21/02/2017
Reward: 150 $


Blend

The Blend platform makes it easy for borrowers to apply for a mortgage from any desktop, tablet, or mobile device. Also, lenders can work in parallel and follow up instantly with additional requests and information.

Since the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Last updated 2 Oct 2018 19:46:53 UTC

Technical severity | Reward range
---|---
P1 Critical | Starting at: $1,500
P2 Severe | Starting at: $1,200
P3 Moderate | Starting at: $500
P4 Low | Starting at: $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
https://knox.beta.blendlabs.com | Other

Out of scope

Target name | Type
---|---
<https://www.blendlabs.com> | Website
<https://www.blend.com> | Website
<https://blend.com> | Website
<https://api.pentest.blendlabs.com/> | API

Any domain/property of Blend or its customers not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Background Information

The Blend platform is composed of an AngularJS/Express.js front-end and several Express.js microservices connected to various backend databases. The AngularJS/Express.js front-end contains a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, but borrower accounts can be created either through self-registration or via an invitation email.

This program has been known to generate a large number of emails - please take a moment to set up a filter that will likely help in mitigating the noise created by these messages. Please visit https://researcherdocs.bugcrowd.com/docs/email-filter if you need help with this.

API Documentation

  • Please view the public API docs here

Focus Areas

  • Authentication bypass
    • Vertical (e.g. obtain lender privilege from borrower account, or admin privilege from lender account)
    • Horizontal (e.g. obtain other borrower session from one borrower session, or lender-lender)
  • Sensitive data exposure (unauthorized disclosure of loan information or other sensitive user data)
  • “root” access to underlying server(s)
  • Multitenancy exploits
    • Multiple tenants exist within the pentest environment
    • Exposing data or access from one tenant to another
  • API endpoint access controls: https://api.pentest.blendlabs.com/

Non-Focus Areas

  • Brute-force DDoS

Security Findings vs. Intended Functionality

The relationship between a lender and a borrower is unique in that lenders are privy to a great deal of sensitive financial information relating to a borrower. Furthermore, lenders within a single organization may need access to the data of the borrowers under other lenders within the same organization. What might initially appear to be a security finding of inappropriate data disclosure may actually be intended functionality when it comes to a lender’s access of borrower data.
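The Focus Areas above (vertical and horizontal authorization bypass, multitenancy) and the lender/borrower nuance in this paragraph together describe one access model: a borrower may read only their own loan, a lender may read any loan held within their own organization, and nothing crosses a tenant boundary. The following is an added example of how such a check can be written for an Express.js service; it is not Blend's code and does not use Blend's API. The role names, the `tenantId` field, the constructed `LOANS` records, the `req.principal` property and the `findLoan` lookup are all assumptions made for the example.

```javascript
// Added example (not Blend's code): an authorization check modelled on the
// access classes the brief lists. Roles, tenants, loan records and the
// req/res shapes are constructed here; nothing is taken from Blend's platform.

const ROLES = { BORROWER: "borrower", LENDER: "lender", ADMIN: "admin" };

// Constructed sample records. Each loan carries the tenant (lending
// organization) it belongs to so that tenant isolation can be enforced.
const LOANS = [
  { id: "loan-1", tenantId: "org-a", borrowerId: "b-1", assignedLenderId: "l-1" },
  { id: "loan-2", tenantId: "org-a", borrowerId: "b-2", assignedLenderId: "l-2" },
  { id: "loan-3", tenantId: "org-b", borrowerId: "b-3", assignedLenderId: "l-3" },
];

// Decide whether `principal` may read `loan`. A reason string is returned so
// that denials can be logged and alerted on rather than silently dropped.
function authorizeLoanRead(principal, loan) {
  if (!principal || !loan) {
    return { allowed: false, reason: "missing principal or loan" };
  }
  // Tenant boundary first: nothing crosses organizations, whatever the role
  // (the multitenancy focus area).
  if (principal.tenantId !== loan.tenantId) {
    return { allowed: false, reason: "cross-tenant access" };
  }
  switch (principal.role) {
    case ROLES.BORROWER:
      // Horizontal isolation: a borrower sees only their own loan.
      return principal.id === loan.borrowerId
        ? { allowed: true, reason: "own loan" }
        : { allowed: false, reason: "borrower is not the loan owner" };
    case ROLES.LENDER:
      // Intended functionality per the brief: lenders in the same organization
      // may see loans handled by other lenders of that organization.
      return { allowed: true, reason: "lender within loan's organization" };
    case ROLES.ADMIN:
      return { allowed: true, reason: "admin within organization" };
    default:
      // Vertical isolation: unknown or unprivileged roles are denied; never
      // let an unexpected role value fall through to an allow.
      return { allowed: false, reason: `unknown role ${principal.role}` };
  }
}

// Express-style middleware factory. `req.principal` is assumed to be set by
// the authentication layer from a server-side session, never from the
// request body or a client-supplied header.
function requireLoanRead(findLoan) {
  return function (req, res, next) {
    const loan = findLoan(req.params.loanId);
    if (!loan) return res.status(404).json({ error: "not found" });
    const decision = authorizeLoanRead(req.principal, loan);
    if (!decision.allowed) {
      // Answer 404 rather than 403 so a denied caller learns nothing about
      // whether the loan id exists.
      return res.status(404).json({ error: "not found" });
    }
    req.loan = loan;
    return next();
  };
}

// Minimal fake req/res so the middleware can be exercised without Express.
function simulate(principal, loanId) {
  const req = { principal, params: { loanId } };
  let statusCode = 200;
  let nextCalled = false;
  const res = {
    status(code) { statusCode = code; return this; },
    json() { return this; },
  };
  const middleware = requireLoanRead((id) => LOANS.find((l) => l.id === id));
  middleware(req, res, () => { nextCalled = true; });
  return { status: statusCode, passed: nextCalled };
}
```

The tenant comparison is deliberately made before the role switch, so that a lender or admin role can never be used to widen access across organizations; the role check then only narrows access within a tenant.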

Access

  • Create a borrower account by going to the target and clicking Sign Up.
  • The Blend platform allows you to connect to third party bank accounts. Use these credentials to test the behavior.
    • Bank account credentials (user/pass): blend_test / blend_good
    • Two Factor Auth: 1234 or “tomato”
    • SSN: any 9-digit number.

Scanning

Scanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019