Scribd
Upload
210 views123 pages

Bug Bounty Hunting Insights

Arne Swinnen presented vulnerabilities found during a bug bounty hunt of Instagram. He began with an introduction and setup that included using man-in-the-middle attacks and signature key phishing. Vulnerabilities found included infrastructure issues like subdomain hijacking, web vulnerabilities such as profile tabnabbing and directory enumeration, and mobile app issues. Rewards ranged from $500 to $2500 depending on the vulnerability. Facebook responded thanking him for the reports but many did not qualify for the bounty program.

Uploaded by

José Francisco
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
210 views123 pages

Bug Bounty Hunting Insights

Arne Swinnen presented vulnerabilities found during a bug bounty hunt of Instagram. He began with an introduction and setup that included using man-in-the-middle attacks and signature key phishing. Vulnerabilities found included infrastructure issues like subdomain hijacking, web vulnerabilities such as profile tabnabbing and directory enumeration, and mobile app issues. Rewards ranged from $500 to $2500 depending on the vulnerability. Facebook responded thanking him for the reports but many did not qualify for the bounty program.

Uploaded by

José Francisco
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 123

THE TALES OF A BUG

BOUNTY HUNTER

ARNE SWINNEN
@ARNESWINNEN
HTTPS://WWW.ARNESWINNEN . NET
WHOAMI
• Arne Swinnen from Belgium, 26 years old
• IT Security Consultant since 2012
• Companies I have directly worked for:

Currently Past

One packer to rule them all Cyber Security Challenge


Belgium

2
AGENDA
• Introduction
• Setup
• Man-in-the-Middle
• Signature Key Phishing
• Vulnerabilities
• Infrastructure: 1
• Web: 2
• Hybrid: 4
• Mobile: 2
• Conclusion
• Q&A

3
INTRO

4
INTRODUCTION

Motivation

• Intention since 2012


• CTF-like, with rewards
• Write-ups

Timing

• Since April 2015


• Time spent: +-6 weeks
• Vacations sacrificed 

5
INTRODUCTION

• “Facebook for Mobile Pictures”: iOS & Android Apps, Web


• 400+ Million Monthly Active Users in September 2015
• Included in Facebook’s Bug Bounty Program 

6
INTRODUCTION
Public account Private account

7
SETUP

8
MAN-IN-THE-MIDDLE

9
MAN-IN-THE-MIDDLE

10
MAN-IN-THE-MIDDLE
• Attempt 1: Android Wifi Proxy Settings

11
MAN-IN-THE-MIDDLE
• Attempt 1: Android Wifi Proxy Settings (ctd.)

Instagram v6.18.0
25/03/2015
12
MAN-IN-THE-MIDDLE
• Attempt 1: Android Wifi Proxy Settings (ctd.)

Instagram v6.18.0
25/03/2015
13
MAN-IN-THE-MIDDLE
• Attempt 2: Ad-hoc WiFi Access Point

Personal Android device Personal Macbook Pro Android Test Device


USB Tethering ON Internet Sharing via WiFi ON Connected to Ad-hoc Network
14
MAN-IN-THE-MIDDLE
• Attempt 2: Ad-hoc WiFi Access Point (ctd.)

Instagram v6.18.0
25/03/2015
15
MAN-IN-THE-MIDDLE
• Attempt 2: Ad-hoc WiFi Access Point (ctd.)

Instagram v6.18.0
25/03/2015
16
SIGNATURE KEY PHISHING

17
SIGNATURE KEY PHISHING
signed_body=
0df7827209d895b1478a35a1882a9e1c8
7d3ba114cf8b1f603494b08b5d093b1.
{"_csrftoken":"423d22c063a801f468f2
1d449ed8a103","username":"abc","gu
id":"b0644495-5663-4917-b889-
156f95b7f610","device_id":"android-
f86311b4vsa5j7d2","password":"abc",
"login_attempt_count":"11"}

HMAC
SHA256
18
SIGNATURE KEY PHISHING
signed_body=
0df7827209d895b1478a35a1882a9e1c8
7d3ba114cf8b1f603494b08b5d093b1.
{"_csrftoken":"423d22c063a801f468f2
1d449ed8a103","username":"abc","gu
id":"b0644495-5663-4917-b889-
156f95b7f610","device_id":"android-
f86311b4vsa5j7d2","password":"abc",
"login_attempt_count":"11"}

