The time I hacked a Fortune 500 company, but it was out of scope.
Hi :) thanks for taking some time to read my blog post. This is a short post about a bug I found during my testing of a Fortune 500 company. Unfortunately I can’t name the company and the screenshots attached are heavily redacted.
I found this bug in December of 2019, one day before Christmas. I knew the company in question had acquired another company, so I decided to concentrate my efforts on that. I started by gathering subdomains with Amass. Once I had the subdomains, I used meg (written by tomnomnom) along with my custom list of paths I like to test for. Meg can request one or multiple paths across a single host/domain or many of them, and you can then see which domains are returning 200s, 302s, etc. I usually just request the “/” root path to see which domains give me a 404 and take screenshots of those domains, since a 404 at the root typically hints at a possible subdomain takeover.
One of the sensitive paths in my custom “path” wordlist returned a 200, which I investigated immediately. I came across an open directory listing that contained a bunch of PII. I read the company’s scope again and saw that the domain was out of scope, but I decided to report the issue anyway since its impact was critical.
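The workflow above boils down to three checks: a root path answering 404 (worth a DNS/ownership check for dangling records), a 200 whose body is a directory index, and whether the host is actually inside the programme's scope before anything gets reported. The script below is an added example, not code from the original post and not part of meg or Amass; it assumes meg's index file uses lines of the form `<outfile> <url> (<status line>)`, and every hostname, hash and response body in it is constructed for illustration. An asset owner can run the same triage over their own inventory to catch dangling hosts and exposed listings before anyone else does.

```python
"""Triage meg-style index output: flag root 404s and directory listings,
then mark each finding as in or out of scope. Added example; the index
format is an assumption about meg, and all sample data is constructed."""
import re
from urllib.parse import urlparse

# Assumed meg index line: "<outfile> <url> (<status line>)"
INDEX_LINE = re.compile(
    r"^(?P<file>\S+)\s+(?P<url>\S+)\s+\((?P<status>\d{3})[^)]*\)\s*$"
)

# Constructed sample of what an index file might contain.
SAMPLE_INDEX = """\
out/app.example.com/1a2b3c https://app.example.com/ (200 OK)
out/old.example.com/4d5e6f https://old.example.com/ (404 Not Found)
out/files.example.com/7a8b9c https://files.example.com/backup/ (200 OK)
out/legacy.partner-acquired.com/0f1e2d https://legacy.partner-acquired.com/ (404 Not Found)
out/cdn.example.com/aa11bb https://cdn.example.com/ (302 Found)
"""

# Constructed response bodies keyed by the out/ file meg wrote them to.
SAMPLE_BODIES = {
    "out/files.example.com/7a8b9c":
        "<html><head><title>Index of /backup/</title></head>"
        "<body><h1>Index of /backup/</h1><a href='users.csv'>users.csv</a>",
}

# Hypothetical programme scope; wildcards cover subdomains only.
SCOPE = ["*.example.com", "example.com"]

DIR_LISTING = re.compile(r"<title>\s*Index of\s", re.I)


def parse_index(text):
    """Return one record per well-formed index line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = INDEX_LINE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("url"))
        records.append({
            "file": m.group("file"),
            "host": parsed.hostname or "",
            "path": parsed.path or "/",
            "status": int(m.group("status")),
        })
    return records


def in_scope(host, scope):
    """True if host equals a scope entry or falls under a '*.' wildcard.
    '*.example.com' matches sub.example.com but neither example.com
    nor notexample.com (the suffix check keeps the leading dot)."""
    host = host.lower().rstrip(".")
    for entry in scope:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def classify(record, body=""):
    """Tag a record: root 404 needs a DNS/ownership check, 200 with an
    'Index of' title is an exposed directory listing."""
    tags = []
    if record["path"] == "/" and record["status"] == 404:
        tags.append("root-404-check-dns")
    if record["status"] == 200 and DIR_LISTING.search(body):
        tags.append("directory-listing")
    return tags


def triage(index_text, bodies, scope):
    """Return (host, tag, in_scope) triples for every flagged record."""
    findings = []
    for rec in parse_index(index_text):
        for tag in classify(rec, bodies.get(rec["file"], "")):
            findings.append((rec["host"], tag, in_scope(rec["host"], scope)))
    return findings


if __name__ == "__main__":
    for host, tag, scoped in triage(SAMPLE_INDEX, SAMPLE_BODIES, SCOPE):
        print(f"{host:32} {tag:20} {'in scope' if scoped else 'OUT OF SCOPE'}")
```

Run against the constructed sample it reports `old.example.com` and `files.example.com` as in-scope findings and `legacy.partner-acquired.com` as out of scope, which is exactly the situation the post describes: the acquired company's host shows up in recon but the scope line decides what happens to the report.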
Instead of immediately closing my report as “informative” or “N/A”, the HackerOne team reached out and checked with the client first.
A few days later the triager informed me that the domain no longer belonged to the company.
They were even kind enough to close my report as informative so as to preserve my signal points 😅. Although I wasn’t awarded a bounty for this bug, it was a great learning experience.