Finding bugs should be rewarded

How I got blocked from Ricardo.ch

I’m currently working on a side project to find your stolen bike on marketplace websites such as Ricardo (stay tuned for updates). Doing so meant digging through some public facing APIs they expose. Often when I’m having a “look under the hub” I will try entering things like this into the search fields:

"><script>alert('hello :)')</script>

If a pop-up with text hello :) shows up, it means I can execute any javascript on the client side if I form a malicious link to the page like https://www.website.com/search?q="><script>alert('hello')</script>. This is called an XSS (X-Site-Scripting) vulnerability and can potentially be used to steal cookies from users.

It didn’t work on Ricardo. Instead I got a screen telling me I was blocked and that I should reach out to customer service to get unblocked. They also provided the email address to theit platform security team and mentioned they have a bug bounty program!

Bug bounties

Bug bounty programs give rewards to people finding bugs and/or vulnerabilities on a website. Intrigued, I reached out to the Ricardo security team:

Hope my little XSS attempt didn’t wake anybody up ;) I just stumbled around on your page and tried some JS as an input value. Of course I’d notify you if you were vulnerable. Sorry about that! PS: didn’t know you had a bounty program, would love to give that a try!

And less than 12 hours later I had a response in my inbox:

Hi Chris, no worries! If you are interested in joining our bug bounty program, please register at bugcrowd.com and send me your bugcrowd email address. I’ll invite you to our program then.

Pretty neat! I followed their instructions and am now registered as a “security researcher” on bugcrowd 👍

Bad bug handling

The whole experience felt great. I was informed why I was blocked, how I could get unblocked and best of all how I can make some money with their bug bounty program. They noticed my interest and want to put my skills to use. This stands in stark contrast to some other companies whose websites are buggy or vulnerable.
When I worked as a research assistant for ZHAW, I was crawling and scraping many websites for a corpus linguistics project. I found many bugs on many websites. From XSS attacks as described above to SQL Injections which allowed me to bypass admin logins. When I found these bugs I always alerted the owners of the website about the potential danger they’re in.
910 times this was the response:

Dear sir
Stop hacking us or we will sue you!!!1

- Company

Which made me stop looking for bugs and definitively made me stop report bugs if I found them.

So, here’s to you Ricardo! Keep the nice bug bounty program ✌️ You can expect to hear more from me once I digged a bit deeper on your page ⛏

PS: If anyone from ricardo is reading this: hit me up to discuss if my app is allowed to use your GraphQL API!

so long

comments powered by Disqus