Medium Email Verification Broken Auth.

01:12 0 Comments

Hey There! It's me harsh here today am gonna tell you lil niggas how i found out first bug and made the fortune out of it ;) i'm a greenback boogie now!!! Fuck yay !!!!

What is Medium ? 

Medium is a blog-publishing platform founded by Twitter co-founder Evan Williams in August 2012,[2] The platform has evolved into a hybrid of non-professional contributions and professional, paid contributions, an example of social journalism.[3] Some of its publications include the online music magazine Cuepoint, edited by Jonathan Shecter, and the technology publication Backchannel, edited by Steven Levy.

Well, The whole furore started when a lil asshole challenged me to found out a bug in Medium and guess what ??? I took the shit out of the medium haha ! I used to be a black hat hacker but that lil asshole made me a white hat hacker :( .

So lets the test of site start, Medium website was something differ from all the other website out there, firstly i tried to have some CSRF in my hand but unfortunately i aint got it then i looked forward for XSS , Open Redirect but i wasnt getting a shit, i was like "I'm gonna lose this challenge" then next day i checked the mails from Medium in my personal email account , i was like "WTF ? i registered with my main email to let them spam ?", I immediately changed the email to my another fake email account after changing it Medium requested me to confirm New Email ( Obviously ) my mind said lets try to confirm new email with that old link on my main email account, i clicked that old link and BOOM it confirmed my new email :O i said yeah got it.

I reported it immediately, and got a fast respond in 36 Hours

Hi Harsh,

We're looking into this. I'll get back to you soon. Thanks for reporting it. 

User Happiness

and in next 48 hours 

Hi root,

Thanks again for reporting this issue. Our engineers have determined that this report meets the following criteria:

Bugs leaking or bypassing significant security controls: $250

as outlined in our Bug Bounty program policy:

We'd would like to send you a Medium t-shirt to say thanks as well. We'd also like to add you to our humans.txt page (

Please let us know where to send a shirt and what size you wear. Also, let me know how you'd like your name to appear on humans.txt.

I'll email you and Cc our accounting team to facilitate the money part of the reward getting to you.

User Happiness

:D :D Got my first bounty + swag + HoF 

Bug Timeline 

Jan 22 ' 2016 : Bug Found and reported 
Jan 26 ' 2016 : Triaged ( Under Investigation )
Jan 27 ' 2016 : Bounty+Swag Rewarded

What about that asshole ? he blocked me :( :( 

Video PoC -