Hey everyone, I'd like to share how I found a stupid misconfiguration (no password confirmation on the account delete functionality) and related it to clickjacking. I was looking for something to hunt when I got a new invite on HackerOne. I was like, wow, it's time to earn something with low-hanging fruit. I always try to find low-hanging issues; I have a small list of low-hanging issues that can be tested everywhere, with no information required about the target. I always attempt these before going to recon.
No password confirmation on the account delete functionality is also somewhere in my testing list; the only reason this issue exists in my list is that it's mostly triaged on Bugcrowd. Hahaha
I found it on a private program, so the policy does not allow me to disclose the program name. When I visited the program I didn't get anything from my testing list, but when I created an account and visited My Profile I found the account delete functionality. I accidentally triggered the button and, shit, the account was deleted.
I'm so lazy, like an alligator, to create another one again, so I closed the target (generally like "Kaun Mennat Kare") and went to watch YouTube stuff.
The next day, I created an account again and tried to find privilege and IDOR issues but didn't get anything. I knew that the issue under discussion would surely be addressed as N/A. I thought, let's make a forged game page having a Start button, so that when the victim clicks on that button his/her account will be wiped out.
I created an HTML game page having a button and wrote a simple report.
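The root cause of the chain above is a state-changing delete action that can be reached from a framed page and that asks for nothing the attacker cannot supply (no password re-entry, no anti-CSRF token, and no anti-framing headers on the page that hosts the button). The following is an added example, not code from the original post or from the affected program; it shows, in plain Python with no framework, how a defender can (1) classify a response's anti-framing posture from its `X-Frame-Options` and `Content-Security-Policy` headers and (2) write a delete-account handler that refuses unless the request is a POST carrying a valid CSRF token and a fresh password confirmation, while emitting the anti-framing headers itself. All names (`DeleteAccountHandler`, `framing_protection`, the user and token stores) are hypothetical.

```python
"""Added example (not from the original post or the affected program):
defensive checks for an account-delete action that could be clickjacked
and executed without password confirmation. Names are hypothetical."""
import hashlib
import hmac
import secrets


def framing_protection(headers: dict) -> str:
    """Classify anti-framing posture: 'blocked', 'restricted', or 'none'.

    Per the CSP spec, a frame-ancestors directive takes precedence over
    X-Frame-Options when both are present, so it is checked first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "blocked"
            return "restricted"          # 'self' or an explicit origin list
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    return "none"                        # framable from any origin


def make_user(password: str) -> dict:
    """Constructed user record: salted PBKDF2 hash, no plaintext stored."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash}


class DeleteAccountHandler:
    """Minimal delete handler: POST only, CSRF token, password re-entry."""

    # Headers every response from this endpoint carries so the page that
    # hosts the delete button cannot be embedded in an attacker's frame.
    ANTI_FRAMING = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }

    def __init__(self, users: dict):
        self.users = users               # username -> record from make_user
        self.csrf_tokens = {}            # session_id -> single-use token

    def issue_csrf_token(self, session_id: str) -> str:
        """Embed this in the confirmation form; it is consumed on success."""
        token = secrets.token_urlsafe(32)
        self.csrf_tokens[session_id] = token
        return token

    def _password_ok(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     rec["salt"], 100_000)
        return hmac.compare_digest(digest, rec["pw_hash"])

    def handle(self, method: str, session_id: str, username: str,
               form: dict) -> tuple:
        """Return (status, message, headers) for a delete request."""
        headers = dict(self.ANTI_FRAMING)
        if method.upper() != "POST":
            return 405, "use POST", headers      # no GET-triggered deletes
        expected = self.csrf_tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(supplied, expected):
            return 403, "missing or invalid CSRF token", headers
        if not self._password_ok(username, form.get("password", "")):
            return 403, "password confirmation required", headers
        self.csrf_tokens.pop(session_id, None)   # token is single-use
        del self.users[username]
        return 200, "account deleted", headers


if __name__ == "__main__":
    users = {"alice": make_user("correct horse")}
    h = DeleteAccountHandler(users)
    tok = h.issue_csrf_token("sess-1")
    print(h.handle("POST", "sess-1", "alice", {"csrf_token": tok}))
    print(h.handle("POST", "sess-1", "alice",
                   {"csrf_token": tok, "password": "correct horse"}))
```

Any one of the three checks in `handle` would have broken the reported chain: a password prompt means a single click in a disguised frame is not enough, a per-session CSRF token cannot be supplied by a cross-origin page, and `frame-ancestors 'none'` stops the profile page from being framed at all. Run `framing_protection` against the headers of the page that hosts a destructive button; a result of `"none"` on such a page is the condition the report above relied on.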
They marked it as N/A 4 times because clickjacking and no password confirmation are generally out of scope in the managed program. In the last comment before locking the submission, I attached a POC showing the real impact of the reported issue. They again marked it as N/A 5 times and locked the submission.
After 3 days, HackerOne staff unlocked the submission and marked it as Triaged.
Bingo!!!! After one month, $750 was credited.
Thanks for Reading!
I'm an entrepreneur, freelance security consultant, and bug hunter with years of experience and a deep interest in the InfoSec industry. I love to speak and write about web and mobile application pen-testing and bug bounty. You can reach me at