jayateertha guruprasad

Published in InfoSec Write-ups

·Pinned

Grafana Admin Panel bypass in Google Acquisition(VirusTotal)

I started with the usual subdomain recon of a Google acquisition (VirusTotal). This time I used an online subdomain finder service, https://subdomainfinder.c99.nl/, for finding subdomains quickly. Then I found a subdomain, grafana.internal.virustotal.com. The word internal in the subdomain made me visit that page due to my curiosity. But unfortunately, it’s only for authorized…

Google Vrp

2 min read

May 6

2FA Bypass in PickMyCareer.in

I found a 2FA bypass recently in a responsible disclosure program, pickmycareer.in. The vulnerability allows an attacker to register any mobile number with his account, bypassing OTP verifications. The process is very simple: during the registration process, the attacker gives his own mobile number and receives an OTP, enters the correct OTP…

Hacking

2 min read

Apr 15

How I passed my CEH (Practical) in first attempt

First of all, I am not a complete beginner in the infosec/cyber security community. I have been doing bug bounty for the past 3 years, and my current job role is also related to security engineering. So, I haven’t prepared much, as I already use most of the tools frequently at my workplace/CTFs/BugBounty. …

Infosec

2 min read

Feb 25, 2021

Jira Auth Bypass bug in Google Acquisition (Apigee)

I was looking for blogs on GoogleVRP reports as well as noting down its popular acquisitions. Then I found a blog (https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html) which talks about an unauthenticated Jira instance leaking dashboard name, project title and user profile picture by applying filters. It also mentions that the website supports only logging in…

Infosec

2 min read

Dec 17, 2020

Download Filename Manipulation due to improper rendering of RTLO characters

This is one of the easiest bugs that I have found in a private bug bounty program. The program had two of its browsers in its scope. I was testing for RTLO-related bugs, and I found that the downloads section of the browser was rendering the RTLO characters in an improper way. …

Bug Bounty

2 min read


Apr 21, 2020

CORS bug on GOOGLE’s 404 page REWARDED!!!

This is a story of a CORS bug that I found in one of Google’s acquisitions, Kaggle, where I got rewarded for a CORS bug in the 404 page. One fine day I was looking at one of the acquisitions of Google (Kaggle). Kaggle is used worldwide by the Machine Learning community and is pretty famous. I…

Bug Bounty

3 min read

Apr 9, 2020

WhatsApp Profile Photo Leakage Bug

If you think WhatsApp is totally safe and your profile picture is visible only to people in your contacts, or depending on your privacy settings, then you are totally wrong. I found a bug in WhatsApp through which any third-party app with only the read storage permission can access your…

Bug Bounty

4 min read

Sep 15, 2019

GOOGLE REFERER LEAK BUG

This is a low-hanging bug I discovered in Google. This blog is going to be short and to the point. I followed the usual recon process: after enumerating subdomains, I selected https://datastudio.google.com. I tried to check for popular vulnerabilities, XSS, CSRF, SSRF and what not!!! But I couldn’t find anything. Then…

Security

1 min read

Apr 10, 2019

Multiple xss in *.skype.com (2)

PART 2: So if you have read part 1, you would have seen that I found a stored self-XSS in manager.skype.com which was getting escalated in the option (“make the USER as admin of group_name”), as group_name was not properly sanitized there. Here’s what I did to affect other users. You…

Security

2 min read

Apr 10, 2019

Multiple xss in *.skype.com

PART 1: To keep it simple, I want to make this blog to the point, instead of writing a script for MahaBharath!!! How did it all start? I was thinking of services provided by Microsoft, and Skype came to my mind. I tested out Skype but couldn’t find anything. Then after…

Security

2 min read
