mutually exclusive! In my opinion it's about giving them a reasonable amount of time to fix their buggy shyte, and possibly giving them a chance to respond, before you publish your write-up. Some people make (an academic) living doing this. – brynk Nov 05 '22 at 17:44

0 Answers