heavenly's blog

software engineering, reverse engineering, and bug bounties

powered by hellish technology

500k users, series a funding, and the cto

published on august 27, 2025 • edited on september 9, 2025 • 159 views

in this post, i will explain my journey of finding a data leak on a pretty well-known food-related app, with 100k+ downloads and 700k+ on insta.

tools used

postman, http toolkit and proxyman

what happened?

the main bug: this app had a leak in their django auth system, leading to a small db leak of 1,000 emails. i'm cutting straight into the action because i explained rate limits in my previous post. side bug(s): public django admin page, put request fields not enforced properly.

bug tags

db leak bug: cwe-359 (exposure of private personal information to an unauthorized actor)
admin page bug: cwe-16 (security misconfiguration)
put bug: cwe-915 (mass assignment); cwe-20 (improper input validation)

the action

my setup

i loaded up http toolkit on my macbook, then i proxied my requests from my phone over to my macbook. i clicked around through the requests to see what was going on. my main curiosity was for the username availability api, as well as some other apis. i wanted to write a username checker (i succeeded). however, it looks like my account got autobanned (my fault for sending too many requests and not bothering to emulate the user, lol).

what i noticed

their django setup is publicly visible? so i was able to see their expected post/put requests and fiddle with that. however, this same django page also leaked ~1k user emails due to a misconfiguration. 1k user emails were visible at /api/user/login/, without any login details required, due to a referrer column leak. unfortunately, this isn't enumerable, as this was just a django misconfiguration and not really an exploit. also, their django admin page is in the default location (/admin/login/). the admin page didn't seem to be vulnerable, however (maybe brute-forceable). in addition, put request fields aren't enforced too well. i was able to make a put request and overwrite my referral link to my own page, and i was able to overwrite my username with invalid characters (non-alphanumeric).
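the put bug above (cwe-915 / cwe-20) comes down to a profile update handler that writes whatever keys the client sends and never validates the username. the snippet below is an added example written for this post, not code from the app or from the author: a plain-python stand-in for what a django rest framework serializer does with `read_only_fields` and a regex validator on `username`. the profile, the field names (`referral_link`, `bio`) and the sample payload are all constructed for the illustration.

```python
import re

# Username policy: alphanumeric plus underscore, 3-30 characters.
# (Constructed policy for the example; the real app's rule is not known.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,30}$")

# Allow-list of fields a client may change via PUT; everything else is server-owned.
WRITABLE_FIELDS = {"username", "display_name", "bio"}
READ_ONLY_FIELDS = {"id", "email", "referral_link"}

# Constructed sample profile, not real data.
SAMPLE_PROFILE = {
    "id": 1,
    "email": "alice@example.invalid",
    "username": "alice",
    "display_name": "Alice",
    "bio": "",
    "referral_link": "https://app.example.invalid/r/alice",
}

# Constructed sample PUT body: invalid username plus an attempt to
# overwrite a server-owned field, the two problems described in the post.
SAMPLE_PAYLOAD = {
    "username": "al!ce<>",
    "referral_link": "https://somewhere-else.example.invalid/me",
}


class ValidationError(ValueError):
    """Raised when a PUT body violates the field allow-list or a value rule."""


def insecure_update(profile: dict, payload: dict) -> dict:
    """Mass assignment: every key in the body is copied straight onto the record.

    This is the weak pattern; read-only fields and value checks are ignored.
    """
    updated = dict(profile)
    updated.update(payload)
    return updated


def secure_update(profile: dict, payload: dict) -> dict:
    """Enforce the allow-list and validate values before touching the record.

    Unknown or read-only fields are rejected rather than silently dropped so the
    attempt is visible in logs (DRF's default is to ignore them quietly).
    """
    rejected = set(payload) - WRITABLE_FIELDS
    if rejected:
        raise ValidationError(f"fields not writable: {sorted(rejected)}")
    if "username" in payload and not USERNAME_RE.fullmatch(payload["username"]):
        raise ValidationError("username must be 3-30 alphanumeric/underscore characters")
    updated = dict(profile)
    for key in WRITABLE_FIELDS & set(payload):
        updated[key] = payload[key]
    return updated


def try_update(profile: dict, payload: dict) -> tuple:
    """Run the hardened update and report (accepted, reason) instead of raising."""
    try:
        secure_update(profile, payload)
        return True, ""
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    leaked = insecure_update(SAMPLE_PROFILE, SAMPLE_PAYLOAD)
    print("insecure referral_link:", leaked["referral_link"])
    print("secure result:", try_update(SAMPLE_PROFILE, SAMPLE_PAYLOAD))
    print("valid change:", try_update(SAMPLE_PROFILE, {"username": "alice_2"}))
```

in a real drf project the allow-list lives in the serializer's `Meta.fields` / `Meta.read_only_fields`, and the browsable api that exposed the expected post/put fields in the first place can be switched off by removing `BrowsableAPIRenderer` from `REST_FRAMEWORK["DEFAULT_RENDERER_CLASSES"]` in production settings.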

results

what i learned

django when misconfigured can be abused, django admin pages are hard to fiddle with. also, i learned that i should probably stop fiddling with stuff if i'm not going to emulate the requests properly.

bounty

$0.00 - i landed with 3 banned accounts, my device banned, and the cto calling my report an "unsolicited security report". they fixed the bugs mentioned in this report and didn't unban my accounts, while reading my email responses and fixing stuff i mention.

[image: cto-email]