HMAC
SHA256
19
SIGNATURE KEY PHISHING

20
SIGNATURE KEY PHISHING

HMAC
SHA256
Key

21
SIGNATURE KEY PHISHING

22
SIGNATURE KEY PHISHING

23
SIGNATURE KEY PHISHING

24
SIGNATURE KEY PHISHING

25
SIGNATURE KEY PHISHING

26
SIGNATURE KEY PHISHING

27
SIGNATURE KEY PHISHING

28
VULNERABILITIES

29
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

# python subbrute.py instagram.com

30
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
# python subbrute.py instagram.com
instagram.com
www.instagram.com
blog.instagram.com
i.instagram.com
admin.instagram.com
mail.instagram.com
support.instagram.com
help.instagram.com
platform.instagram.com
api.instagram.com
business.instagram.com
bp.instagram.com
graphite.instagram.com
...
31
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

32
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

33
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

34
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

How to exploit?

35
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

Domain=instagram.com httponly

36
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

37
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
a) Claim 10.* IP on local network & start local webserver of
http://graphite.instagram.com
b) Lure victim into browsing to http://graphite.instagram.com
while being authenticated to https://www.instagram.com
c) Copy session cookie & hijack session

38
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

Thank you for your reply. This issue has been discussed at great lengths with the
Facebook Security Team and while this behavior may be changed at some point
in the future, it is not eligible for the bug bounty program.

39
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

Thank you for your reply. This issue has been discussed at great lengths with the
Facebook Security Team and while this behavior may be changed at some point
in the future, it is not eligible for the bug bounty program.

40
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

41
INFRASTRUCTURE

42
INFRASTRUCTURE

Source: https://exfiltrated.com/research-Instagram-RCE.php 43
INFRASTRUCTURE

$2500
Source: https://exfiltrated.com/research-Instagram-RCE.php 44
WEB
2. Public Profile Tabnabbing

45
WEB
2. Public Profile Tabnabbing

46
WEB
2. Public Profile Tabnabbing

47
WEB
2. Public Profile Tabnabbing

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-
window-opener-location-replace/

We have previously been made aware of this issue and are in the process of
investigating it. Thank you for submitting it to us. Please send along any
additional security issues you encounter.

48
WEB
2. Public Profile Tabnabbing

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-
window-opener-location-replace/

We have previously been made aware of this issue and are in the process of
investigating it. Thank you for submitting it to us. Please send along any
additional security issues you encounter.

49
WEB
3. Web Server Directory Enumeration

https://instagram.com
50
WEB
3. Web Server Directory Enumeration

https://instagram.com/?hl=en 51
WEB
3. Web Server Directory Enumeration

https://instagram.com/?hl=./en 52
WEB
3. Web Server Directory Enumeration

53
WEB
3. Web Server Directory Enumeration

54
WEB
3. Web Server Directory Enumeration

https://instagram.com/?hl=../locale/en 55
WEB
3. Web Server Directory Enumeration

https://instagram.com/?hl=../wrong/en 56
WEB
3. Web Server Directory Enumeration

57
WEB
3. Web Server Directory Enumeration

42 hits for
../<GUESS>/../locale/nl/

58
WEB
3. Web Server Directory Enumeration

Thank you for sharing this information with us. Although this issue does not
qualify as a part of our bounty program we appreciate your report. We will
follow up with you on any security bugs or with any further questions we may
have.

59
WEB
3. Web Server Directory Enumeration

Thank you for sharing this information with us. Although this issue does not
qualify as a part of our bounty program we appreciate your report. We will
follow up with you on any security bugs or with any further questions we may
have.

60
WEB
3. Web Server Directory Enumeration

My apologies on my previous reply, it was intended for another report.



After reviewing the issue you have reported, we have decided to award you a
bounty of $500 USD.

61
WEB
3. Web Server Directory Enumeration

My apologies on my previous reply, it was intended for another report.



After reviewing the issue you have reported, we have decided to award you a
bounty of $500 USD.

