Railto LLC: Administrator access to staging.railto.com

ID H1:686015
Type hackerone
Reporter kira_deathnote
Modified 2019-10-03T00:36:05



Hey team,

While doing some recon for railto sub-domains. i came across a most critical bug which lets me complete access of https://staging.railto.com. i can add anything and removing anythings as i got the ADMIN level privilege.


  1. Go to https://staging.railto.com/admin url.
  2. Set username as admin and password as password to login the admin page. Since password is too easy to guess, i was like what... after finding this bug.
  3. If unauthorized people has got this bug then he could use it in a bad way. I didn't want to move forward because i am not an admin of this page and i dont want you guys in trouble. If it is not enough then i will provide a detail poc


Admin of the page is simple enough.