Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others' company. Arthur Schopenhauer

About a year ago, when I started my first forays into HackerOne, I discovered one of the most impactful bugs I have ever come across. In January 2021 I received a private invitation to a VDP (Vulnerability Disclosure Program) run by an airline group. I decided to try hacking on that program because, at the time, I did not give much priority to bounties: I wanted to learn and earn my first points on the platform.

After a few minutes investigating the scope of the program, I realized that they were using a unified login system for most of the companies in scope, mostly airline websites, among others. I decided to analyze the "Forgot your password?" endpoint first. I entered my email and waited for the message containing the link to change the password.

How I hacked one of the biggest airline groups in the world