Education

Hunting for cyber bugs

Just how safe are you when surfing the Ne   | Photo Credit: Freepik

As a third year B.tech student in Computer Science from Lovely Professional University (LPU), I am a cyber-enthusiast and passionate about bug hunting. A few months ago, Microsoft announced the launch of a new version of the chromium-based Edge browser, which includes new features and the sync support for passwords, history, users’ favourites, and settings across Windows, MacOS, iOS, and Android. So my friend and fellow student, Shivam Kumar Singh, and I decided to bug hunt together and chose Microsoft Edge, as it was running a bounty programme. We thought we could earn credits if we found something.

We found that the Microsoft Translator has a vulnerability code involving uXSS (Universal Cross Site Scripting). As soon as we translated a page on the Edge browser, we began getting multiple pop-ups. When we this on Chrome, we found no such irregularity. This alerted us to the fact that there was a vulnerability in Edge, which was a threat to the privacy of users’ data. Due to this, if a user browsed any website on Edge and selected the translation tool to change the language, an arbitrary code would generate, thus giving hackers access.

What we did

We created an account on Facebook with a name in a different language and XSS payload. We sent a request to a friend who uses Edge for browsing. As soon as he checked our new Facebook profile, we hacked his account. With the vulnerability, we could hack the users’ YouTube, Google and Windows store application as well. We reported this flaw to the Microsoft Edge Bug Bounty programme, after which the security flaw we reported was reviewed and fixed in the latest release of the Microsoft Edge Stable Channel. We also won the $20K bounty.

Over the years, Shivam and I have reported bugs in more than 100 companies including Apple, Ebay, Udemy, Quora, NordVPN, and others. I have also founded a company called CyberXplore, a cybersecurity-focused learning and solution provider. So far, I have bagged more than $35,000 as bug bounties.

The writer is a third-year B.Tech student, Lovely Professional University


Our code of editorial values

This article is closed for comments.
Please Email the Editor

Printable version | Oct 18, 2021 8:09:52 AM | https://www.thehindu.com/education/how-two-students-from-india-found-a-bug-on-a-popular-browser-and-won-a-reward-by-reporting-it/article36376843.ece

Next Story