62
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy
{
"status": "ok",
"media": {
"organic_tracking_token":
"eyJ2ZXJzaW9uIjozLCJwYXlsb2FkIjp7ImlzX2FuYWx5dGljc190cmFja2VkIjpmYWx
zZSwidXVpZCI6IjYxNGMwYzk1MDRlNDRkMWU4YmI3ODlhZTY3MzUxZjNlIn0sIn
NpZ25hdHVyZSI6IiJ9",
"client_cache_key": "MTExODI1MTg5MjE1NDQ4MTc3MQ==.2",
"code": "-E1CvRRrxr",
(...SNIP...)
"media_type": 1,
"pk": 1118251892154481771,
"original_width": 1080,
"has_liked": false,
"id": "1118251892154481771_2036044526"
},
"upload_id": "1447526029474"
}
63
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

Private
account

64
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

Private
account

65
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

Private
account

66
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1


Host: i.instagram.com

HTTP/1.1 200 OK
(…SNIP…)

{"status":"ok","permalink":"https:\/\/2.zoppoz.workers.dev:443\/https\/instagram.com\/p\/-E1CvRRrxr\/"}

67
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

Private
account

68
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

@Kevin @MikeyK @BritneySpears @msvigdis


Pk: 3 Pk: 4 Pk: 12246775 Pk: 12246776
1pJ1DhgBD- 159sxaABXG 16jJhVG8HU iV93JDG8Ue
1kHzf_gBLp 1onIDogBf3 1yFoqcm8D9 XMUVDFm8X8
0-pshJgBAg 0yi-hjgBaE 1tejnLm8Co VuWAQam8Xv
09pY_OgBPX 0k_oZWABSU 1r59lSm8GX Vj81GHm8W9
0l1GTXABDo 0gboKEgBYr 1qrMPRG8AB UEoTBAG8Sy
0k_apGABDm 0UDrVFgBVJ 1ghW7RG8B2 TfpmTGm8QP
0f5P_6ABOe z-maEDgBWK 1T3KHhm8N2 TWbKzfm8f-
0GEiJKABAC z5HB2BgBbj 1Q2H_WG8LX TVOOKEm8To
0BuHO9ABOx zxeRSGgBaL 1OywdMm8Lf TThPzXm8cm
z-9x5aABEq zSqgd5ABco 1H2JvGG8DL TS3Swlm8dZ
z8QVuXABD6 zQ6VkUABdH 08dtcTG8Hb TOtd3tm8Ve
z4vsirABO4 zJDzvRgBbR 00exOYm8Br TOfRfAm8aZ
z2KV0OgBIE zBrTlsABXv 0yXTU6m8MN TJikVLm8W9

69
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

70
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy
Private victim account Public attacker account
(monitored by attacker) (generated right after monitor hit)
1yCwjTJRnk 1yCwodpTlC
1yC05mJRnq 1yC0_ApTlL
1yC5PqpRnu 1yC5UopTlX
1yC9nTJRnw 1yC9repTlk
1yDGULpRn9 1yDGaDpTl1
1yDKrvpRoB 1yDKvtJTl8
1yDPCCpRoI 1yDPHVpTl_
1yDTZGpRoO 1yDTdvpTmH
1yDXxRpRoW 1yDX1fJTmP
1yDgdBpRol 1yDgj6JTmb
1yDk1qpRop 1yDk6ypTme
1yD6mjpRpT 1yD6sCpTnL
1yEDSqpRpn 1yEDXYJTnU
1yEHpNJRpt 1yEHuTpTnc
1yEQWTpRqD 1yEQb3pTnw
1yEUtCJRqL 1yEUyJJTn5
1yEZEKJRqU 1yEZI3pToI
1yEdaxpRqe 1yEdfEpToO
71
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

Final entropy: 2 * 64^4 = 33.554.432 possibilities


 Feasible!

72
WEB + MOBILE
4. Private Account Shared Pictures Token Entropy

After reviewing the issue you have reported, we have decided to award you a
bounty of $1000 USD.

73
WEB + MOBILE
5. Private Account Shared Pictures CSRF

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1


Host: i.instagram.com
User-Agent: Instagram 7.10.0 Android (19/4.4.4; 320dpi; 768x1184; LGE/google;
Nexus 4; mako; mako; en_US)
Cookie:
sessionid=IGSC0098a4bee11b593953fd4a3fe0695560f407a103d8eef9f5be083ff2
1e186673:PEVejQeSkS2p8WYxAEgtyUWdXz9STvKM:{"_token_ver":1,"_auth_us
er_id":2036044526,"_token":"2036044526:7DcRpg1d0ve5T0NkbToN5yVleZUh0Ifh
:571e05df8ecd8de2efc47dca5f222720233234f6f0511fb20e0ad42c1302ea27","_au
th_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refre
shed":1447525940.04528,"_platform":1}

HTTP/1.1 200 OK
(…SNIP…)

{"status":"ok","permalink":"https:\/\/2.zoppoz.workers.dev:443\/https\/instagram.com\/p\/-E1CvRRrxr\/"}
74
WEB + MOBILE CSRF

5. Private Account Shared Pictures CSRF

75
WEB + MOBILE CSRF

5. Private Account Shared Pictures CSRF

a) Find Private Account pictures image_id

b) Find permalink of Shared Private Account picture

76
WEB + MOBILE
5. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id

77
WEB + MOBILE
5. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture

78
WEB + MOBILE
5. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture

After reviewing the issue you have reported, we have decided to award you a
bounty of $1000.

