"Neptune App" TikTok "killer" tries to silence me after reporting a critical vulnerability

I wanted to put out a warning for anyone currently testing or using the Neptune App (the “creator-first” TikTok alternative). I recently did some tests on their API and found a critical BOLA (Broken Object Level Authorization) vulnerability that effectively allowed for a platform-wide Account Takeover.

The Exploit:
The createVideo endpoint had zero backend validation. By simply swapping the userId in the JSON request, I could generate a signed upload URL for any account on the platform.

I demonstrated this by successfully uploading videos to the Founder’s (Moody’s) account while logged in as a random user. I could have scripted this to flood every verified account with gore, scams, or phishing links.

Instead of thanking me for reporting it, they closed my ticket, removed my messages and banned me from their Discord server.

What’s with all these startups silencing anyone who finds vulnerabilities in their app :rofl: (reminds me of Drime Cloud, cough cough)
I also found more vulnerabilities and I’m glad I didn’t send them, seeing how they treated me!

Full breakdown: GitHub - Freminet/neptune-IDOR-BOLA-exploit: Neptune App IDOR/BOLA exploit


Out of curiosity, what discussion(s) did you have with the developers before effectively hacking the company account?

I’ve learned (the hard way) that folks really, really, really don’t appreciate any demonstrations of their digital vulnerabilities before all stakeholders are 1000% explicitly on board with conducting one under extremely controlled circumstances.


I discovered the vulnerability and immediately went to their Discord to report it; one of the devs literally told me to “report it right here” in a ticket.

I didn’t “hack” the account to be malicious but to provide a PoC that the `/createVideo` endpoint isn’t secure.

After I gave them the Python code and explained what it does, they just closed the ticket. The dev claimed he “responded” to me in the ticket, but why would you immediately close the ticket without even waiting for my response on whether it’s solved or not?

Anyway, it’s still very funny they’re telling people in their Discord to buy an “invitation/access code” for $8 to use an entirely vibe-coded app that barely works.

Lol, was Moody the owner of the Neptune App? If I were you, I wouldn’t have hacked his (or anyone’s) account but instead created a dummy account. Doesn’t matter if it’s for a proof of concept. I will not rob a bank to prove it is insecure.

They closed the ticket without saying a word (they claim they did but that I didn’t see it, so if you responded, why wouldn’t you wait to hear back from me before closing it?). No “thanks”, no reward, nothing.

Maybe he did actually respond to that specific ticket? I see no reason to go on thinking otherwise. It just doesn’t seem relevant to me, but who knows. I don’t know how their ticketing system works.

What does seem relevant is the follow up to closing that ticket. I understand why they would delete your messages in gen chat since it is a public chat and they have reason to not reveal that their app has active exploits. Did you try to communicate to them in DMs? Sounds like there was absolutely zero follow up on their end? That’s kind of weird.


The first time I tried it was on the owner’s account and I didn’t know if it would work (common sense is that it shouldn’t have), but it did.

And like I said, I don’t know if he responded or not because when I checked the server for the ticket it was gone. I was going to send more vulnerabilities that I found, but they decided to just close the ticket. Normally you’d at least wait for me to respond/test it again to see if it was actually fixed or not. They still had 0 reason to close the ticket, shut me out and ban me.

And I did try to DM them, but all of the developers have their DMs off.

I probably wouldn’t have exploited the vulnerability, but based on what you’re saying, otherwise you’re doing the right thing imo:

  1. Report the vulnerability responsibly
  2. Support any/all efforts from their team to document, understand, patch
  3. Verify an effective & timely patch
  4. If vulnerability is neglected, protect userbase by publicly whistleblowing

If they shouldn’t, how are they gonna find out if it works or not?

Create two test accounts and upload to one using the other’s credentials, after asking the company for permission to do so. Exploiting a vulnerability against someone else’s account without consent is not only irresponsible and unethical vulnerability disclosure, it is a crime, regardless of intentions. @Freminet is lucky they are only being ignored.

This will be unpopular but sorry, the alternative is completely untenable. You can’t steal a stranger’s car, drive it down the block, then tell the owner you were simply trying to show they should secure their garage better.

However, I will say they should take the vulnerability seriously, and this could easily be a “both sides are wrong” situation.


Apparently it wasn’t neglected, if you read the Github repo @Freminet linked they say there that it was “silent patched”.

@Freminet What exactly did the devs do wrong here? You unethically exploited a vulnerability, reported it publicly before it was fixed, they deleted your messages about it to keep it private before it could be fixed, and then they fixed it. You seem to have handled this extremely unprofessionally and unethically and they tried to handle the circumstances you handed them as best they could.

I don’t know why I have to explain this but:

  1. You’re claiming I posted the vulnerability before they fixed it; that’s simply false. I even said on the GitHub repo, which you didn’t take 10 seconds to read, that “They "silent patched" the bug and acted like it never happened. If you’re a developer and you treat people who find your mistakes like this, you don't deserve a successful app.” They fixed the vulnerability and CLOSED my ticket without me even seeing what they said to it, and without even waiting for a response back from me. That’s not how you handle vulnerabilities, and I REALLY don’t know why I have to explain this when it’s really common sense.

  2. The app is in beta > beta means you’re looking for bugs and security flaws; that’s exactly what I provided. Being in beta isn’t a “get out of jail free” card for a BOLA vulnerability; if they can’t handle a critical security report now, the app is gonna be a disaster at scale.

  3. You need an invitation code to get access to the app; how would you expect me to get another invitation code to test vulnerabilities that I don’t even know exist?

You’re probably gonna say to “ask them”; seeing how they treated me AFTER I found an actual vulnerability, I think you can guess what they would’ve said to that one.

Telling me I’m “lucky” for being ignored when they don’t know how to properly handle a vulnerability report is wild. Maybe you still don’t realize I could’ve gone around posting any video I wanted on all accounts on Neptune (around 12.4k users registered) and destroyed everyone’s feed, so no, I did not “exploit” any vulnerability; it just so happened the first time I tried it was on the owner’s account.

So yeah, next time I hope you’ll take 10 seconds to read what the post is actually about instead of shilling, and for Neptune, hopefully they hire an actual engineer that can do proper authorization checks (bare minimum) instead of ChatGPT with 300 vulnerabilities.


No, you claimed that.

And more importantly, an app being in beta isn’t a get out of jail free card for violations of the Computer Fraud and Abuse Act, unethical vulnerability disclosure, or penetration testing without consent.

Ask them.

So you admit you understand the proper way to do this.

There is a pretty interesting difference to the two scenarios. In one, you are acting unethically, and in the other, ethically. Call me crazy, that might make a little difference in how they treated you.

You are the one who didn’t properly handle a vulnerability report, and you are lucky because you committed what is a federal felony in the US and the alternative is up to 10 years in prison.

You don’t have a pass to commit crimes to embarrass a company because you don’t like their business model. You clearly had no interest in ethical vulnerability reporting here, you were out to damage their reputation. Maybe rightfully so, they don’t seem like a very good company, but that doesn’t excuse your actions in the pursuit of doing so.

If I’m understanding the order of operations here:

  1. OP found a potential vulnerability
  2. OP confirmed the vulnerability by exploiting
  3. OP reported the vulnerability
  4. Vulnerability was patched
  5. OP was banned from platform
  6. OP begins publicly posting (not whistleblowing)

First of all, you found & reported a vulnerability. Despite all the other noise, this could’ve been used to phish grandma into dumping her social security into bitcoins & gift cards. So, well done.

But as this discussion demonstrates, there were mistakes.

The company has blackballed you for exploiting their platform. And they’re not wrong to do so. You accessed an account without authorization. Nobody is going to respond to that with gratitude. As @lyricism said, you’ve actually given them legal grounds to press charges. Next time, don’t do this.

As for the remaining vulnerabilities you mentioned, that’s tricky. The company clearly doesn’t want to hear any more from you. But their platform is potentially putting users at risk. Attempting to publicly whistleblow could now put a target on YOUR back, as you’ve already given them legal grounds to press charges. You’ll likely need to proceed anonymously, if at all.


It’s also funny you’re accusing me of not taking 10 seconds to read when I literally quoted the section you’re accusing me of not reading.

Who is the one not taking the time to read, exactly?

Do you understand English my dude?

”I discovered the vulnerability and immediately went to their discord to report it”
Exactly, in a ticket, please read my post instead of shilling. Clearly you’re someone sent by Neptune. Not cool.

I think I mentioned it like 5 times that they closed the “TICKET” without waiting to hear back from me.

Also, you ignored most of my points: the app is in beta, I found a vulnerability (which is what you do in an app beta) and reported it.


It’s actually not. Gmail was in beta for 5 years. Do you think anyone had a free pass to hack gmail during these 5 years? You don’t understand the field you are attempting to operate in, even remotely.

You didn’t just report it though, you exploited it without permission. If you would take 10 seconds to read, maybe you would understand this is what people are concerned with.

You are clearly too immature to be operating in this space (vulnerability reporting). Delusions don’t help your case.

“just because you can doesn’t mean you should”. What you did is illegal, albeit not with malicious intent (as it appears to be), and you are squarely sitting in a grey zone. Of course exploiting a user without an explicit agreement to do so is going to result in a ban. You can’t just hack systems because you can hack them.

This all comes off as quite rookie. You should read the below.

In your case, I would have recommended a Responsible Disclosure Approach. i.e., you privately disclose the vulnerability to the organization, you say they have 90 days to patch, and then you fully disclose the vulnerability and the report on your own blog or wherever. Even in this approach, you do not hack other people.

Do I think this is likely a bad app? Definitely. Did you need to metaphorically pull down their pants to get the point across? No. If your intent was to hack to show how bad they are and you don’t actually care about the fix, then you’re leaning black hat my friend.

Most importantly, as OWASP says:

Before carrying out any security research or reporting vulnerabilities, ensure that you know and understand the laws in your jurisdiction

From this, if they don’t sue you, its best case scenario, and you’ve learned a valuable lesson in how to report vulnerabilities.


I didn’t really “access” an account; it was just that the `/createVideo` endpoint wasn’t secured, which lets you upload videos to any account. It’s not like I was actually logged into the actual account.

But as you said, for the remaining vulnerabilities, I will not be doing anything with them & I guess they’ll have to find them themselves, since I have no obligation to report them.

“Officer, I wasn’t really stealing that car, it was just left unlocked”

“I’m not driving, I’m traveling”

“I exploited it”

You clearly have no idea how basic web security or API testing works. You think I can just magically look at some lines of code on a screen and go “this is a vulnerability” without testing it?

To confirm a bug exists, you have to actually send a request and then see if that request goes through or not. That is the definition of a Proof of Concept (PoC). If they had secured their app properly, that request would’ve just triggered an “access denied” or a 403 error. The fact that it didn’t, and instead allowed the upload, is exactly what proves the vulnerability is real.

I didn’t do this to be malicious. Like I said, if I wanted to be malicious I could’ve flooded the whole app with videos, which I didn’t do. Calling it an “exploit” to paint me as the bad guy is just a way to ignore the fact that their backend has zero validation.
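The following is an added example, not code from the thread, from the linked repo, or from Neptune. It models the two points made above in one runnable piece: the BOLA pattern the first post describes (an authenticated handler that trusts the `userId` in the JSON body and issues a signed upload URL for whatever account was named) beside a hardened handler that binds the target account to the authenticated caller, and the kind of check the later post describes (send the request as one user naming another user's id, and see whether the server returns a URL scoped to the victim or a 403). Everything concrete in it is an assumption made for the example: the bearer-token session table, the `userId` field name, the HMAC-signed upload path, and the `u_alice`/`u_founder` identifiers; Neptune's real endpoint, storage layout and signing scheme are not known from the thread.

```python
"""Added example: BOLA on a create-video endpoint, vulnerable vs hardened,
plus the request-level probe that distinguishes them. All identifiers,
field names and the signing scheme below are assumptions for illustration."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data (hypothetical): opaque bearer token -> user id, and a
# server-side signing key. A real service would use a session store and a KMS key.
SESSIONS: Dict[str, str] = {"tok-alice": "u_alice", "tok-founder": "u_founder"}
SIGNING_KEY = b"example-signing-key"
URL_TTL_SECONDS = 600


@dataclass
class Response:
    status: int
    body: dict


def sign_upload_url(user_id: str, expires_at: int) -> str:
    """Server-side signer: the signature covers the user's upload prefix, so a
    URL issued for u_founder can only ever land a file under u_founder's path."""
    path = f"/uploads/{user_id}/video?exp={expires_at}"
    sig = hmac.new(SIGNING_KEY, path.encode(), hashlib.sha256).hexdigest()
    return f"https://storage.example{path}&sig={sig}"


def authenticate(headers: dict) -> Optional[str]:
    """Resolve the caller from the bearer token; None means unauthenticated."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def create_video_vulnerable(headers: dict, raw_body: str) -> Response:
    """BOLA: authentication is checked, but the object being acted on
    (the account) is taken from the client-supplied userId unchecked."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    body = json.loads(raw_body)
    target = body["userId"]  # attacker-controlled object reference
    url = sign_upload_url(target, int(time.time()) + URL_TTL_SECONDS)
    return Response(200, {"uploadUrl": url})


def create_video_hardened(headers: dict, raw_body: str) -> Response:
    """Object-level authorization: the account written to is the authenticated
    caller. A client-supplied userId is tolerated only if it matches; any
    mismatch is refused with 403 rather than silently redirected."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    body = json.loads(raw_body)
    requested = body.get("userId", caller)
    if requested != caller:
        return Response(403, {"error": "forbidden: cannot act on another account"})
    url = sign_upload_url(caller, int(time.time()) + URL_TTL_SECONDS)
    return Response(200, {"uploadUrl": url})


Handler = Callable[[dict, str], Response]


def call(handler: Handler, token: str, body: dict) -> Response:
    """Build the request a client would send: bearer token plus JSON body."""
    return handler({"Authorization": f"Bearer {token}"}, json.dumps(body))


def probe_bola(handler: Handler, attacker_token: str, victim_user_id: str) -> bool:
    """The confirmation step described in the thread: authenticate as one user,
    name a different user's id in the body, and check whether the server hands
    back an upload URL scoped to the victim. True means the handler is vulnerable.
    (Against a real target this is only defensible with the owner's consent.)"""
    resp = call(handler, attacker_token, {"userId": victim_user_id, "title": "poc"})
    if resp.status != 200:
        return False
    return f"/uploads/{victim_user_id}/" in resp.body.get("uploadUrl", "")


if __name__ == "__main__":
    for name, handler in (("vulnerable", create_video_vulnerable),
                          ("hardened", create_video_hardened)):
        resp = call(handler, "tok-alice", {"userId": "u_founder"})
        print(f"{name}: status={resp.status} bola={probe_bola(handler, 'tok-alice', 'u_founder')}")
```

The fix is not input validation on `userId` (rejecting malformed ids would not help); it is deriving the object the request acts on from the session and refusing any body value that disagrees, so the 403 the later post mentions is exactly what a correct server returns to the probe.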

You clearly had suspicions or you wouldn’t have tested that specific thing. Next time, insert a step between suspicions and testing and loop in the company first. It’s not hard to understand.

Right. Ask the company first.

Someone failing to secure something properly is not an invitation to take advantage of it.

That is irrelevant to professional ethics and the law.

No, it’s definitionally an exploit. Don’t accuse others of not understanding web security or API testing if you don’t understand what exploit means.

I’m not saying this to be mean, I’m saying it because you clearly don’t understand that you did something incredibly dangerous to yourself and unethical, and hopefully you would want to learn how to improve. If you are unwilling to learn from people who understand this stuff better than you, you can keep doing what you’re doing and one day you might learn the hard way.

However, I am going to still call it out so that others who read this thread don’t think this is an appropriate way to behave and follow in your footsteps.