Shazam — First Hacking Bug Bounty!

Shazam — First Hacking Bug Bounty!

It was the end of my Grade 12th Preboard exams and I needed something to destress, and what better way to destress by bug hunting (atleast after doing something as awful highschool exams).

Typically, I just browse through the apps on my phone and start looking for my next target everytime I bug hunt. This time I thought it should be something different than the Facebook family of apps.

Instead of reverse engineering their app, I took different approach this time. I decided to take a look at their corp servers instead. I recently came across shodan.io which is a database of connected devices.

shodan.io homepage

That's cool and all, but one of the coolest part about Shodan is that they also let you apply pretty specific filters. These filters even work to search for metadata within SSL certificates. I used this to filter by "Common Name" as *.shazam.com and shazam.com and happened to find a couple servers on their network.

My first instinct was to test these for heartbleed - one of the most trending vulnerabilities from 2014. To my surprise, they turned to be vulnerable to heartbleed - even in 2017!

I sent out this report to Shazam and within a couple days got a response from the team with the bug bounty notification.

Incredibly grateful to Shazam for this bug bounty, even though they didn't have an established bounty program at that time (this is all before the Apple acquisition).

Timeline:

Initial Report – Jan 23, 2017

Initial response from Shazam – Jan 24, 2017

Bounty Awarded – Jan 26, 2017

Did you find this article valuable?

Support Ananay Arora by becoming a sponsor. Any amount is appreciated!