Hi Hackers, I'm Saransh Saraf and today I'm gonna expose the Upstox fraud. (Note: I've read the NDA of the Upstox bug bounty program and this is not against the policy.)
Scenario: Suppose you've found a bug in Upstox and you're gonna report it. A few months ago, when everyone was hunting on Upstox, they were collecting bug reports with a Google Form, and the reporter received 2 emails: the 1st a copy of the Google Form submission, and the 2nd from Upstox confirming that they got your report (with the report title and name).
On Friday, Jan 28, Harsh Banshpal and I were sitting together to discuss a few things, and he asked me if I was hunting on Upstox or not, and I said let's hunt.
I've previously hunted on Upstox, so I knew they'd send us two emails on bug submission (clearly I was looking for critical bugs), but they were still collecting data from G-Forms.
I knew Google doesn't do any encoding; it just blocks actions with sandboxing and browser policies.
So I thought, let's see if Upstox is encoding the data coming from G-Forms or not (I should say I was checking if the Upstox team is smart or not…).
I submitted a bug report with a temp mail, using HTML injection payloads in the title and name fields (because these were reflected in the email), and after 10–30 seconds I got an email from email@example.com, and I was right: they were not that smart :) I successfully exploited email HTML injection in Upstox. (BTW, if you do some recon you'll find that rksv.in is Upstox's old domain; it was used before the rebranding.)
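The defect described above is a notification mailer that drops form fields straight into an HTML email body. The following is an added example written for this post, not Upstox's or Google's code: a constructed submission, the verbatim-substitution mailer beside its escaped form, and a check a mailer test suite can run to catch any tag that originates from user input rather than from the template. The template text, field names and sample values are all assumptions.

```python
import html
import re

# Constructed sample submission: the two fields the post says were reflected
# into the confirmation email. The title carries markup the way an HTML
# injection test would; the name carries a simple tag.
SAMPLE_SUBMISSION = {
    "name": "Reporter <b>Name</b>",
    "title": 'Bug report <a href="https://example.invalid/phish">click here</a>',
}

# Assumed confirmation-email template (not the real one).
TEMPLATE = (
    "<html><body>"
    "<p>Hi {name},</p>"
    "<p>We have received your report titled: {title}</p>"
    "</body></html>"
)

TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")
TEMPLATE_TAGS = set(TAG_RE.findall(TEMPLATE))


def render_unsafe(submission: dict) -> str:
    """The vulnerable pattern: field values are substituted verbatim, so any
    markup the submitter typed becomes live HTML in the recipient's mail client."""
    return TEMPLATE.format(name=submission["name"], title=submission["title"])


def render_safe(submission: dict) -> str:
    """Hardened pattern: every untrusted field is HTML-escaped at the point it is
    inserted into the template, so the submitter's text renders as text.
    quote=True also escapes quotes, so input cannot break out of attributes."""
    return TEMPLATE.format(
        name=html.escape(submission["name"], quote=True),
        title=html.escape(submission["title"], quote=True),
    )


def injected_tags(rendered: str) -> list[str]:
    """Detection check for a mailer test suite: every tag in the rendered email
    that is not one of the template's own tags must have come from user data.
    Escaped input contains no literal '<', so it never matches."""
    return [tag for tag in TAG_RE.findall(rendered) if tag not in TEMPLATE_TAGS]


if __name__ == "__main__":
    print("unsafe rendering injects:", injected_tags(render_unsafe(SAMPLE_SUBMISSION)))
    print("safe rendering injects:  ", injected_tags(render_safe(SAMPLE_SUBMISSION)))
```

Google Forms forwards the raw field values, as the post notes, so the escaping has to live in the receiving mailer; `injected_tags` is the kind of assertion that would have caught the reflected markup before the confirmation email ever went out.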
Yeah, I know it was an easy finding, but from here the weird things started to happen: I reported it on Jan 28 but I never got a follow-up. I tried multiple times, and finally, when I replied on some other ticket and threatened to report them to the CISO, they replied with this, and meanwhile they stopped using this email notification system….
Clearly someone on the Upstox side deleted my ticket and stopped the service :( but after explaining everything to them, this is what I got :|
Honestly, do I look like a moron or something? You deleted my ticket, you fixed the bug, and now what, Google is responsible for your mistakes!!
Well, I know how things work. I know someone from the development or security team did this to cover their mistakes, but I'm not gonna let them get away with this. I will never suggest using Upstox, and after seeing this video POC you'll also never suggest Upstox to anyone. I hope you're with me :)
I hope you now know how poisonous the companies out there in the world are, and UPSTOX is nothing but JUST a fraud.
Similarly, Saumya Agarwal found SQL injection in Upstox, but they didn't consider it a bug, yet they fixed it, and Amit Pathak found JWT manipulation leading to full account takeover, but they didn't consider it a bug, yet they fixed it.
Now the truth is Exposed :)
Saransh Saraf - Information Security Analyst - Codewits Solutions Pvt. Ltd. | LinkedIn