🕵️ This Vulnerability Was Sitting in Front of Everyone — But No One Noticed
Most bugs are hidden.
Sukhveer Singh
March 31, 2026 (Updated: March 31, 2026)
Deep logic flaws.
Complex bypasses.
Weird edge cases.
But this one?
It was sitting right there…
in a normal feature…
used by thousands of users every day.
And somehow — no one noticed it.
Until I did.
🚀 The Target: A Clean, "Secure" Web App
I was testing a modern SaaS platform (let's call it):
https://dashboard.clientaxis-app[.]com
Everything looked solid:
JWT-based authentication
Clean UI
Proper API structure
No obvious low-hanging bugs
At first glance, it felt like:
"Yeah… this one's going to be tough."
But I wasn't looking for complex bugs anymore.
I was looking for missed logic.
🔍 The Feature Everyone Uses (And Trusts)
Inside the dashboard, there was a very common feature:
"Share Project"
When you click it, you get a link like: https://dashboard.clientaxis-app.com/share?project_id=88421&access=viewer
Nothing unusual.
Users share this link with teammates.
That's it.
🧠 The Thought That Changed Everything
Most hunters would move on.
But I paused and asked:
"What actually controls access here?"
Is it:
The access parameter?
The project_id?
Or server-side validation?
Because if the backend blindly trusts this…
👉 That's a problem.
🧪 Step 1: Testing the Obvious (That Everyone Ignores)
First, I changed the role: https://dashboard.clientaxis-app.com/share?project_id=88421&access=admin
Opened the link.
Result: ❌ Still viewer access
Okay — so the access parameter is ignored or validated.
Good sign.
🧪 Step 2: Changing the Project ID
Now the interesting part. https://dashboard.clientaxis-app.com/share?project_id=88422&access=viewer
I didn't own this project.
But the page loaded.
And I could see:
Project name
Team members
Internal notes
I refreshed.
Still accessible.
💥 Wait… What?
I double-checked.
Logged out → ❌ Not accessible
Logged in (any account) → ✅ Accessible
That's when it clicked:
"This link doesn't validate ownership… it just trusts the ID."
⚔️ The Vulnerability: Broken Access Control (IDOR)
This was a classic IDOR — but hidden in plain sight.
The application:
Did not verify if the user belongs to the project
Allowed access purely based on project_id
Exposed internal collaboration data
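The share handler the post describes, modelled as plain Python functions (an added example, not the platform's code): the vulnerable version hands a project to any logged-in account that supplies its project_id, and the fixed version applies the authorization check the report recommended, deriving the role from a membership table rather than from the access= parameter. Project names, user names and the membership table are constructed for this example.

```python
# Added example, not code from the post or the application it describes.
# PROJECTS stands in for the database; the members map is constructed.
PROJECTS = {
    88421: {"name": "Client Axis Rebrand", "members": {"alice": "admin", "bob": "viewer"},
            "notes": "internal notes for 88421"},
    88422: {"name": "Q3 Pricing Review", "members": {"carol": "admin"},
            "notes": "internal notes for 88422"},
}


class Unauthorized(Exception):
    """No logged-in session at all (HTTP 401)."""


class Forbidden(Exception):
    """Logged in, but not allowed to see this project (HTTP 403)."""


def share_vulnerable(session_user, project_id, access="viewer"):
    """IDOR: authentication is checked, membership is not. Any account reads any ID."""
    if session_user is None:
        raise Unauthorized("login required")          # the only check the app made
    project = PROJECTS[project_id]                    # KeyError -> 404 for unknown IDs
    # access= is ignored, matching what the post observed (admin -> still viewer)
    return {"name": project["name"], "members": sorted(project["members"]),
            "notes": project["notes"], "role": "viewer"}


def share_fixed(session_user, project_id, access="viewer"):
    """Authorization check: the role comes from the membership table, never from the URL."""
    if session_user is None:
        raise Unauthorized("login required")
    project = PROJECTS.get(project_id)
    role = project["members"].get(session_user) if project else None
    if role is None:
        # Same response whether the project is missing or the caller is not a member,
        # so the endpoint does not confirm which IDs exist.
        raise Forbidden("project not found or not accessible")
    return {"name": project["name"], "members": sorted(project["members"]),
            "notes": project["notes"], "role": role}


def outcome(handler, session_user, project_id, access="viewer"):
    """Collapse a handler call to an HTTP-style status so the two versions can be compared."""
    try:
        handler(session_user, project_id, access)
        return 200
    except Unauthorized:
        return 401
    except Forbidden:
        return 403
    except KeyError:
        return 404
```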
🧨 Why This Was Dangerous
This wasn't just viewing random data.
Projects contained:
Business documents
Internal discussions
Client-related information
With simple enumeration: project_id=88400 → 88500
An attacker could:
Map active projects
Extract sensitive company data
Spy on internal operations
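From the defender's side, the enumeration the post describes leaves a recognisable trace: one session reading many project_ids it is not a member of, often in sequence. The check below, an added example and not anything from the post, runs over constructed access-log lines for the share endpoint; the log format, the membership table and the threshold are assumptions.

```python
# Added example, not code from the post. Flags sessions that read more
# foreign project_ids than a threshold and notes whether the IDs were sequential.
import re
from collections import defaultdict

# Assumed log format: "<user> GET /share?project_id=<id>&access=<role> <status>"
LOG_RE = re.compile(r"^(?P<user>\S+) GET /share\?project_id=(?P<pid>\d+)&access=\w+ (?P<status>\d{3})$")

# Constructed sample: alice reads her own project; eve walks 88400..88404
ACCESS_LOG = """\
alice GET /share?project_id=88421&access=viewer 200
alice GET /share?project_id=88421&access=viewer 200
eve GET /share?project_id=88400&access=viewer 200
eve GET /share?project_id=88401&access=viewer 200
eve GET /share?project_id=88402&access=viewer 200
eve GET /share?project_id=88403&access=viewer 200
eve GET /share?project_id=88404&access=viewer 200
""".splitlines()

# Constructed membership table: which projects each user legitimately belongs to
MEMBERSHIPS = {"alice": {88421}, "eve": {88402}}


def find_enumerators(lines, memberships, threshold=3):
    """Return {user: {...}} for users whose foreign-ID reads reach the threshold."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # not a share request, skip
        seen[m["user"]].add(int(m["pid"]))
    alerts = {}
    for user, ids in seen.items():
        foreign = ids - memberships.get(user, set())
        if len(foreign) >= threshold:
            ordered = sorted(ids)
            sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
            alerts[user] = {"foreign_ids": sorted(foreign), "sequential": sequential}
    return alerts
```

On the vulnerable app every request returns 200, so status codes carry no signal; the membership comparison is what separates eve from alice.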
😶 Why No One Found It
Because it didn't look like a bug.
There was:
No error
No crash
No alert
Everything worked "normally."
And that's the problem.
The most dangerous bugs don't break the app.
They quietly break security.
📩 Reporting It Properly
I documented everything:
Included:
📌 Vulnerable endpoint
🔁 Repro steps (clean + simple)
🎯 Impact explanation (realistic, not exaggerated)
📊 Example of data exposure
🛠 Fix recommendation (authorization check)
No fluff. No noise. Just clarity.
⏳ The Response
Within a day:
"This is a valid access control issue. Thanks for reporting."
A few days later:
💸 Bounty awarded: $1,000
🧠 What This Bug Taught Me
1. Bugs don't hide in complexity
They hide in assumptions
2. If a feature "just works"… question it
Especially:
Sharing
Exporting
Viewing
3. IDs are attack surfaces
Anytime you see:
user_id
project_id
invoice_id
👉 Test it.
4. Most hunters overcomplicate things
You don't need:
Crazy payloads
Advanced exploits
You need:
Better questions
🚀 How You Should Think Instead
Next time you see a feature, don't ask:
❌ "Where can I inject payload?"
Ask:
✅ "What is the app trusting here?"
That one shift changes everything.
🔥 Want to Actually Find Bugs Like This?
If you're tired of:
Running tools with no results
Copy-pasting payloads
Getting ignored
Start learning the real approach:
👉 Free community & resources:
https://t.me/bugitrix
👉 Deep XSS + Web Vulns Guide:
https://www.bugitrix.com/blog/fundamentals-basics-4/cross-site-scripting-xss-guide-45
👉 Cybersecurity learning platform:
https://bugitrix.com
🎯 Want Faster Growth?
👉 1:1 Clarity Session:
https://docs.google.com/forms/d/1jthyuqt8XEmnAyUylsgcT8J0XCf8XLDTf5yt9IegW9Y/edit
👉 Build / Fix Resume & LinkedIn:
https://docs.google.com/forms/d/1aAxZ1V88fcE0iDLT_w9ZZlNEyjA0WGWU_5dJCxzhERY/edit
🧩 Final Thought
That $1,000 bug?
It wasn't hidden.
It wasn't complex.
It wasn't even protected.
It was just… ignored.
#cybersecurity #bug-hunting #bug-bounty #bug-bounty-tips #bug-bounty-writeup