Hacking LINE’s bucket.
I’m Muhammad Julfikar Hyder, a newbie at Bug Bounty hunting. This is my first writeup about Bug Bounty hunting. Today I’m going to share something about my recent findings.
Last week, I was hunting for bugs at one of the biggest social media sites, LINE. There, I saw an AWS S3 bucket called “line-example.” Here, “example” is just a keyword I’m using instead of the real bucket name. Let me first explain what AWS is and what it is used for. Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery, and other functionality to help businesses scale and grow. Running web and application servers in the cloud to host dynamic websites
Okay, let’s get back to my story. I just stopped there. I fired up my terminal and put in a command with my AWS cli like this: “aws s3 ls s3://line-example.”
The outcome surprised me! The bucket directory was open! I just smiled like this!
Then I thought, what if I can upload or delete something there? I fired up my terminal again. I tried to upload something with this command. “aws s3 cp ‘julfikar.txt’ s3://line-example”
Then I tried to delete this file with the command “aws s3 rm s3://line-example/julfikar.txt.”
I was surprised again! It was accepting my requests to upload files! Also, I used my external command to delete files from the bucket!
This was a High severety issue! I was so excited about this. I also reported the problem to LINE with @Hackreone.
But maybe that was my good luck because it had already been submitted by another researcher! I accepted this as my good luck because I always think positively. This will push me to learn more; this is a kind of lesson. Getting a bounty is unimportant. I believe I have the ability to make or break those systems; I believe they are more important right now. Bounty is just like a gift! And we should never expect gifts! Let’s learn first! And then remove he ‘l’.
I’m ending the story here. Thanks for your time, guys.
“About the author: Muhammad Julfikar Hyder is a bug bounty hunter and cybersecurity enthusiast. You can follow them on Twitter at @thejulfikar for more security tips and updates on their latest findings.”
