Blog 3: My First Bug and a new LinkedIn Friend
I am an avid LinkedIn reader. I find opportunities, enjoy supporting people and applauding their successes, and learn more about their journeys to connect better with my juniors, peers & seniors.
During one such scrolling session in the latter half of 2021, I found Piyush Singh’s post on his new project, a Quiz App built using TypeScript. It was a beginner’s web app for a quiz on our favourite superheroes and other fictional characters!
Eager to find out how I would score with my limited knowledge of superheroes and animated characters, I went to the deployed live link of the project (https://quiz-1997.netlify.app/).
While logging in as a guest, I discovered that it was implemented using default credentials. This set my curious mind into a pentesting mode.
Expected response: the default credentials are hidden and cannot be seen by the user. The login takes place.
Discovered response (bug and steps to replicate it):
- In case “Login as Guest” is chosen, there is a brief window during which the credentials can be seen in the HTML code itself by “Inspecting element”.
- In case some erroneous login credentials are provided, the login page gets stuck after notifying the user of the error. In such a scenario, if the user presses “Login as Guest” (technically, the label on the button is replaced by a revolving circle of eternal waiting!), the default credentials appear in the text boxes and give the user ample time to check them using Inspect element.
Severity: Low impact (due to the nature of the Quiz app)
I commented on his post about my findings and he was eager to connect with me. After we discussed it over LinkedIn messages, he thanked me for my careful interaction with his project and set himself to the patching process.
So, this is how an inquisitive mind led me to finding a LinkedIn Friend!
“We work in the dark to serve the light, we are the Hackers!”