It was the end of my Grade 12 pre-board exams and I needed something to de-stress, and what better way to de-stress than bug hunting (at least after something as awful as high-school exams).
Typically, I just browse through the apps on my phone and start looking for my next target every time I bug hunt. This time I thought it should be something different from the Facebook family of apps.
Instead of reverse engineering their app, I took a different approach this time and decided to take a look at their corporate servers instead. I had recently come across shodan.io, a search engine that indexes Internet-connected devices and the service banners they expose.
That's cool and all, but one of the coolest parts about Shodan is that it also lets you apply pretty specific filters. These filters even work on metadata within SSL certificates, so I filtered by certificate Common Name for *.shazam.com and shazam.com and happened to find a couple of servers on their network.
My first instinct was to test these for Heartbleed (CVE-2014-0160), the OpenSSL bug in the TLS heartbeat extension that lets an unauthenticated client read up to 64 KB of server process memory per request, and one of the most talked-about vulnerabilities of 2014. To my surprise, they turned out to be vulnerable to Heartbleed - even in 2017!
I sent the report to Shazam and within a couple of days got a response from the team along with a bug bounty notification.
I'm incredibly grateful to Shazam for this bounty, even though they didn't have an established bounty program at the time (this was all before the Apple acquisition).
Timeline:
Initial Report – Jan 23, 2017
Initial response from Shazam – Jan 24, 2017
Bounty Awarded – Jan 26, 2017