Hey Torii, Show Me Everything

All issues were responsibly reported to eToro through Bugcrowd and have been acknowledged. I wasn’t hunting for AI bugs. I was testing eToro’s trading platform — IDOR on portfolio endpoints, parameter tampering, the usual. Then I noticed the little chat bubble in the corner. Torii, eToro’s AI assistant. It could answer questions about your portfolio, show balances, explain market trends. An AI chatbot on a financial platform. Connected to user data. With tool access. I had to look closer. ...

April 25, 2026 · 7 min · 1391 words · Jesus Lujan

From Redirect to Merchant Administration Takeover at a Major Bank

Disclaimer This blog post is shared for educational and academic purposes only. All issues described here were responsibly reported to the affected company and have since been verified. The intention of this write-up is to raise awareness, improve security practices, and share lessons learned with the community. Since I was back in Korea and looking for my next role, I decided to spend this month fully focused on bug bounties again. It’s always a mix of frustration and small breakthroughs. One of the simple but surprisingly interesting bugs I uncovered was this cross-domain redirect flaw in a bank’s core application. ...

February 22, 2026 · 5 min · 981 words · Jesus Lujan

Tickets and Popcorn please!, The Day main.js Became the Key Vault

Disclaimer This blog post is shared for educational and academic purposes only. All issues described here were responsibly reported to the affected company and have since been fixed and verified. Permission to publish was granted by the company. The intention of this write-up is to raise awareness, improve security practices, and share lessons learned with the community. Act I — The Setup It all started on a lazy evening in April. I wasn’t trying to hack anything major, just poking around a movie ticketing site which I’m a client of, with DevTools open. As I added a ticket to my cart, something odd caught my eye: a POST request carrying a mysterious parameter named encInfo. ...

August 25, 2025 · 7 min · 1431 words · Jesus Lujan