What’s up bros? End of another week. Hello - here I am with another chapter, written in case someone reads this stuff one day. Actually, even if nobody reads it, I will write. Every week I scribble something here, and I want to see if the energy adds up to something. Gemini probably killed SEO by now anyway. It’s all AI mode now, nobody goes into real sites heheh. Whatever. I keep going.
Last week I told you I found a serious financial bug on one of the biggest e-commerce sites in TR. If you didn’t read it, go look first, bro - I say this because without it, this part won’t make sense. So yeah, I found a kind of storefront bypass there, and I was buying a 100-lira item for like 10 Guinean Franc. (I’m making the numbers up of course... there was this one prick screaming “disclosure forbidden, buddy!” in my ear 🤣) Anyway, let’s get to what happened after. This post is harsh and angry. Then the anger pushes me somewhere else, and we’ll get there next week. We got a whole storyline here, bro. You think we watched all that Prison Break for nothing? We’re just in the pilot episode.
I Wanted Us to Have Each Other’s Backs
After getting slapped with an ‘Informative’ on the last finding, half angry and half with new hope, I picked a TR program to join. My thinking was - my report makes it obvious I’m from TR anyway (screenshots, SMS, etc.), and I had this dream that the guys in Turkish cybersecurity would back each other up. Dumb, right? But there is this thing in me. In countries like ours, fields like this are still small, and they need effort to grow. So if we back each other up, it grows faster, everyone wins. Makes sense. And it’s not like I wanted to find some dumb thing, get a favor, and take a bounty. I was never that guy. Give me what I’m owed and I’m gone. Justice. Anyway, I’m making the intro long, because I still don’t want to accept that this assholery is a pattern. My anger is not so fresh anymore, but it’s still there…
The second I sent the report, a bot ran over and marked it triaged. I went, what is this? Then I saw - they set up a system on H1, reports get triaged right away. And I got happy, like, I think I break the streak this time. A few days pass, I go to school in the morning. I take out my phone, a notification from Proton Mail. Something about the program. I got excited. You know my expectation - couldn’t get the 20 grand, let’s at least get the 2 grand hehe. I open the notification from the top, and one thing catches my eye. There’s this joke, “this is not a bug, it’s a feature,” you know it. So I go, well, there goes my 2 grand (I’m already on edge.) Then I look closer - that was the triager’s name. Okay, I’ll just call this guy Mr. Feature. So nobody sues me later - because later we’ll find out these guys built a real racket. I found a lot of people’s complaints about them, quietly fixing bugs and giving informative.
Mr. Feature’s first message was this short: what’s the order id, bro? Can you believe it? A guy breaks price integrity on your site with a clean bypass. The 3D screen even sent an SMS, and he sent you the screenshot of it. And he said he stopped there because he tests systems, he doesn’t abuse them. And the guy just asks for an order id from memory. I mean, I want to curse at him, but whatever. My answer was clean. Brother, there is no order id. If you can’t find it, there are tons of timestamps and my user id on top of that, but maybe you can’t find it - so give me written permission and I’ll create an order. Then you get your order id.
Chasing the Video Like a Dog
Bro, this guy reads neither the report nor what I write. He pasted his reply: need a video, a video. Now from this point, the one still looking for a good-faith answer, the one who thinks going along with the guy is some smart move - is me, damn it heheh. Because right there I should have read his real intent and stopped. No video, go read the report if you want, if not, don’t waste my time. Look, this is the language these guys understand, I’m almost sure. But what did I do? I started chasing the video like a dog. And the funny part, man - I can’t reproduce it. I mean, I know what I found, but I can’t do it again, bro. I gave it hours, one day, two days... nothing. And right away my weak little imposter starts talking inside. See? Told you. There was no bug, you dreamed it. And I go, come on - if there was no bug, how did the SMS hit my bank? And he goes, eh, where is the PoC then? And while fighting this guy, I agreed with him, bro. I went, yeah, it’s on me too, I give this prick too much room heheh. And I said, fine, let me just drop it here, no PoC, no repro.
So I wrote to Mr. Feature, all small and meek. Brother, sorry, I can still break the price but I can’t reach the bank SMS screen, I can’t reproduce it. But there is a problem here and it could be serious. I’d understand if you close it informative, etc. Yeah, like that heheh.
A few hours later, Mr. Feature reads my sentence and slams down the reply: bro, we didn’t see any security impact here, I think you imagined it. (there’s my imposter again) Your report deserves informative. You’re the master of informatives anyway, it suits you, here’s a kiss heheh. Prick. And he did some charity too - bro, look, I didn’t drop your score, so know my worth, he added.
The Breaking Point
And this is the real breaking point. Like, are the hacking gods messing with me now? Or is it a “turn back while you can” message, I don’t know - but the system runs solid. After I wrote that pathetic little report, I couldn’t take it. No way, this is impossible, I didn’t imagine anything - I have an SMS from my bank, a charge in a different currency, clear as day. This will work, man, I said. I sat down at the machine with a clear head and started digging. I changed one thing. Just one. Everything else the same. Boom - second SMS from the bank drops. This time I’m ready, OBS recording, I caught a solid PoC. I went, now you’re done, you bastards heheh. I ran to H1’s report section, added the comment, attached the PoC, sent it. We’re good, I said, no escape this time. A notification drops. Report closed as informative. What? Bro - one minute. One minute... like a joke. One minute after he closed it, my video landed. You see my luck? My luck can go to hell, really. But I went, no problem, man. I beat him by one minute with the video. He can’t take it back now. Right? He can’t, right? He did, bro. Hahahah.
