Tushar Sharma (@tusharsharma_0) 's Twitter Profile
Tushar Sharma

@tusharsharma_0

If this weren't for `qwerty` I don't know who I will be
|Security Engineer | Bug Bounty Hunter |

ID: 1312993688075735040

05-10-2020 05:51:15

430 Tweet

1,1K Followers

212 Following

Max Yaremchuk (@0xw2w) 's Twitter Profile Photo

This is the silliest and strangest 2FA bug I found (so far): The application generates the same TOTP key for every account. By obtaining a TOTP key for one account it's possible to obtain the current TOTP code for all other accounts.

Tushar Sharma (@tusharsharma_0) 's Twitter Profile Photo

Thank you Zerocopter!!

Vulnerabilities
- 3X SSRF leads to Port scanning ultimately creating DOS. (127.0.0.1:[PORT])
- API endpoint leaking users email and name.

#bugbounty #infosec
Dipak Kumar Das (@d1pakdas) 's Twitter Profile Photo

Got a SSRF bypass via URL Shortener.

1. Got AWS metadata by supplying http://169.254.169.254/latest/meta-data/ in the vulnerable endpoint
2. Issue fixed
3. Bypass- Shorten the URL with bit.ly and used the shortened URL in the vulnerable endpoint.
#bugbountytips
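An added example, not part of the tweet above or of any affected application: why a fix that validates only the submitted URL is incomplete, and a check that validates every redirect hop instead. The hostnames, the `DNS` and `REDIRECTS` tables, and the function names are constructed stand-ins so the code runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed stand-ins for DNS and HTTP so the example runs offline.
DNS = {"short.example": "203.0.113.10", "cdn.example": "198.51.100.7"}
REDIRECTS = {  # URL -> Location header it answers with
    "https://short.example/abc": "http://169.254.169.254/latest/meta-data/",
    "https://short.example/ok": "https://cdn.example/logo.png",
}
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def host_allowed(host):
    """True only if the host resolves to an address outside BLOCKED."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host not in DNS:          # unresolvable: fail closed
            return False
        ip = ipaddress.ip_address(DNS[host])
    ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
    return not any(ip in net for net in BLOCKED)

def naive_check(url):
    """The incomplete fix: validates only the URL the user supplied."""
    return host_allowed(urlsplit(url).hostname or "")

def check_fetch(url, max_hops=5):
    """Validate every hop of the redirect chain. Returns (allowed, chain)."""
    chain = []
    for _ in range(max_hops + 1):
        chain.append(url)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False, chain
        if not host_allowed(parts.hostname or ""):
            return False, chain
        location = REDIRECTS.get(url)  # stands in for a GET with redirects off
        if location is None:
            return True, chain         # final response, no further redirect
        url = urljoin(url, location)
    return False, chain                # redirect limit exceeded

if __name__ == "__main__":
    for u in REDIRECTS:
        print(u, naive_check(u), check_fetch(u))
```

In a real fetcher the connection should be made to the exact IP address that passed validation, so a second DNS lookup cannot return a different answer between check and use.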
shubs (@infosec_au) 's Twitter Profile Photo

I just published a blog post for the people that want to get into bug bounties. I hope it helps people that are thinking about doing bug bounties, but haven't started yet. It explains what to expect and how to deal with common problems / situations: shubs.io/so-you-want-to…

Hussein Daher (@hussein98d) 's Twitter Profile Photo

Video of my talk at Security BSides Ahmedabad is finally out!🌟
🟥 Watch it on youtube: youtu.be/xnx0IQMQD3o
🟥 Slides available at webimmunify.com/bsides

Thank you for your support. I'm looking forward to giving back more to the community soon 🎉
#bugbounty #cybersecurity
Omid Rezaei (@omidxrz) 's Twitter Profile Photo

I just published a write-up about an account takeover where I abused reverse proxy to hijack the OAuth Code. blog.voorivex.team/hijacking-oaut…

Nagli (@galnagli) 's Twitter Profile Photo

Curious about what a $20,000 OAuth bug I discovered at a Live Hacking Event last year looks like? Today you can dive into an exact replica and see for yourself! I've collaborated with Ben Sadeghipour & HackingHub to create walkthrough video + demo lab 🧪 youtube.com/watch?v=VLgB2f…

Tushar Sharma (@tusharsharma_0) 's Twitter Profile Photo

Finished in the Top 10 of the Q1 India Leaderboard on HackerOne! Really hard with a full-time job 😅😥

Best quarter in terms of bounties earned on HackerOne

Reported some quality bugs. Some of them, coming in collaboration with Yash Sharma

#hackerone #bugbounty
Tushar Sharma (@tusharsharma_0) 's Twitter Profile Photo

In June, I submitted 42 vulnerabilities to 14 programs on HackerOne. #TogetherWeHitHarder hackerone.com/last-month

Reached 5000 reputation on HackerOne and finished in the Top 10 in the Quarterly Leaderboard (Apr-June).

#bugbounty #hackerone