
What to do if you find a security vulnerability in mobile application?

Discussion in 'BlackHat Lounge' started by nikhil79, Mar 13, 2016.

  1. nikhil79

    nikhil79 Registered Member

    Joined:
    Aug 5, 2011
    Messages:
    92
    Likes Received:
    19
    So there's an Android application with over a million downloads and it has a security vulnerability by which you can log in to any user's account and make changes in their account, get their email IDs, alternate contact numbers, physical address, etc. There are no debit card or credit card details, but I can activate some points which will cause monetary loss to the user.

    My question is how I can benefit from this without getting into any legal action or getting into any problem.
     
  2. nSnoopy

    nSnoopy Registered Member

    Joined:
    Jun 8, 2013
    Messages:
    65
    Likes Received:
    22
    Report it to the developers and hope they will reward you with some cash.
     
  3. gavinshew

    gavinshew BANNED

    Joined:
    Jan 26, 2016
    Messages:
    32
    Likes Received:
    3
    You have proof of it?
     
  4. gavinshew

    gavinshew BANNED

    Joined:
    Jan 26, 2016
    Messages:
    32
    Likes Received:
    3
    Sorry double post.
     
  5. nikhil79

    nikhil79 Registered Member

    Joined:
    Aug 5, 2011
    Messages:
    92
    Likes Received:
    19
    Yes, I can give a full demo to prove.
     
  6. nikhil79

    nikhil79 Registered Member

    Joined:
    Aug 5, 2011
    Messages:
    92
    Likes Received:
    19
    I am also thinking that contacting the developers is the best option.
     
  7. THUNDERELVI

    THUNDERELVI Elite Member

    Joined:
    Sep 12, 2009
    Messages:
    2,399
    Likes Received:
    2,074
    Gender:
    Male
    Location:
    W3
    Get every single user's email first and then contact the developers. Trust me, 9 times out of 10 they will just thank you for it but won't give you any money, or maybe too little. But if you have a super targeted list of 1 million emails, it's worth at least 7 figures, if you know what to do with it of course. Nobody will know if you play it safe and don't spam the users too hard.
     
    Last edited: Mar 13, 2016
  8. nikhil79

    nikhil79 Registered Member

    Joined:
    Aug 5, 2011
    Messages:
    92
    Likes Received:
    19
    There's a catch in getting the email IDs: I need to have a mobile number to log in to the application, and from there all the information can be retrieved. So getting a million numbers to get a million email addresses won't be possible. Also, the email IDs won't be targeted.

    And should I contact them with my personal email ID or create a fake one? As it is a huge corporation with multiple businesses across the world, I'm being a bit paranoid about it.
     
  9. zuix33

    zuix33 Junior Member

    Joined:
    Jan 3, 2016
    Messages:
    194
    Likes Received:
    65
    Gender:
    Male
    Create a fake email and receive payment in bitcoin if you plan to contact them.
     
  10. THUNDERELVI

    THUNDERELVI Elite Member

    Joined:
    Sep 12, 2009
    Messages:
    2,399
    Likes Received:
    2,074
    Gender:
    Male
    Location:
    W3
    Can't you use the same number to log in multiple times and get different email addresses? By targeted, I meant that all emails will have something in common, which is the interest in the kind of app/game you are using. For example, if you found a vulnerability in a chess game and got 1 million chess players' emails, then you can sell them anything related to chess and have a high CR, because they are targeted; if they didn't like the app/game or find it useful, they wouldn't have installed it in the first place. When you contact them, create a fake one and don't use your real name, just in case.
     
  11. nikhil79

    nikhil79 Registered Member

    Joined:
    Aug 5, 2011
    Messages:
    92
    Likes Received:
    19
    No, it's not possible that way.

    Post count does not increase in the lounge :p so stop spamming here.
     
  12. nikhil79

    nikhil79 Registered Member

    Joined:
    Aug 5, 2011
    Messages:
    92
    Likes Received:
    19
    Anyone else have any other thoughts?
     
  13. nSnoopy

    nSnoopy Registered Member

    Joined:
    Jun 8, 2013
    Messages:
    65
    Likes Received:
    22
    When you report it to the developers, you can try to make up a story about being a freelance pentester and ask whether you can get a reward for that vulnerability.
     
  14. Boriss

    Boriss Supreme Member

    Joined:
    Nov 7, 2009
    Messages:
    1,427
    Likes Received:
    562
    Location:
    Inside a Monitor
    Contact the developers. Do the right thing!