I told you - rookie stuff. When you treat Mr. Feature like a person, you think: okay, maybe the guy sees it, he goes “ah brother, you added the video, let me reopen and check right away.” And - well, you can guess. He didn’t. I waited two days. Dead silence. Now I’m really getting angry. Let me drop one more comment, I said. Bro, look, I missed it by one minute, I sent you a video, here, let me even drop the timeline in case you can’t watch the whole thing, take your time, okay? Dead silence. Two more days pass.
And now it was time to accept it. Angry as hell, I asked uncle Google what people wrote about this program. Man - reddits, linkedins, all talking about the same pattern. These guys close every serious bug as informative and quietly put a silent fix on top. I went, I fell into a full trap here. Let me at least write to support, I said. The mediation part is closed on H1, bro. There is a dropdown but it’s grayed out. At first I didn’t get it, I kept poking at it like what is this - then I researched and found out the noble H1 referees step in for disputes and make sure the system runs fair... “make sure,” I say, because we never saw such a thing. So I open a support ticket. I explained my case properly. Look, I’m not even asking you for mediation. All I want is - reopen the report that got closed one minute early, or tell the program to. There is a video!! Here is what they said, bro: we can’t reopen the report. You can go to mediation if you want, but first you need Signal, eh? For Signal, 3 reports must be resolved, eh? Informatives and duplicates don’t count, eh? Your Signal is not even calculated yet… go to hell…
Are you kidding me? I have 5 findings on their platform - one dup, one low, one silent-fixed, one getting a $3000 discount, one breaking price integrity. You put 3 informatives on me and walked off, what Signal? Is it even possible to have Signal on a surface like this? It’s a setup. What H1 really says here is “we don’t care. Go cry over there, we’d enjoy it.”
Listen, Little Man
My counter-move comes. To Mr. Feature: brother, since this is nothing, and you didn’t even watch the video for 30 days - let’s at least disclose it, let the outside world see… Bro, the guy who went silent for 30 days wrote back in 12 days, running. “Ohh, how rude, what disclosure, let me pretend I didn’t hear that, this is a private program, hee, I’ll tell the police, hee, no disclosure…” Man, that smugness. This is what evil is, bro. It’s the life of a prick who tries to drink the other guy’s blood the moment he gets the chance. People like you - that’s what I want to tell him - you are the real source of evil. Not the obvious villains, those are movie heroes. It’s the ordinary, average guys who had a chance to be fair and weren’t. A book comes to my mind, Wilhelm Reich’s Listen, Little Man! It lands right here.
And here is the thing that finishes the picture. The guy either didn’t read it, or read it and didn’t understand. Then, in his head, he stopped one more attacker - gave informative, closed the gate, mission done. He probably felt good that day. He defended his company, he pushed away another newbie. But the only thing he really did was this: he didn’t understand the hole in his own system - with a step-by-step report in his hand - and he silenced the man who showed it to him. Silencing was easier than understanding. The little man couldn’t even do his little job, and he stood up from his desk thinking he did it. That’s it. That’s the whole thing.
I went off on him, of course. Thirty days, no answer on the video, but the second I say “disclosure” you start shouting - but I don’t care about your threat, it’s not even on my mind, you’re not that important. Look at the progress, I say. I sent you this report almost 2 months ago, and step by step it all came true - so what, because you closed it one minute early, because your capacity was not enough and you didn’t even understand it, this report has to be buried? Is there not one single person who will just watch the video - rate it informative after, fine, I wouldn’t care at all. But you will choose evil like always, little man, what can you do. And yeah - just like I thought, no reply.
Maybe I Should Hack the Mediation
Around then I’m looking at another program, by the way. We talk in the AI backrooms, you know - these things happen, man. Don’t let it get you down, you keep finding bugs, your luck will turn, Gemini and Claude gas me up. They both know this is a valid report, down to the bone. But what can you do heheh. When the disclosure rejection lands though, my nerves jump again. I write the reply but it’s not enough, man. I go: screw you guys. Is there a way to hack mediation on H1? Look at the balls on me hehehe.
Who am I even reporting, to who, right? Now I get it - H1 and the rest, it’s this dumb setup, built fully on the idea of “let’s pile on the newcomer, any way we can.” The guys made a calculation. The first-comers are usually idiots. They don’t know anything. They write reports and keep us busy with their pathetic little submissions, and now they want to climb on our heads with mediation too - let’s bury the rookies. And the one who gets hit is the guy who finds valid bugs even as a newcomer - his head gets cut off.
Anyway, with that stubbornness and the feeling of a story worth writing one day (the guy was denied his mediation right, so he went and hacked the mediation - it sounded good), I went into H1’s own program. Digging, JS, analysis, attempts. Everything about mediation. My intent was this: if I find the package where mediation gets triggered, can I trigger it myself? Another auth bypass, basically hehe. I won’t drag this out. Nothing came out, bro. On one of the most-attacked programs in the world, the mediation gate was wired straight to a flag, and it came back from the backend every single time - I couldn’t even send a request there. They shut that door from the very start. And this disappointment brought me to the next step... What did I hope for, and what did I find, in 6 months of web hacking? I’ll tell that next week. What I learned. If I was running into the same kind of triager across different programs all along, and if maybe it was finally time to change strategy. Because my faith got weaker. And my desire too…
Yeah bro, I closed another week by doing my part. I owe nothing else. The banter ran thin this time because I didn’t have fun writing it - but let this week be like that.
Verdict: the bug was real. The referee was never coming. Some games are rigged at the door.