How I was able to hijack Instabug highest plan account without payment

Today I am going to publicly disclose a vulnerability that I found at the company Instabug.

I was able to swap my own normal, unpaid registered account with the demo’s highly paid account: the restrictions were lifted from my own free account, giving it the full features of the highest-cost plan ($349/month) without payment. In addition, normal users trying to access the demo account would end up in my account instead.

It started when a great company (Instabug), which tests bugs found in Android and iOS apps, opened positions for hire.

As a job seeker, I was interested in applying as a penetration tester, until I found that they were launching a bug bounty program.

After thinking for a while, the question became: “Could I find a bug at a company whose business is hunting application bugs?”

The challenge started

After creating an account, I started testing their backend for any unusual behaviour, focusing on XSS vulnerabilities, once I recognized that their main website is connected to a secured API that sits in front of the database and handles all user interactions and processes.

After hours with no result, I was about to quit when I noticed that Instabug offers a demo account for trying out their services, so “mmmmm let’s try”.

The demo logged in automatically after pressing the “demo account” button. Since, as I had noted, their entire web application is connected to an API, I fired up Burp Suite to intercept the demo request and see what happens behind the scenes. And guess what!!
