When exploring the website https://redacted.redbull.com/, I came across an admin login page, which got me curious. After some poking around, I found a file called “Readme.md” that spilled the beans on how to access the admin panel with provided login details.
Discovery
The story begins when RedBull officially launched their bug bounty program on Intigriti. Given the wildcard scope, I was immediately intrigued, knowing the scope would be vast and teeming with potential vulnerabilities. Like many others, I began my reconnaissance using tools such as Censys, Cert.sh, Amass, and others, gathering numerous subdomains. While I did report some low-severity issues, I wasn’t satisfied. The expansive scope held the promise of more significant findings, and I was determined to uncover them.
Feeling a surge of determination, I decided to double down on my reconnaissance efforts. I spent additional hours meticulously gathering as many subdomains as possible. During this phase, I turned my attention to FOFA.info. For those unfamiliar, FOFA.info is an advanced cyber intelligence search engine that provides detailed information about internet-connected devices and services, a treasure trove for security researchers and bug bounty hunters.
As I combed through FOFA, a peculiar subdomain caught my eye. It was just a simple login page, but something about it seemed off. My curiosity was piqued, and I began to delve deeper. I inspected the source code of the application, meticulously scanning the JavaScript files for any overlooked clues.
After a long scroll to the bottom of one JavaScript file, I struck gold. There was a commented-out line instructing the developer to delete a README.md file after configuration. Intrigued, I quickly navigated to the specified link. There it was – the README.md file, untouched and full of sensitive information, including login credentials.
With these credentials in hand, I returned to the main login page, my heart pounding with anticipation. I entered the credentials and hit enter. Success! I was logged in with admin privileges. The interface lay bare before me, allowing me to edit forms and access functionalities I hadn’t expected to reach.
This find was a game-changer. Not only did it validate my enhanced reconnaissance efforts, but it also underscored the importance of thoroughness and curiosity in bug bounty hunting.
In the end, this experience taught me that persistence and a keen eye for detail are invaluable assets in the world of bug bounty hunting. Every overlooked comment, every unused file, could potentially lead to a major discovery. And this time, it certainly did.

Exposed admin credentials

Admin panel takeover

Impacts
- Admin Privileges: Full control over the web application.
- Data Exposure: Access to sensitive information, including login credentials.
- Operational Risks: Potential for downtime and operational issues.
- Security Posture: Indicated lapses in security practices.
- Regulatory Compliance: Risk of non-compliance with data protection regulations.
Conclusion
This experience serves as a valuable case study for both security professionals and bug bounty hunters. It highlights the critical role of extensive reconnaissance and meticulous attention to detail. A seemingly insignificant detail, like a commented-out line in code, can unlock a major vulnerability.
For Red Bull, this incident serves as a wake-up call. The presence of unredacted credentials and an exposed admin panel signifies a need to strengthen security practices and internal procedures. By implementing code reviews, fostering a security-conscious culture, and conducting regular penetration testing, Red Bull can prevent similar incidents in the future.
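A pre-deployment check for the two lapses described in this write-up (a setup README left in the web root, and a JavaScript comment pointing to it), added here as an example that is not part of the original post or Red Bull's code. The file-name list, the patterns and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed policy: documentation and setup notes never ship in the web root.
DOC_NAMES = re.compile(r"^(readme|install|setup|changelog|todo)(\.(md|txt|rst))?$", re.I)
# Comment telling someone to clean up a file later ("delete README.md after configuration").
CLEANUP_NOTE = re.compile(
    r"(?://|/\*|<!--).*\b(delete|remove)\b.*?\b([\w./-]+\.(?:md|txt|bak|sql|env))\b", re.I)
# Lines shaped like "password: value" or "login = value".
CRED_LINE = re.compile(
    r"\b(pass(word|wd)?|pwd|login|user(name)?|secret|api[_-]?key)\b\s*[:=]\s*\S+", re.I)

def audit_webroot(root):
    """Return (kind, relative_path, line_no) findings for a deploy directory."""
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        is_doc = bool(DOC_NAMES.match(path.name))
        if is_doc:
            findings.append(("doc-in-webroot", rel, 0))  # line 0 = the file itself
        if not (is_doc or path.suffix.lower() in {".js", ".html", ".css"}):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if is_doc and CRED_LINE.search(line):
                findings.append(("credential-in-doc", rel, no))
            elif not is_doc and CLEANUP_NOTE.search(line):
                findings.append(("cleanup-note-in-asset", rel, no))
    return findings

def build_sample(root):
    """Constructed sample tree mirroring the write-up; every value is made up."""
    root = Path(root)
    (root / "js").mkdir()
    (root / "index.html").write_text("<form action='/login'></form>\n")
    (root / "js" / "app.js").write_text(
        "function init() {}\n// TODO: delete README.md after configuration\n")
    (root / "README.md").write_text(
        "# Setup\nAdmin panel: /admin\nusername: admin\npassword: EXAMPLE-ONLY\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, rel, no in audit_webroot(tmp):
            print(f"{kind:24} {rel}:{no}")
```

Run as a CI step against the build output directory and fail the pipeline on any finding; the patterns are deliberately broad, so expect to tune them for the project's own file names.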



