Identified a hidden GraphQL endpoint in a popular app iOS version, allowing user ID swaps (IDOR) to access 20M+ users’ PII data (emails, names, photos). Reported via @Hacker0x01 & secured a $2200 bounty! 🛠️🔐 #DataBreach #BugBounty #appsec Tweet added by Lohith Gowda M @lohigowda_in

Lohith Gowda M

3 months

Identified a hidden GraphQL endpoint in a popular app iOS version, allowing user ID swaps (IDOR) to access 20M+ users’ PII data (emails, names, photos). Reported via @Hacker0x01 & secured a $2200 bounty! 🛠️🔐 #DataBreach #BugBounty #appsec

10

5

109

Shakti_

@shakti_sec

3 months

@lohigowda_in @Hacker0x01 congratulation

1

0

1

Lohith Gowda M

@lohigowda_in

3 months

@shakti_sec @Hacker0x01 Thank you😊🙌🏻

0

bugoverflow

@bugoverfl0w

3 months

@lohigowda_in @Hacker0x01 Congrats bro How can you found this hidden api? Thanks

1

0

1

Lohith Gowda M

@lohigowda_in

3 months

@bugoverfl0w @Hacker0x01 Thanks! I found this feature only on their iOS app, not on the web, because the feature has been deprecated.

1

0

1

plastic

@Subrama92965151

3 months

@lohigowda_in @Hacker0x01 ❤️💪

1

0

1

Lohith Gowda M

@lohigowda_in

3 months

@Subrama92965151 @Hacker0x01 ❤️🙌🏻

0

Smilehacker

@_smile_hacker_

3 months

@lohigowda_in @Hacker0x01 How can a triager has your profile picture?

1

0

2

Lohith Gowda M

@lohigowda_in

3 months

@_smile_hacker_ @Hacker0x01 Actually its not a triager. The company rewarded and the logo was there. That’s why did.

0

Freedom Noah

@AnonGray45

3 months

@lohigowda_in @Hacker0x01 Write up please

2

0

2

Lohith Gowda M

@lohigowda_in

3 months

@AnonGray45 @Hacker0x01 Sorry. Program is not allowing to share the write-up🙂

1

0

1

Freedom Noah

@AnonGray45

3 months

@lohigowda_in @Hacker0x01 Congratulations

1

0

1

Lohith Gowda M

@lohigowda_in

3 months

@AnonGray45 @Hacker0x01 Thanks😊

0

1

allen

@alll60616

3 months

@lohigowda_in @Hacker0x01 you deserve more than 2200

1

0

1

Lohith Gowda M

@lohigowda_in

3 months

@alll60616 @Hacker0x01 I agree. But it depends on the program. It is a private program and there is no amount mentioned for each severity.

0

Marcos Ortiz

@marcosluis2186

3 months

@lohigowda_in @Hacker0x01 First congratulations on the finding. Second: this should be higher than just $2.200. The minimum could be $10k, even higher.

1

0

1

Lohith Gowda M

@lohigowda_in

3 months

@marcosluis2186 @Hacker0x01 Thanks @marcosluis2186 😊🙏 Yeah but I don’t know how much bounty assigned to each severity. Let me check with them. Thanks again😊

1

0

1

Ashutosh Barot

@ashu_barot

3 months

@lohigowda_in @Hacker0x01 Leak of PII not treated as ' Critical ' @scarybeasts ?

1

0

1

Replies