Have some more testing to do to 100% confirm it, but I am pretty sure I have accidentally stumbled across a stupidly devastating security/privacy bug in one of the most commonly used enterprise SaaS products on the market. If my remaining tests play out as I’m expecting, it’d be a stalkers / identity thief’s dream.

Confirmed this today and reported it.

Essentially, the vulnerability in the tool is that *in a specific circumstance* - which is that the person has an existing account in the product from a previous employer (which many people do, since it's so widely used) - all you need is their personal email address.

With that email address, without any further interaction from the victim, the tool will give you their:

- date of birth
- SSN
- last known street address
- phone number

Oh, and any banking info on file.

Good response from the vendor security team on this; got a reply in less than 12 hours, treating it as a valid critical bug.

Since it's been a month, a quick update on this one: the confirmed "valid critical bug" that was acknowledged by this vendor within 12 hours is still present, still exposing all the things....

It’s been 5 months now.

I submitted this issue through a managed bug bounty program.

The vendor acknowledged it pretty quickly (within 12 hours), but I’ve had little info since then. It sits open in the queue. The labels “P1” “Critical” and “Unresolved” adorn the bug bounty tracker UI.

The company that manages the bug bounty has been unable to get them to respond.

A reminder that if you are going to do a bug bounty, you should do it properly.

So I get daily emails from Bugcrowd on this now.

Basically they are saying, “we have been unable to get a response from the customer - we’ll keep trying.”

So I suggested that they just cut off their customer from receiving further submissions if they aren't responding and seemingly just want free pen testing. Simple.

Ah, but then they wouldn't get paid...

Eight months after I reported this, the vendor is due to push a fix this week (they eventually got back to me).

The vuln has been there this whole time.

Will they actually fix it? Who knows.

Wow, they got back to me and confirmed the fix had been pushed! Yay for them!

But, let's recap a few things.

1) This took 9 months to fix, though they confirmed it was critical within 48 hours.
2) It exposed banking/SSN/Mailing Addresses in exchange for an email address.
3) The company in question is big and widely used.
4) They have a bug bounty program this was submitted through.

What was the reward for said bug bounty submission?

A nice note that said, 'thank you for helping secure $vendor'.

Lol. I'll give 'em a day to reconsider that before I name them.

Disclosure: This was Rippling (rippling.com)

Essentially, the flaw I discovered was this: if you used their platform to send someone a job offer via email, and that person already had a Rippling account (such as from a prior employer), then shortly after the offer was sent a Rippling process would run that populated their information from what was already in the Rippling backend from another tenant. No interaction was required on the part of the recipient, such as, say, actually looking at or accepting the offer.

This info includes all the PII, including SSN, banking, address etc.

That info would automatically become visible to the Rippling user who had sent the job offer email.

So, all you needed was a Rippling tenant, and if your target had ever used Rippling, you could exchange their email address for all the info.

Timeline: reported in July 2025 to the Rippling Bugcrowd bug bounty program, accepted as a critical issue within 48 hours, only fixed last week (9 months).

No bounty was offered.

Just a data point for anyone else who considers submitting to this program. Probably the least impressive bug bounty experience I’ve had in the last 15+ years.

#infosec #bugbounty
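As an added illustration, not Rippling's code (the tenant/profile data model, the function names and the sample record are all hypothetical), here is the flow the thread describes modelled in Python: a backend-wide lookup keyed on email, the vulnerable "send offer" path that copies another tenant's record into the sender's tenant on nothing more than the email address, and one way of gating that copy on the candidate's own authenticated consent.

```python
"""Toy model of the cross-tenant prefill flaw described in the thread above.

Added illustration, not Rippling's code: the tenant/profile model, the
function names and the sample data below are all hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    """PII a tenant holds for one person, keyed by email."""
    email: str
    dob: str
    ssn: str
    address: str
    phone: str
    bank_account: str


@dataclass
class Tenant:
    """One customer of the platform. Admins of a tenant can read tenant.profiles."""
    name: str
    profiles: Dict[str, Profile] = field(default_factory=dict)
    offers: Set[str] = field(default_factory=set)  # emails with an open offer


# Constructed sample data: a prior employer's tenant already holds Alice's full record.
PRIOR_EMPLOYER = Tenant("acme-prior-employer")
PRIOR_EMPLOYER.profiles["alice@example.com"] = Profile(
    email="alice@example.com", dob="1990-01-02", ssn="123-45-6789",
    address="1 Example St", phone="+1-555-0100", bank_account="000111222",
)
ALL_TENANTS: List[Tenant] = [PRIOR_EMPLOYER]


def global_lookup(email: str) -> Optional[Profile]:
    """Backend-wide search across every tenant's records.

    A primitive like this is what makes the flaw possible: it crosses the
    tenant boundary with no check on who is asking or why.
    """
    for tenant in ALL_TENANTS:
        if email in tenant.profiles:
            return tenant.profiles[email]
    return None


def send_offer_vulnerable(sender: Tenant, email: str) -> Optional[Profile]:
    """Flawed flow: sending an offer immediately prefills the sender's tenant
    from any other tenant's record for that email. The only input the sender
    supplies is the address; the recipient does nothing."""
    sender.offers.add(email)
    existing = global_lookup(email)
    if existing is not None:
        sender.profiles[email] = existing  # cross-tenant copy, no consent
    return sender.profiles.get(email)


def send_offer_fixed(sender: Tenant, email: str) -> Optional[Profile]:
    """Hardened flow: an offer records only the email. Nothing is copied."""
    sender.offers.add(email)
    return sender.profiles.get(email)


def accept_offer_fixed(sender: Tenant, email: str,
                       authenticated_as: str, consent: bool) -> Optional[Profile]:
    """Data crosses tenants only when the candidate, logged in as that email,
    accepts the open offer and explicitly authorises the transfer."""
    if email not in sender.offers:
        raise PermissionError("no open offer for this email")
    if authenticated_as != email:
        raise PermissionError("only the candidate can release their own data")
    if not consent:
        raise PermissionError("candidate declined to share their record")
    existing = global_lookup(email)
    if existing is not None:
        sender.profiles[email] = existing
    return sender.profiles.get(email)


if __name__ == "__main__":
    attacker = Tenant("attacker-tenant")
    leaked = send_offer_vulnerable(attacker, "alice@example.com")
    print("vulnerable flow leaked SSN:", leaked.ssn if leaked else None)
    attacker2 = Tenant("attacker-tenant-2")
    print("fixed flow after offer:", send_offer_fixed(attacker2, "alice@example.com"))
```

The point of the hardened version is where the tenant-crossing copy sits: behind an action that only the data subject can take, authenticated as the address the offer was sent to. In a real system you would also copy only an allowlisted set of fields the candidate chose to carry over, rather than the whole record.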

@SecureOwl new rule proposal - if a human baby can be conceived and born in the time it takes you to address a self-declared "critical" issue, then your vuln response process needs some introspection
@SecureOwl I like it. We could call it the "three trimester rule", or something like that lol
@SecureOwl no surprise, stupid HRIS. Next up, Ramp. They are on my list of stupid SaaS tools that need to go away.
@SecureOwl short hello shortened male name or haircut? Came to mind immediately
@SecureOwl does the bounty program have documented SLAs (service level agreements)? Having previously worked at a SaaS company in the support department, I recall past bounty reports threatening to go public on reports that exceeded SLA. Hate to suggest it if they are working on it and are just poor communicators, but you need some way to keep them honest.