**July 2022**while working on my open-source project, [seedrcc](https://github.com/hemantapkh/seedrcc), I made an unexpected discovery. The python package, which is designed to interact with [Seedr’s](https://www.seedr.cc) API, allowed me to explore its functionalities. This exploration unexpectedly led to the discovery of a critical bug, resulting in my first bug bounty.
15
+
**July 2022**While working on my open-source project, [seedrcc](https://github.com/hemantapkh/seedrcc), a Python package for interacting with [Seedr’s](https://www.seedr.cc) API, I stumbled upon a critical bug that earned me my first bug bounty.
16
16
17
17
## Uncovering the Bug
18
18
19
-
While testing the seedrcc package, I was examining different functionalities of the site using the Python package. One of these was the rename function. I attempted to rename the root folder itself, expecting an error or denial. Interestingly, the system allowed me to rename the root folder of my account.
19
+
While testing the seedrcc package, I was examining different functionalities of the site using the Python package and one of them was the rename function. I attempted to rename the root folder itself, expecting an error or denial. Interestingly, the system allowed me to rename the root folder of my account.
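Review bot: the rewritten paragraph in this hunk turns two clean sentences into a run-on ("...using the Python package and one of them was the rename function"); the removed version ("One of these was the rename function.") reads better, so suggest keeping the sentence split there while retaining the rest of the edit. The intro rewrite above it ("a Python package for interacting with Seedr's API") is a clear improvement and needs no change.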
@@ -25,11 +25,13 @@ While testing the seedrcc package, I was examining different functionalities of
25
25
{'result': True, 'code': 200}
26
26
```
27
27
28
-
After renaming the root folder, I noticed something strange. When I checked the account's content again, a new folder with ID "222549919" had been automatically created. This folder contained a new item, "Charlie Chaplin Cruel Cruel Love (1914)" - a file Seedr automatically downloads for new accounts. What was more unusual was the parent ID of this new folder was set to "-1", while it should have been the root folder's ID "222549572".
28
+
After renaming the root folder, I noticed something strange. When I checked the account's content again, a new folder with ID "222549919" had been automatically created. This folder contained a new item, "Charlie Chaplin Cruel Cruel Love (1914)" - a file that Seedr automatically downloads for new accounts. What was more unusual was the parent ID of this new folder was set to "-1", while it should have been the root folder's ID "222549572".
29
29
30
30

31
31
32
-
This anomaly provided access to both the original root folder and a new one. Unlike typical folders that are inside the root folder of the account, this new folder stood alone. Interestingly, files added to this folder did not count against my storage limit because it wasn’t technically part of my root folder. Now, I could download as many items as I wanted inside this new folder, effectively bypassing storage restrictions.
32
+
It seemed that the server may have misinterpreted my root folder is missing and attempted to create a new one. However, when trying to set this new folder as the root, something might have gone wrong, as my original root folder still existed.
33
+
34
+
Unlike regular folders, which reside within the account's root folder and contribute to the account's storage, this new folder existed independently. This meant I had access to a folder outside my root structure, where files didn't count against my storage limit. This allowed me to download as many items as I wanted within this new folder, bypassing the storage restriction.
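Review bot: the new sentence "It seemed that the server may have misinterpreted my root folder is missing" is ungrammatical; suggest "It seemed that the server may have concluded that my root folder was missing and attempted to create a new one." The hedged wording ("may have", "might have gone wrong") is appropriate since the server-side cause is inferred from the observed parent ID of "-1" rather than confirmed, and the final paragraph now states the impact (storage limit bypass via a folder outside the root) more clearly than the removed version.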