Hey. I want to share a cool and uncommon vulnerability I found in one of the bug bounty programs I was working on.
By the way, it is also worth looking at SessionStorage alongside LocalStorage. The difference between them is that LocalStorage entries persist until they are explicitly removed, while SessionStorage entries are scoped to a single tab and are cleared when that tab is closed. Both are readable by any script running in the same origin, so an XSS can read SessionStorage as well; because it is per-tab, though, the payload has to execute in the victim's own tab where the data lives, which is why a stored XSS is the practical case.
So, basically I was looking for something like API keys or tokens, in case they were saved there. When I opened it in the browser (F12 -> Storage -> LocalStorage | SessionStorage), I saw only one row, and it was a log history kept for marketing purposes.
It was a big JSON blob containing every action I did on the website. It also had an object with two fields:
    "account.username": "ruvlol",
    "account.password": "redacted"
The moment I saw that, I didn't believe it. The behaviour was consistent: I got exactly the same result after logging into the application from a clean browser and looking in LocalStorage again.
I reported it immediately and got a $1500 bounty; it was rated High severity according to their policy.
    // Proof of concept: read the entry back from LocalStorage and print the credentials.
    // The key name "edited" and the nested path are as they appear in the writeup.
    var test = JSON.parse(localStorage.edited);
    console.log('your username is: ' + test.edited.account.username + ' and your password is: ' + test.edited.account.password);
By the way, I have a Patreon where I write infosec articles. If you are interested, you can check it out at https://www.patreon.com/ruvlol . I am working hard to make it a good source of ethical hacking experience, and a lot of articles are coming there, including bug bounty writeups.