Hi Bug Bounty community, this is my first write up for a bug I found in a private HackerOne program. Let’s call it redacted.com for this article.
So there was a subdomain for redacted.com which was something.redacted.com for people could post queries and answer then via comments.
One interesting thing that I noticed was there was a markdown editor as well. I uploaded a image and I attached it to the comment and after attaching the image in the comments what I noticed was the markdown editor was phrased like this [IMAGE]ID[IMAGE].
Upon changing the image ID and posting the…