The Two “Boring” Security Flaws That Just Earned Me $60
Let me tell you about my most frustrating week as a bug bounty hunter. I’d spent 40 hours testing a major fintech company, finding absolutely nothing. No SQLi, no XSS, no business logic flaws. I was ready to give up.
Then I remembered: when you can’t find the fancy bugs, find the stupid ones.
Two hours later, I’d submitted two reports that earned me $60. Here’s exactly what I found.
The Password Reset Token That Wouldn’t Die
I was testing a popular project management tool. Like any good hunter, I went straight for the password reset flow.
The Process:
- I requested a password reset for my test account
- Got the email with a link like: https://app.com/reset-password?token=abc123def456
- Used the link, changed my password — success
But then I got curious. What if I used that same link again?
I copied the URL from my browser bar, opened an incognito window, and pasted it. The page loaded with an “Enter new password” form. I held my breath and typed password123.
It worked. The same token worked a second time.
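To show what separates the flaw above from the fix, here is an added example (not code from the post or from the tool being tested) of a minimal reset-token store: one redeem function that only checks the token, so the link keeps working, beside a single-use version that consumes the token the moment it is redeemed. The in-memory dictionary, the 15-minute lifetime and the function names are assumptions for illustration.

```python
import secrets
import time
from hashlib import sha256
from typing import Optional

# Constructed in-memory store: sha256(token) -> {"user", "expires", "used"}.
# Assumption: a real service backs this with one database row per token.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short because the link travels by email


def _digest(token: str) -> str:
    # Persist only a hash so a leaked table does not hand out live reset links.
    return sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable; only the hash is stored
    RESET_TOKENS[_digest(token)] = {"user": user_id, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_vulnerable(token: str, now: Optional[float] = None) -> Optional[str]:
    """The behaviour the post describes: the token is validated but never
    consumed, so the same link resets the password as often as it is replayed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(_digest(token))
    if entry is None or now > entry["expires"]:
        return None
    return entry["user"]  # caller proceeds to set the new password


def redeem_single_use(token: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened form: a token is accepted at most once and only before expiry."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(_digest(token))
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True  # mark consumed before the password change, not after
    return entry["user"]


def invalidate_user_tokens(user_id: str) -> int:
    """Also revoke every outstanding token for the user once one is redeemed
    or the password changes by another route; returns how many were revoked."""
    stale = [h for h, e in RESET_TOKENS.items() if e["user"] == user_id and not e["used"]]
    for h in stale:
        RESET_TOKENS[h]["used"] = True
    return len(stale)
```

A detection hint that follows from the same data: a second successful redeem of one token hash, or a redeem after a password change, is exactly the event a server-side log should flag.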