Hey Google, Let's Submit a Bug from the Victim's Account!

Virtuvil
4 min read · Jul 18, 2022

Introduction

Hello friends, this is Prasanth Elangovan (aka Virtuvil), a security researcher and ethical hacker from India. This is the story of how my bug bounty journey helped me pay my college fees.

Let’s get started by explaining how I can submit a bug report using another user’s account without their authentication on bughunters.google.com.

While scrolling through LinkedIn, I noticed numerous posts about people receiving huge Google rewards for their findings. So I decided to hunt on Google.

After spending 7–8 hours, I discovered a privilege escalation on a Google domain, and I wrote a report to submit via bughunters.google.com.

The thought “Harey bhai, why didn’t you check bughunters.google.com?” suddenly occurred to me as I typed the report on bughunters.google.com.

What if we discovered a bug during the submission process? Come on! Simply give it a shot.

Let’s fire up Burp and then submit the privilege escalation bug. After submitting the report, I reviewed each and every request and response that Burp captured from bughunters.google.com.

One of those requests caught my attention. That is what follows.

What if we changed the mail address?

It’s time to give it a shot! So I sent that request to Repeater and changed the email address to victim@mail.com. In this case, I used my secondary email address.

Guess what? I received 200 OK responses. And the bug was submitted to Google using the victim’s account.

I got more excited! 😁

And here, HTML, content, and text injection are also possible by modifying the request’s other details. So I quickly submitted the bug and waited for a response.

The status was updated three to seven days later. Yes! My report was triaged by Google.

Like everyone else, I was also expecting the reward. 😁
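The behaviour described above comes down to the server taking the reporter's identity from an editable field in the request body. The sketch below is an added example, not code from the original post or from Google: a hypothetical report-submission handler in its weak form next to a hardened form that binds the reporter to the authenticated session, plus output escaping for the injectable fields. The session store, function names and field names are all assumptions.

```python
import html

# Constructed session store: token -> authenticated account (hypothetical).
SESSIONS = {"tok-researcher": "researcher@example.com"}

class Forbidden(Exception):
    pass

def submit_vulnerable(token, body):
    """Weak form: any logged-in user can file as whoever 'email' names."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return {"reporter": body["email"], "title": body["title"]}

def submit_hardened(token, body):
    """Reporter identity comes from the server-side session only."""
    account = SESSIONS.get(token)
    if account is None:
        raise Forbidden("not authenticated")
    claimed = body.get("email")
    if claimed is not None and claimed.lower() != account.lower():
        # Reject instead of silently overriding, so the mismatch can be logged.
        raise Forbidden("reporter does not match authenticated account")
    return {"reporter": account, "title": body.get("title", "")}

def render_report(report):
    """Escape user-controlled fields at output time to stop HTML injection."""
    return "<h1>{}</h1><p>from {}</p>".format(
        html.escape(report["title"]), html.escape(report["reporter"]))

if __name__ == "__main__":
    # Constructed request body with a reporter that is not the session owner.
    forged = {"email": "victim@mail.com", "title": "<b>PrivEsc</b>"}
    print(submit_vulnerable("tok-researcher", forged))  # filed under the other account
    try:
        submit_hardened("tok-researcher", forged)
    except Forbidden as exc:
        print("rejected:", exc)
    own = submit_hardened("tok-researcher", {"title": "<b>PrivEsc</b>"})
    print(render_report(own))
```

Rejected mismatches are worth logging with the session's account and the claimed address, since a run of them from one session is a direct signal of tampering.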

I received the update from Google after a few days. :(

Not again!
I got another duplicate from Google.

Story behind this bug :)

I was studying M.Sc. cybersecurity in October 2021. One Thursday, I received notice that I needed to pay my third semester fees. There were only two months left to pay the fees. I had some knowledge of networking and cloud-related technologies, so I started looking for different freelance jobs the day after I got the notification. :(

Even though I was a noob in the security field at the time, I was still doing bug bounties. Initially, I got 100+ duplicates. 😌

At the time, I received a duplicate from Google as well. It is common for me to receive duplicates and informative messages. 😐

But, luckily, I received $400 from another program for discovering a privilege escalation bug and I paid my college fees without any delay. :)

Thank you for reading this far. Please DM if you have any questions.

I’ve written other articles as well. I will describe how I discovered complete account takeover without user interaction (how I paid my final semester fees) and other bugs as well.

Thanks always to NithishKumar M and Vasanth GN

Contact: LinkedIn


Written by Virtuvil

I'm a networking and cyber security student with a wide variety of experiences. Passionate about Networking, Linux Server Administration, Vulnerability Analysis
