My first Hall of Fame (HoF) | Bug Bounty Journey.
How you can get yours too.
A Brief Intro about me
My name is Rivek Raj Tamang and i am a security researcher, and an upcoming Bug Bounty Hunter. *WoW sounds real nice XD*
I have been learning about CyberSecurity, Ethical hacking and penetration testing for few years had been doing Tryhackme for 365 days straight. Learning various courses and getting EC-Council’s CEH as well. However I really wanted to pursue bug bounty hunting, But due to a job offer as a Penetration Tester by ranking top 100 pan India via a CTF competition I got busy with it. (You can find my writeup on it as well)
Eventually I had to resign due to some unforseen circumstances, But was enrolled and had been continuing my Masters in Computer Application with a specialization in Cybersecurity as well, and currently in my final year.
So with the time I had in my hand, what else could I do ? But learn more in depth about real world bug hunting and cybersecurity right ?
Obviously Yes ! So i went at it, with all my might !
So lets start the tale …
How did i find my target ?
I simply found my target via google dorking. You can look it up online to know how to use google dorking.
There are tons of Private Programs which provide Hall of fames, swags, and bounties as well.
My target was Autoglam.pk
Finding the bug ?
So after searching for so many programs for this bug i could not get any luck, i kept on searching for days and days until finally. i Stumbled upon something.
While checking the social media button links on Autoglam.pk on specifically twitter page it was redirecting to twitter/autoglampk which should be working as intended, however …
I clicked on it and guess what ? The page said error “This account does not exist”.
So guess what ? I quickly used a temporary email to create a twitter account with the same username and tried to hijack the broken link.
Note: Keep the credentials properly i had nearly lost it lol.
Guess what ? I was able to create it.
Then like the Big Bang Theory fan i was, i quickly set up a page with Sheldon’s favourite word.
So now whenever someone tried to click on the autoglampk twitter handle it redirected to my twitter account page.
“Broken Link Hijacking” successful.
Broken Link Hijacking happens when a website links to a page or account that no longer exists. An attacker can claim that abandoned link, redirecting users to their own content.
Impact: This can harm the brand’s reputation, mislead users, or be used for phishing and spreading harmful content.
Reporting and honour
Then i quickly made a Video POC showing the same thing in detail along with a well structured and written bug report with screenshots as well.
After few days later, I got a reply back saying
I was very happy with the reply and hopeful. I released the username and after few days later i got a reply again.
Quickly checked the hall of fame list and my name and my linkedin profile was added and they were even kind enough to send a certificate as well.
So that’s the tale of my first Hall of Fame and a really fun one.
Tips and Tricks
- To find broken link hijacking check the social media pages of your target.
- You can even use a website to check for broken links https://www.deadlinkchecker.com/ .
- Further you can also find shortened urls used by the target organization and check if it is valid or not and can be hijacked.
- If you are able to successfully hijack the broken link, hold it for a while until they respond and write a proper bug report with impact and detailed description for a fruitful outcome.
Stay tuned for more tips and tricks on my bug bounty journey, and don’t hesitate to reach out for advice or collaboration!. I will be writing more in the future for sure and sharing my findings, tips and tricks to contribute to the community i learn from everyday.
We also have a community of hackers and bug bounty hunters on whatsapp group feel free to join: https://chat.whatsapp.com/DD3NTchIGlF9Fg1tRMSpPs
Feel Free to connect with me on linkedin: https://www.linkedin.com/in/rivektamang/
Support me to write more content like this by buying me a coffee at buymeacoffee.com/RivuDon
