While checking Detectify Lab, I came across an XSS vulnerability on MEGA.CO.NZ which was found by Frans Rosen, so I thought of doing some tests on MEGA, but I ended up with none. I didn’t give up! After a while I thought of scanning and looking into the subdomains of both mega.nz and mega.co.nz, and found an eye-catching subdomain.
And it was https://stats.admin.mega.nz/
I just entered random login credentials:
POST / HTTP/1.1
Host: stats.admin.mega.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://stats.admin.mega.nz/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=admin&password=admin
But no luck, and then I added ( ‘ ) to the parameters and it was like:
Without any delay, I reported it to MEGA at email@example.com
I sent the email at 3:10 PM and after a few minutes I got a reply with :
It was so surprising to see that before receiving the mail (at 3:43 PM) the bug was fixed and I was like:
— NȺɌɆSĦ ŁȺMǤȺĐɆ (@nlamgade) March 10, 2016
IT REALLY WAS THE QUICKEST BUG FIX BY MEGA. THEY REALLY ARE VERY GOOD AT FIXING. 😉
And later :
Nice, Mega fixed it in just 30 minutes, and they rewarded me 400 EUR as a bounty!
That was the fastest fix I have ever seen and I am really thankful for the bounty. 🙂 All I can say is GOOD JOB MEGA!
Cheers for MEGA !
UPDATE: I checked that site for the bug again after a few months and it was still there, so I reported it again and got another bounty. :v
SO ANOTHER 400 euro