Thursday, August 30, 2012

How I made $740 in ten minutes for reporting a vulnerability

Two months ago I read in a popular blog that the bank (where I have my account) is extending its vulnerability reward program. "Why not?" - I thought, and started to google the bank's sites to find a target for the attack. In ten minutes I found that one of the sites was leaking customer data. Probing specially crafted URLs with sequential IDs and an omitted security token allowed me to download large portions of the database with sensitive data. No further actions were needed, so I just filed the report. The bank's employee mailed me back and told me that they needed time to confirm it. Today I got the mail notifying me that the vuln was confirmed, patched and valued at $740 (the max bounty in this program is $1k). I think it's worth ten minutes of googling, right? :-)
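The bug class described above (a record-by-ID endpoint that never checks the security token or who owns the record, so a sequential-ID sweep walks the whole table) is easy to reproduce in miniature. The following is an added example written for this page, not code from the bank or from the post; the record store, the customer names, the `SERVER_KEY` value and the handler signatures are all constructed for illustration. It places the vulnerable handler beside a fixed one and runs the same sequential probe against both:

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Hypothetical server-side key; in a real deployment this lives in a secret store.
SERVER_KEY = b"example-server-key"


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    data: str


# Constructed sample data: three customers' records under sequential IDs.
DB = {
    1001: Record(1001, "alice", "alice's statement"),
    1002: Record(1002, "bob", "bob's statement"),
    1003: Record(1003, "carol", "carol's statement"),
}


def issue_token(owner: str, record_id: int) -> str:
    """Per-record security token bound to the customer it was issued to
    (HMAC over owner and record ID, keyed with the server secret)."""
    msg = f"{owner}:{record_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def fetch_vulnerable(record_id: int, session_user: str,
                     token: Optional[str]) -> Optional[Record]:
    """The leaking handler: looks the record up by ID only. The token and the
    session user are never consulted, so anyone can walk the ID space."""
    return DB.get(record_id)


def fetch_fixed(record_id: int, session_user: str,
                token: Optional[str]) -> Optional[Record]:
    """The hardened handler: a token must be present, the record must belong to
    the session user, and the token must be the one issued to that user for
    that record. Missing or foreign tokens and foreign IDs all fail closed."""
    rec = DB.get(record_id)
    if rec is None or token is None:
        return None
    if rec.owner != session_user:
        return None                     # ownership check (stops the IDOR)
    expected = issue_token(session_user, record_id)
    if not hmac.compare_digest(token, expected):
        return None                     # constant-time token check
    return rec


def sweep(handler: Callable[[int, str, Optional[str]], Optional[Record]],
          session_user: str, token: Optional[str],
          id_range: Iterable[int]) -> List[int]:
    """Sequential-ID probe: return the IDs for which the handler hands back a
    record. Used here to measure how much each handler exposes."""
    return [i for i in id_range if handler(i, session_user, token) is not None]


if __name__ == "__main__":
    probe = range(1000, 1010)
    # An unauthenticated caller with no token at all:
    print("vulnerable:", sweep(fetch_vulnerable, "mallory", None, probe))
    print("fixed:     ", sweep(fetch_fixed, "mallory", None, probe))
    # A legitimate customer with their own token sees only their own record:
    print("bob:       ", sweep(fetch_fixed, "bob", issue_token("bob", 1002), probe))
```

The point of the `sweep` helper is that a missing authorization check shows up as a count: the vulnerable handler returns every record that exists in the probed range regardless of who asks, while the fixed handler returns only the caller's own record and only when the caller presents the token issued to them for it.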