After months of bug bounty hunting with no valid reports, I was close to giving up. So I changed my approach. I picked a new platform I hadn’t tested before.
That one small shift led me to a high-impact IDOR vulnerability in a public contact form.
🔍 What I Found
While testing a basic file upload form, I uploaded a document and saw this in the request:
fileUploadIdentifier=abc123xyz
I changed a few characters in the identifier and it worked. I got access to another user’s file. No login, no authentication, just full access.
Each slight variation revealed more files uploaded by other users.
🫣 What Was Exposed
Private user photos
All accessible by guessing or modifying the fileUploadIdentifier
This was a classic IDOR (Insecure Direct Object Reference), and it had serious privacy risks.
🛠 How I Found It
Burp Suite to intercept requests
Manual testing — no tools, no automation
A bit of logic and curiosity
💰 The Result
I reported the issue via their bug bounty program. It was accepted quickly and I received a $500 bounty.
This was one of the simplest bugs I’ve ever found, but also one of the most valuable.