79
WEB + MOBILE
6. Email Address Account Enumeration

80
WEB + MOBILE
6. Email Address Account Enumeration

81
WEB + MOBILE
6. Email Address Account Enumeration

82
WEB + MOBILE
6. Email Address Account Enumeration

83
WEB + MOBILE
6. Email Address Account Enumeration

84
WEB + MOBILE
6. Email Address Account Enumeration

After reviewing the issue you have reported, we have decided to award you a
bounty of $750 USD.

85
WEB + MOBILE
7. Account Takeover via Change Email Functionality

86
WEB + MOBILE
7. Account Takeover via Change Email Functionality

Spot the difference

87
WEB + MOBILE
7. Account Takeover via Change Email Functionality

88
WEB + MOBILE
7. Account Takeover via Change Email Functionality

89
WEB + MOBILE
7. Account Takeover via Change Email Functionality

90
WEB + MOBILE
7. Account Takeover via Change Email Functionality

91
WEB + MOBILE
7. Account Takeover via Change Email Functionality

User Email address(es) Instagram account


victim [email protected] pentestingvictim
attacker [email protected]
[email protected]

92
WEB + MOBILE
7. Account Takeover via Change Email Functionality

Scenario: Assume temporary access for an attacker to victim session

Man-in-the-Middle Cross-site Scripting Physical access to


(before SSL Pinning) Vulnerability unlocked phone

93
WEB + MOBILE
7. Account Takeover via Change Email Functionality

Victim Attacker

Email [email protected] [email protected]

Reclaim link https://instagram.com/accounts/disavow/xjo94i/ https://instagram.com/accounts/disavow/xjo94i/


OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZz TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJ
FAZ21haWwuY29t/ AZ21haWwuY29t/

Currently owns
victim account
94
WEB + MOBILE
7. Account Takeover via Change Email Functionality

Victim Attacker

Email [email protected] [email protected]

Reclaim link https://instagram.com/accounts/disavow/xjo94i/ https://instagram.com/accounts/disavow/xjo94i/


OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZz TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJ
FAZ21haWwuY29t/ AZ21haWwuY29t/

Currently owns
victim account
95
WEB + MOBILE
7. Account Takeover via Change Email Functionality

Victim Attacker

Email [email protected] [email protected]

Reclaim link https://instagram.com/accounts/disavow/xjo94i/ https://instagram.com/accounts/disavow/xjo94i/


OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZz TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJ
FAZ21haWwuY29t/ AZ21haWwuY29t/

Wins!

96
WEB + MOBILE
7. Account Takeover via Change Email Functionality

After reviewing the issue you have reported, we have decided to award you a
bounty of $2000 USD.

97
MOBILE
8. Private Account Users Following

98
MOBILE
8. Private Account Users Following

99
MOBILE
8. Private Account Users Following

GET /api/v1/discover/su_refill/?target_id=2036044526 HTTP/1.1


Host: i.instagram.com
Connection: Keep-Alive
Cookie:
sessionid=IGSCd064c22cd43d17a15dca6bc3a903cb18e8f9e292a859c9d1289ba26
8103ee563%3A1WJvjHstqAnPj0i5dcjVRpgcn3wCRQgk%3A%7B%22_token_ver%
22%3A1%2C%22_auth_user_id%22%3A2028428082%2C%22_token%22%3A%2
22028428082%3AYeZzCYWQLGD8D7d3NzFIbBiWlYJVVa7G%3A078ae8d72b728
46a6431945fd59c38f1b04b8f93dd6ec4b20165693e65b21915%22%2C%22_auth_u
ser_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22
%2C%22last_refreshed%22%3A1441031445.81182%2C%22_platform%22%3A1%
7D; ds_user=pentestingvictim

