Unveiling the Hidden Gems: A Bug Bounty Journey of Multiple Discoveries

Delbert Giovanni Lie
4 min readMay 23, 2023

--

Hi there! It’s been a while since the last time I posted something on this platform, so I’ve made up my mind to share a unique story that I found a while ago.

Disclaimer, these findings was not done by a professional, so there might be many unnecessary steps involved.

Episode One: How it all started

This story started when my friend, Clario Johan, and I wanted to do something with our spare time. We ended up trying one of the public bug bounty programs provided by one of Indonesian’s cyber security company called Redstorm. Unfortunately, I couldn’t specify which program we participated in, but I believe it’s not necessary as I want the reader to focus on the story itself rather than the program name or the reward they offered.

The program we chose had a scope that specifically focused on their mobile app. However, what made it interesting was that their app was built on Flutter, which posed a challenge for us since we didn’t have much experience in mobile pentesting.

Such challenges didn’t make us back down; instead, we tried various approaches and even sought guidance from our seniors regarding such apps.

Episode Two: The Ugly Truth

After conducting some research and engaging in numerous Q&A sessions with our seniors, we discovered that Flutter comes with its own traffic encryption method. To bypass this protection, we needed to do a reverse engineering techniques on the Flutter app. This involved utilizing a tool called Reflutter.

The story about how we successfully reversed the app and intercepted the network will be covered in another article (link to be announced).

Episode Three: The Downfall of Security Through Obscurity

In the realm of cybersecurity, there has long been a debate surrounding the concept of “security through obscurity”. This principle suggests that by keeping the inner workings of a system or application secret, it will be inherently secure. However, our story reveals the flaws and the ultimate downfall of relying solely on this approach.

After successfully inspecting the network and API calls utilized by the app, we discovered numerous vulnerabilities within it. However, we faced a minor setback as we had to submit separate reports, as Redstorm did not provide an option to submit reports as a team. Personally, I found multiple findings ranging from informational to critical severity.

Here is a list of the findings I discovered:

  1. No rate limit on OTP request (Duplicate)
  2. OTP bypass on phone registration (Duplicate)
  3. Insecure file upload (P4 Low)
  4. No rate limit on email verification request (Duplicate)
  5. Phone number enumeration through error message (P5 Informational)
  6. Exposed windows layout lead to information leakage (P5 Informational)
  7. Existed email validation bypass (P4 Low)
  8. Failure to invalidate email link verification (P4 Low)
  9. Hardcoded OTP key lead to authorization bypass (P1 Critical)
  10. Weak root detection bypass (Duplicate)

Based on those findings, would you still stand by the concept of “security through obscurity” ? I will leave this decision up to the readers.

Episode Four: Revelations and Reflections

After discovering those vulnerabilities, I made the decision to create a report and submit it to the program owner. However, the plot twist unfolded when I realized that the report had been pending for approximately four months. Adding to the excitement, it was revealed that the program owner had abandoned the project without notifying the Redstorm team.

As a result, the reports were labeled as “triaged” but no rewards were awarded to me and my friend, the researchers. Fortunately, Redstorm took a wise course of action by assuming responsibility for the program and conducting their own analysis of the findings.

What an unexpected plot twist, right? Despite the unfavorable actions and terms from the program owner, we have gained valuable knowledge and experiences from this incident. Undoubtedly, this story will remain as one of the most memorable and significant chapters in our cyber security journey.

Episode Five: A chapter closes

In conclusion, my story serves as a reflection of a beginner navigating the vast realms of true cybersecurity. Hence, I’m really open to receiving new opinions and perspectives, whether they pertain to technical or non-technical terms. Feel free to slide into my DMs on my social media platforms to engage in further discussions.

--

--

Delbert Giovanni Lie
Delbert Giovanni Lie

Responses (1)