Journey With Lithium Bugs

This is a journey which started in 2016 when I first found a vulnerability in one of the Bugcrowd programs' community sites. At that time I had not realized that the vulnerabilities I found on the Bugcrowd program would apply to many sites like ATT, Paypal, Ubnt, SquareUp, SONY, Spotify and many more, and would help me earn a total of $8000 from various companies and sites. The journey is still on. In 2016-17 I found 5 vulnerabilities in one of the Bugcrowd programs. Those are:

Vulnerability 1) XXE after uploading an SVG file

Vulnerability 2) Delete any user account permanently

Vulnerability 3) Change and delete anyone's profile image

Vulnerability 4) Delete videos of other users

Vulnerability 5) Lithium Forum Server-Side Request Forgery

Soon after, I realized that it is in the Lithium Community Platform. I reported it to Lithium; for two months, no replies. Usually Lithium has a bad way of mitigating vulnerabilities in their product, and also no proper response to researchers who provide vulnerability disclosures to them. Also, they do not care whether the vulnerability is critical; they fix their vulnerabilities quarterly, not immediately. Later I asked CIRT to provide a CVE-ID, but they told me that for SaaS products they do not provide CVE-IDs. At last I decided to report it to all of the Lithium clients who have a bug bounty. I found that around 400+ organisations use Lithium's product, but very few, around 10, have a bug bounty program. I reported all of the above 5 vulnerabilities to 10 organisations like ATT, Spotify, Ubnt, Paypal and some private programs. I came up with a collection of $8000 for those bugs, not from Lithium but from Lithium clients.

Now we are in 2019 and I have again found one critical vulnerability, and I will soon come up with a write-up and disclosure.

About Lithium's proprietary community platform product:

Lithium Technologies runs a SaaS business for Lithium's proprietary community platform. Go to   for more information on using this product.
