How I Made $200 in 2 Minutes on HackerOne - Zomato Bug Bounty Program - POC

Introduction

In the vibrant world of bug bounty hunting, opportunities can arise when least expected. One day, while exploring the HackerOne platform, I discovered a bug bounty program for Zomato, an online food delivery service. Intrigued, I decided to target their main domain, zomato.com, as it was within the program's scope. Here's how I made $200 in just two minutes by discovering a significant vulnerability.

Step 1: Subdomain Enumeration

As any diligent bug bounty hunter would do, my first step was to conduct thorough subdomain enumeration. Utilizing tools like Subfinder, Sublist3r, and MassDNS enabled me to gather an array of subdomains associated with Zomato. Meanwhile, I also deployed a custom tool to examine the domain for any broken links.

Unfortunately, my initial scans revealed no broken links on the Zomato domain that day. However, I was determined to explore further.

Step 2: Reviewing Third-Party Links

Next, I shifted my focus to identifying any third-party links present on the main Zomato website. While sifting through the links, one stood out: a Google Drive link. My curiosity led me to explore this link, which directed me to a folder named "Recordings."

Upon opening the folder, I was shocked to find numerous customer call recordings. More alarmingly, these recordings contained sensitive personally identifiable information (PII) of customers, including names, addresses, and phone numbers. The exposure of such critical information constituted a serious PII leak.
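To illustrate the third-party link review described above, here is an added Python example (written for this page, not the author's custom tool) that extracts the links from a page's HTML, separates first-party from third-party destinations, and flags links to file-sharing services so their sharing settings can be reviewed before anyone else finds them. The sample HTML, the example.com URLs and the list of file-sharing hosts are constructed assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts of file-sharing services whose share links deserve an access review.
# This set is an assumption of the example, not an exhaustive catalogue.
FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "onedrive.live.com"}


class LinkExtractor(HTMLParser):
    """Collects href/src targets from a page, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(urljoin(self.base_url, value))


def registrable(host):
    # Two-label approximation of the registrable domain (no public-suffix list);
    # good enough for the example, an assumption rather than a general rule.
    return ".".join(host.lower().split(".")[-2:])


def classify_links(page_url, html):
    """Return (first_party, third_party, flagged) lists of absolute URLs."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    own = registrable(urlsplit(page_url).hostname)
    first, third, flagged = [], [], []
    for link in parser.links:
        parts = urlsplit(link)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip mailto:, javascript:, fragments and the like
        host = parts.hostname.lower()
        if registrable(host) == own:
            first.append(link)
        else:
            third.append(link)
            if host in FILE_SHARE_HOSTS or registrable(host) in FILE_SHARE_HOSTS:
                flagged.append(link)
    return first, third, flagged


# Constructed sample page (not Zomato's real HTML) so the scanner runs offline.
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://blog.example.com/post">Blog</a>
<a href="https://www.facebook.com/example">Facebook</a>
<a href="https://drive.google.com/drive/folders/EXAMPLE_FOLDER_ID">Recordings</a>
<img src="https://cdn.example.com/logo.png">
"""

if __name__ == "__main__":
    first, third, flagged = classify_links("https://www.example.com/", SAMPLE_HTML)
    print("third-party:", *third, sep="\n  ")
    print("review sharing settings:", *flagged, sep="\n  ")
```

Pointing it at a site's own pages gives a defender the same list a hunter would compile, so each flagged share link can be checked for "anyone with the link" access.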

Step 3: Reporting the Vulnerability

Realizing the potential impact of this vulnerability, I promptly drafted a report detailing my findings and submitted it to Zomato through the HackerOne platform. Within just 30 minutes, I received confirmation that Zomato had resolved the issue, and as a token of appreciation for my responsible disclosure, they awarded me a bounty of $200.

This is an example of how quickly and effectively one can make a meaningful impact in the world of cybersecurity, and earn a modest payout in the process! My report regarding this vulnerability has since been disclosed, and I'll include a link to it in the description for those interested in detailed insights.

As I continue on my journey in bug bounty hunting, I look forward to sharing more tutorials and experiences. Don't forget to subscribe for upcoming content!


Keywords

  • Bug bounty
  • HackerOne
  • Zomato
  • Subdomain enumeration
  • PII leak
  • Report
  • Vulnerability
  • Customer call recordings

FAQ

Q1: What is a bug bounty program?
A1: A bug bounty program is an initiative offered by organizations to encourage ethical hackers to find and report security vulnerabilities in their systems. Participants are rewarded for their contributions.

Q2: How did you discover the PII leak?
A2: After conducting subdomain enumeration and examining third-party links, I found a Google Drive link that contained sensitive customer call recordings with personally identifiable information.

Q3: What tools do you recommend for subdomain enumeration?
A3: Some effective tools for subdomain enumeration include Subfinder, Sublist3r, and MassDNS, which help gather a list of subdomains associated with a target domain.

Q4: How quickly can one get paid for finding vulnerabilities through bug bounty programs?
A4: Payout times can vary by organization, but in my case with Zomato, I received the payout within 30 minutes after reporting the vulnerability.

Q5: Are all bug bounty reports publicly disclosed?
A5: Not all reports are publicly disclosed. It depends on the organization's policy and the nature of the vulnerability. In my case, the report was disclosed after the issue was resolved.