100
MOBILE
8. Private Account Users Following
HTTP/1.1 200 OK
(…SNIP…)
{
"status": "ok",
"items": [
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "springsteen",
"has_anonymous_profile_picture": false,
"profile_pic_url": "https:\/\/2.zoppoz.workers.dev:443\/http\/scontent-ams2-1.cdninstagram.com\/hphotos-
xfa1\/t51.2885-19\/11370983_1020871741276370_1099684925_a.jpg",
"full_name": "Bruce Springsteen",
"pk": "517058514",
"is_verified": true,
"is_private": false
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": ["https:\/\/2.zoppoz.workers.dev:443\/http\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-
15\/s150x150\/e35\/11373935_872054516217170_419659415_n.jpg?"],

101
MOBILE
8. Private Account Users Following
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "pentesttest",
"has_anonymous_profile_picture": true,
"profile_pic_url": "https:\/\/2.zoppoz.workers.dev:443\/http\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
"full_name": "rest",
"pk": "1966431878",
"is_verified": false,
"is_private": true
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": [],
"large_urls": [],
"media_infos": [],
"media_ids": [],
"icon": ""
}]
}

102
MOBILE
8. Private Account Users Following
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "pentesttest",
"has_anonymous_profile_picture": true,
"profile_pic_url": "https:\/\/2.zoppoz.workers.dev:443\/http\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
"full_name": "rest",
"pk": "1966431878",
"is_verified": false,
"is_private": true
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": [],
"large_urls": [],
"media_infos": [],
"media_ids": [],
"icon": ""
}]
}

103
MOBILE
8. Private Account Users Following

After reviewing the issue you have reported, we have decided to award you a
bounty of $2,500 USD.

104
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

105
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

106
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

107
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

108
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

109
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

110
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

111
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

This is intentional behavior in our product. We do not consider it a security


vulnerability, but we do have controls in place to monitor and mitigate abuse.

112
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

This is intentional behavior in our product. We do not consider it a security


vulnerability, but we do have controls in place to monitor and mitigate abuse.

113
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

This is intentional behavior in our product. We do not consider it a security


vulnerability, but we do have controls in place to monitor and mitigate abuse.

114
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

1 account 100 accounts


$2 / h $200 / h
$48 / day $4.800 / day
$1.440 / month $144.000 / month

115
MOBILE
9. Steal Money Through Premium Rate Phone Numbers

Hello again! We'll be doing some fine-tuning of our rate limits and work on the
service used for outbound calls in response to this submission, so this issue will
be eligible for a whitehat bounty. You can expect an update from us again when
the changes have been made. Thanks!

...

After reviewing the issue you have reported, we have decided to award you a
bounty of $2000 USD.

116
CONCLUSION

117
CONCLUSION
# Vulnerability Category Bounty
1 Instagram.com Subdomain Hijacking on Local Network Infrastructure $0
2 Employee Email Authentication Brute-Force Lockout Infrastructure $0
3 Public Profile Tabnabbing Web $0
4 Web Server Directory Enumeration Web $500
5 Private Account Shared Pictures Token Entropy Hybrid $1000
6 Private Account Shared Pictures CSRF Hybrid $1000
7 Email Address Account Enumeration Hybrid $750
8 Account Takeover via Change Email Functionality Hybrid $2000
9 Private Account Users Following Mobile $2500
10 Steal Money Through Premium Rate Phone Numbers Mobile $2000 + 1
Total $9750 + 1
118
CONCLUSION https://www.letuschange.net

# Vulnerability Category Bounty


1 Instagram.com Subdomain Hijacking on Local Network Infrastructure $0
2 Employee Email Authentication Brute-Force Lockout Infrastructure $0
3 Public Profile Tabnabbing Web $0
4 Web Server Directory Enumeration Web $1000
5 Private Account Shared Pictures Token Entropy Hybrid $1000
6 Private Account Shared Pictures CSRF Hybrid $2000
7 Email Address Account Enumeration Hybrid $1500
8 Account Takeover via Change Email Functionality Hybrid $2000
9 Private Account Users Following Mobile $2500
10 Steal Money Through Premium Rate Phone Numbers Mobile $4000 + 1
Total $14000 + 1
119
CONCLUSION
SDLC Mapping Summary

8%

Development (6)
50% Design (5)
42%
Maintenance (1)

120
CONCLUSION

Hunting Reporting Disclosing

121
CONCLUSION

# Vulnerability Category Bounty


10 XXXX Mobile ?
11 XXXX Mobile ?
12 XXXX Mobile ?
13 XXXX Web ?
14 XXXX Infrastructure ?
Total ?

122
THANK YOU!
ANY QUESTIONS?

123

You might also like