You Can Find This Bug in ANY Website (How I Changed P5 to P1 Using Chain Vulnerability)

medium.com · Tamilselvan A K · 15 days ago · research
Tamilselvan A K · ~5 min read · March 28, 2026 (Updated: March 28, 2026)

Security today is supposedly ironclad. Multi-factor authentication, SSL certificates, advanced firewalls… But what if I told you that all these layers can crumble because of one tiny misconfiguration?

What if I told you that the professional email you received from Amazon or Google yesterday could have been sent by a 16-year-old kid from his bedroom? Sounds crazy, right? (Don't worry, Amazon and Google are secure… or are they? Security is just a myth after all.)

Let me show you how I discovered this vulnerability and how it escalated into something much scarier than I ever imagined.

The Discovery: When Email Authentication Fails

It started with a simple recon on a target website. Nothing fancy, just basic enumeration.

Step 1: Subdomain Discovery

I fired up my favorite subdomain finder: https://subdomainfinder.c99.nl/

The website was mostly static — not much attack surface for traditional bugs. That's when I decided to check something most bug hunters ignore: email security.

Step 2: The SPF Investigation

What is SPF? Sender Policy Framework (SPF) is like a bouncer at an exclusive club. It's a DNS record that tells receiving mail servers: "Only these specific servers are allowed to send email on behalf of our domain."

Think of it this way: if someone tries to send an email claiming to be from [email protected], the receiving mail server looks up the SPF record for that domain. If the sending server isn't on the approved list, the email is rejected or marked as spam. But what happens when there's no bouncer at all?

I used Kitterman's SPF validator: https://www.kitterman.com/spf/validate.html

Result: No SPF record found.

Translation: anyone, anywhere, could send emails pretending to be from this company.

Step 3: The First Attempt (That Failed)

My first instinct was to use online email spoofing tools like https://emkei.cz/

I crafted emails from:
- [email protected]
- [email protected]
- [email protected]

But here's the thing — these online tools are hit or miss. Maybe you've experienced this before: sometimes the emails never reach the inbox, because many receiving SMTP servers have already blacklisted these tools' sending domains. I needed something more reliable.

Step 4: The SMTP Struggle

I tried setting up my own SMTP server. I tried PHP scripts. Everything required domain verification or a complex setup. This is where I got stuck for a week. But persistence pays off in bug hunting.

Step 5: The Game Changer

After a week of frustration, I discovered this repository: https://github.com/karthi-the-hacker/SocialEngineer

Option 4 in this tool was exactly what I needed. Within minutes, I had successfully sent spoofed emails from the target company's domain. The proof-of-concept was complete.

But this wasn't the end of the story. This was just the beginning.

The Plot Twist: When P5 Becomes P1

Remember my previous blog post about certificate template leakage? If not, here's the core concept: How I Found a Business Logic Flaw in a Growing EdTech Website (P1 Bug) (medium.com)

I had discovered that a company was using Django to automate certificate generation. Upload data, auto-fill names, generate certificates — simple and efficient. But there was a critical flaw: the company had no certificate verification system.

Each certificate had a "unique ID," but it was completely meaningless. It wasn't backed by any database or verification mechanism.

What did this mean?
- Anyone with the template could generate fake certificates
- I could put any name on a certificate (mine, yours, or even Elon Musk's)
- Create any random ID and boom — an "authentic" certificate
- The company would never know

This was already a serious business logic flaw affecting their core offering, trust, and brand reputation. But then the lightbulb moment hit me.

I wasn't just a bug hunter anymore. I had become the company. I could now:
- Edit the certificate templates with ANY information I wanted
- Generate certificates for courses that never existed
- Send them via spoofed emails from official company addresses
- Create entire educational programs out of thin air
- Issue employment letters, recommendations, anything
- Make it all look 100% legitimate

The company was literally MINE now.

Final Thoughts

Finding a vulnerability in a website is common. But chaining small flaws together is what turns it into real impact.

To every student interested in cybersecurity: "Individually, bugs are harmless — but together, they can shake an entire system. What you choose to do with that power defines you."

https://coff.ee/tamilselvanak

Read my other blogs!
- How I Found a Business Logic Flaw in a Growing EdTech Website (P1 Bug) (medium.com)
- How I (Ethically) Hacked My College Portal with a JWT Token — and Reported It Responsibly (medium.com)
- How I Built a Python Virus That Bypasses Antivirus and Hacks Windows — Step-by-Step Guide (medium.com)

✍️ Written by: Tamilselvan A K
🎓 3rd Year Student
🛡️ Cybersecurity Enthusiast | Ethical Hacker | AI & DS Student
🔗 Let's connect on LinkedIn

Tags: #cybersecurity #security-misconfiguration #bug-bounty #bug-bounty-writeup #ethical-hacking
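To check the "no bouncer" condition from Step 2 on your own domains, and the DMARC policy that tells receivers what to do when SPF fails, here is an added example; it is not part of the original post or of any tool the post links to. It assumes the DNS TXT records for the domain and its _dmarc subdomain have already been fetched and are passed in as a dict; the sample records below are constructed and belong to no real domain.

```python
import re

ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)

def assess_domain(domain, txt_records):
    """Return finding codes; txt_records maps a DNS name to the TXT strings returned for it."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("NO_SPF")           # the case in the post: nothing limits who may send
    elif len(spf) > 1:
        findings.append("MULTIPLE_SPF")     # RFC 7208 permerror: receivers get no usable policy
    else:
        terms = spf[0].split()[1:]
        qual = next((ALL_TERM.match(t).group(1) for t in terms if ALL_TERM.match(t)), None)
        if qual in (None, "", "+"):
            findings.append("SPF_PERMISSIVE")   # '+all' or no 'all' term: every sender passes
        elif qual == "?":
            findings.append("SPF_NEUTRAL")      # '?all' gives receivers no reason to reject
        if sum(1 for t in terms if LOOKUP_MECH.match(t)) > 10:
            findings.append("SPF_TOO_MANY_LOOKUPS")  # over the RFC 7208 limit: permerror
    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("NO_DMARC")         # nothing tells receivers what to do on failure
    else:
        m = re.search(r"(?:^|;)\s*p=(\w+)", dmarc[0], re.I)
        if not m or m.group(1).lower() == "none":
            findings.append("DMARC_MONITOR_ONLY")  # p=none reports spoofing but does not block it
    return findings

def header_from_spoofable(findings):
    """True when a DMARC-enforcing receiver would still accept a forged From: for the domain:
    no enforcing DMARC policy, or SPF '+all' (which passes and aligns for any sender)."""
    return bool({"NO_DMARC", "DMARC_MONITOR_ONLY", "SPF_PERMISSIVE"} & set(findings))

# Constructed sample answers, not any real domain's records; a live tool would fetch the
# TXT records for <domain> and _dmarc.<domain> from DNS instead of using this dict.
SAMPLE = {
    "nospf.example": {"nospf.example": ["some-site-verification=abc123"]},
    "weak.example": {"weak.example": ["v=spf1 include:_spf.mailhost.example ?all"],
                     "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]},
    "good.example": {"good.example": ["v=spf1 mx include:_spf.mailhost.example -all"],
                     "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"]},
}

if __name__ == "__main__":
    for name, records in SAMPLE.items():
        found = assess_domain(name, records)
        print(f"{name}: {found or ['OK']} spoofable={header_from_spoofable(found)}")
```

A domain that comes back with NO_SPF and NO_DMARC is exactly the situation found in Step 2; the fix on the defending side is to publish an SPF record ending in -all plus a DMARC record with p=quarantine or p=reject, and to watch the rua reports for failures.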