The gist of the vulnerability was an expectation that nobody would ever find their origins if they had some crazy hostname:

"asuhdfo8a7ys8dfas.website.com" type of setup. In front of this origin they had a server that did auth and auth only. If your auth worked at the edge, the request was sent to the origin. The problem is I found a specific input that caused an error dumping a stack trace that contained the origin hostname. I took the original request and replayed it directly at the origin. To my surprise, the response was the same as going through the auth server. Then I changed the user id to some integer that wasn't mine and got information back. Then I quit playing with it and sent an email.

This leaves me in a weird spot because I was fuzzing them looking for details when I was fully aware they did not have a bug bounty program. Why did I do this? Because I was using the app myself, I'm a security guy, and I had read about a cool exploit with the Uber app. It only took about 5 minutes of setting up Burp Proxy for my phone with SSL and 5 more minutes of auditing to find an input that dumped the stack trace.
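The failure described in the comment above is an origin that trusts the network: whatever reaches it is served, and the user id is taken straight from the URL, so anyone who learns the hostname gets both an auth bypass and an IDOR. The example below is added here and is not the commenter's code or the affected company's; it sketches one way the origin could verify that a request really came through the auth edge and that the caller is allowed to read the record it asks for. The header names (X-Edge-User, X-Edge-Ts, X-Edge-Sig), the path shape /api/users/<id>/profile, the shared secret and the user records are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import time

# Shared secret between the auth edge and the origin. Constructed for this
# example; in a real deployment it comes from a secrets manager and is rotated.
EDGE_SECRET = b"example-edge-origin-shared-secret"
MAX_SKEW_SECONDS = 60

# Constructed sample data standing in for the origin's user store.
USER_RECORDS = {
    "42": {"name": "alice", "email": "alice@example.com"},
    "43": {"name": "bob", "email": "bob@example.com"},
}


def _user_id_from_path(path):
    """Extract the user id from paths shaped like /api/users/<id>/profile (assumed shape)."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[0] == "api" and parts[1] == "users" and parts[3] == "profile":
        return parts[2]
    return None


def edge_sign(method, path, user_id, ts, secret=EDGE_SECRET):
    """HMAC over method, path, authenticated user and timestamp. Binding the
    signature to the path means a signed request for /users/42 cannot be
    edited into one for /users/43 without invalidating it."""
    msg = "\n".join([method, path, user_id, str(ts)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def edge_forward(request, authenticated_user, now=None, secret=EDGE_SECRET):
    """What the auth edge does after a successful login check: stamp the request
    with the authenticated subject and a signature the origin can verify."""
    ts = int(now if now is not None else time.time())
    headers = dict(request.get("headers", {}))
    headers["X-Edge-User"] = authenticated_user
    headers["X-Edge-Ts"] = str(ts)
    headers["X-Edge-Sig"] = edge_sign(request["method"], request["path"], authenticated_user, ts, secret)
    return {"method": request["method"], "path": request["path"], "headers": headers}


def origin_vulnerable(request):
    """Origin as described in the comment: no check that the edge was involved,
    and the record returned is whatever id appears in the URL."""
    user_id = _user_id_from_path(request["path"])
    record = USER_RECORDS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def origin_hardened(request, now=None, secret=EDGE_SECRET, max_skew=MAX_SKEW_SECONDS):
    """Origin that verifies the edge's signature, rejects stale timestamps, and
    authorizes the URL's user id against the authenticated subject. Error bodies
    are deliberately generic: no stack traces, no internal hostnames."""
    headers = request.get("headers", {})
    subject = headers.get("X-Edge-User")
    ts_raw = headers.get("X-Edge-Ts")
    sig = headers.get("X-Edge-Sig")
    if not (subject and ts_raw and sig) or not ts_raw.isdigit():
        return 401, {"error": "unauthenticated"}
    expected = edge_sign(request["method"], request["path"], subject, int(ts_raw), secret)
    if not hmac.compare_digest(expected, sig):
        return 401, {"error": "unauthenticated"}
    current = int(now if now is not None else time.time())
    if abs(current - int(ts_raw)) > max_skew:
        return 401, {"error": "unauthenticated"}
    user_id = _user_id_from_path(request["path"])
    if user_id is None:
        return 404, {"error": "not found"}
    if user_id != subject:
        return 403, {"error": "forbidden"}
    record = USER_RECORDS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record
```

Run against a request sent straight to the origin with no edge headers, `origin_vulnerable` returns the record while `origin_hardened` returns 401; a request the edge signed for user 42 is served only for /api/users/42/profile and gets 403 for 43. The signed-header check is a second layer, not a substitute for restricting the origin at the network level so that only the edge can reach it at all, and the timestamp window only limits replay rather than preventing it; a nonce store would be needed to reject exact replays inside the window.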
