🔐 From Zero to $8k: How I Stumbled Into a Critical Bug (And You Can Too!)
🌟 Intro: The Day I Accidentally Became a Hacker
Picture this: I was a broke college student, binge-watching cybersecurity tutorials, when I stumbled across a bug bounty program. Fast-forward 3 weeks, and I’d bagged $8,000 for finding a critical flaw. No, I’m not a genius — I just got curious. Here’s my story, the mistakes I made, and how you can replicate this win. 💸
🕵️ The Target: A Fintech App’s “Secure” Payment Portal
I chose a mid-sized fintech company with a public bug bounty program. Their pitch? “Unbreakable encryption!” 🛡️ My goal: Test their payment flow. Little did I know, their “secure” system had a gaping hole.
🚨 The Discovery: How a Simple Click Unlocked $8k
While testing their checkout page, I noticed something odd:
- Strange URLs: The order ID looked like `?order_id=1234`.
- Manual Tampering: I changed `1234` to `1235`… and BOOM—I accessed someone else’s order. 😱
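
The behaviour described above is what a server-side lookup keyed only on the client-supplied order ID produces. The following is an added example, not the app's code (the `ORDERS` data, user names and function names are constructed for illustration), showing that lookup beside one that checks ownership, plus a small regression check a team could run against either:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed sample store: two customers with adjacent, guessable IDs.
ORDERS = {
    1234: Order(1234, "alice", 4999),
    1235: Order(1235, "bob", 12900),
}


class NotFound(Exception):
    """Used for missing AND not-owned orders, so replies don't confirm which IDs exist."""


def get_order_vulnerable(session_user, order_id):
    # Authenticated but not authorized: session_user is never compared to the owner.
    order = ORDERS.get(int(order_id))
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_checked(session_user, order_id):
    # Hardened form: the lookup is scoped to the caller taken from the session.
    try:
        order = ORDERS.get(int(order_id))
    except (TypeError, ValueError):
        raise NotFound(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def audit_access(fetch, session_user, ids):
    """Return the IDs that `fetch` hands to session_user although they belong to someone else."""
    leaked = []
    for oid in ids:
        try:
            order = fetch(session_user, oid)
        except NotFound:
            continue
        if order.owner != session_user:
            leaked.append(oid)
    return leaked
```

Running `audit_access` as a test in CI for every object-fetching endpoint catches this class of bug before release; switching to random IDs alone does not, because the ownership comparison is still missing.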
Turns out, it was an Insecure Direct Object Reference (IDOR) flaw. The app didn’t check if I owned that order ID. Attackers could’ve: