How I found a PII leak in a massive entertainment company exposing millions of users' emails.

Hello hackers, I hope you are doing well. It's been a few months since I wrote my last blog. Well, I discovered this bug a very long time ago and I'm only writing about it today. Sorry for that 🥲

For those of you who don't know what the Hotstar platform is:

Hotstar, now known as Disney+ Hotstar, is a popular Indian over-the-top (OTT) streaming service. It offers a vast library of content including movies, TV shows, live sports (including Indian Premier League cricket), and original programming. It’s owned by JioStar, a part of Disney.

As always, the story begins.

One of my friends discovered a bug in Hotstar and got awesome swag. The next day he wore the Hotstar T-shirt at the office. The T-shirt looked good to me.

I thought, why not give Hotstar a try and earn some swag 🤔

I immediately searched for the Hotstar bug bounty and started digging into its scope.

Within a few hours I was surprised to find a High severity bug 😁

So the bug was easy to find, but I think it was overlooked by other researchers.

Here the catch was that when you visited the vulnerable subdomain it showed nothing, just a blank white page, so I started looking into the JS files. But I still got nothing 🙁

Then my gut feeling kicked in and a voice in my mind whispered, "Fuzz…"

Then I fuzzed the domain and got the word leaderboard.

When I put leaderboard at the end of the URL, below was the screen I saw.

I immediately fired up my Burp Suite and visited a user profile.

On the client side it showed nothing, however when you looked at the same request's response in Burp Suite, there was the email ID of that user 😅
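As an added example (not code from the original post or from Hotstar), the pattern behind this class of bug: a profile record serialized whole with the client trusted to hide what it does not render, beside an allowlist projection and a regression check that flags email-like values in a public endpoint's response. The record, field names and values are constructed assumptions, not Hotstar's schema.

```python
import json
import re

# Constructed sample of a server-side profile record (hypothetical fields;
# not the real application's schema).
USER_RECORD = {
    "id": 1042,
    "display_name": "cricket_fan_07",
    "email": "user@example.com",
    "score": 8830,
    "rank": 3,
}

# Fields the leaderboard UI actually needs. Anything not listed never leaves the server.
LEADERBOARD_PUBLIC_FIELDS = ("id", "display_name", "score", "rank")

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def serialize_user_unsafe(record):
    """Over-exposure pattern: the whole record is serialized and the front end
    simply does not render the sensitive fields, so they are still in the response."""
    return json.dumps(record)


def serialize_user_public(record):
    """Hardened: allowlist projection, so a sensitive column added later
    is not exposed by default."""
    return json.dumps({k: record[k] for k in LEADERBOARD_PUBLIC_FIELDS if k in record})


def find_pii_in_response(body):
    """Regression check for a public endpoint: return every email-like string
    found anywhere in the JSON body, so a test can assert the list is empty."""
    hits = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and EMAIL_RE.fullmatch(node):
            hits.append(node)

    walk(json.loads(body))
    return hits


if __name__ == "__main__":
    print("unsafe :", find_pii_in_response(serialize_user_unsafe(USER_RECORD)))
    print("public :", find_pii_in_response(serialize_user_public(USER_RECORD)))
```

The check runs over the raw response body rather than the rendered page, which is exactly where the leak above was visible.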

I immediately reported this vulnerability, and within a few weeks below was the response from the Hotstar team.

I was over the moon by that response 😀😀

Reward from Hotstar

Thanks for reading this blog till the end 😊. I hope you gained some knowledge from it.

If you liked my blog you can show me some love by hitting the clap button 👏👏👏 as many times as you wish.

Have a good day. Happy hacking🙌🙌❤️❤️.

Here is my LinkedIn, feel free to connect with me.
