Bug Bounty Write-ups

How I hacked LINE!

Hello there,
I’m Muhammad Julfikar Hyder, doing cyber security research for last 2 years. This is one of my write up about Bug Bounty hunting. Today, I going to share something about one of my finding at LINE.
Last year, I was hunting for bugs at one of the biggest social media LINE.

I discovered a aws s3 bucket there named ‘line-example’. Here ‘example’ is just a keyword I’m using instead of the real bucket name.

Now let me clear first what is AWS and what AWS used for. Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow. Running web and application servers in the cloud to host dynamic websites. Amazon S3 or Amazon Simple Storage Service is a service offered by Amazon Web Services that provides object storage through a web service interface. Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its global e-commerce network.

Okay, let’s back to my story, I just stopped there, I fired up my terminal and put a command with my aws cli like this ‘aws s3 ls s3://line-example’.
Image for post
I got surprised in result! the bucket directory was open! I just smiled like this!
Image for post

The bucket was vulnerable! It was possible to read files inside the bucket which should be Forbidden with status code 403!

Then I thought what if I can upload or delete something there? Is this vulnerable to write data too? I fired up my terminal again. I tried to upload something with this command. “aws s3 cp ‘julfikar.txt’ s3://line-example”.

Note: The file julfikar.txt file was in the same location where from my terminal was running.

Image for post
Then i tried to delete this file with the command ‘aws s3 rm s3://line-example/julfikar.txt’
Image for post
I surprised again! it was accepting my requests for upload files! And also deleting files from the bucket with my external command!

This was a critical issue! I was so exited about this. Reported the issue to LINE with @Hackreone.

But maybe that was my good luck that because it was submitted previously by another researcher! I accepted this as my good luck because I always think positive. This will push me to learn more, this is a kind of lesson. Getting Bounty is not important at all. I think I can do or I can break those words are more important for now. Bounty is just like a gift! And we should never expect for gifts!
I’m ending the story here, Thanks for your time guys.
Find me at
Twitter: TheJulfikar
Facebook: TheJulfikar

2 thoughts on “How I hacked LINE!

  1. Welldone Brother
    আমি আপনার কাছথেকে শিখতে চাই,আমি বাগ বাউনটি করতে চাই

Leave a Reply to shoumik hasan Cancel reply

Your email address will not be published. Required fields are marked *