
NahamSec Uncovers Critical Vulnerability in Multibillion-Dollar Financial Giant's Domain
In this video, NahamSec shares a fascinating discovery about a critical vulnerability in the domain of a multibillion-dollar financial giant. The domain, active since 2012, had escaped the attention of many hackers until NahamSec discovered and began exploring it. Initially, the login page seemed ordinary, but a search on GitHub revealed an API that was leaking user data. However, HackerOne classified this vulnerability as medium severity because it required knowledge of the username to be exploited.

To bypass this limitation, NahamSec used artificial intelligence and automation to identify a pattern in the usernames. By analyzing existing usernames, he discovered that the system assigned usernames based on the initial of the first name and the last name, with a number added if the username was already taken. This number seemed to correspond to the user's year of birth. Using ChatGPT to generate a list of popular Hispanic last names and automating the requests, NahamSec was able to identify many valid usernames and access their personal data. This approach turned a medium-severity vulnerability into a critical one, potentially capable of leaking sensitive data such as phone numbers, email addresses, postal addresses, and national identification numbers.

NahamSec emphasizes that while AI and automation facilitated the process, it would have been possible to manually code a similar solution using languages like Bash or Python. The video highlights the importance of creativity and a different approach in vulnerability research. NahamSec demonstrates that even obvious and widely explored domains can still hide critical vulnerabilities. He encourages hackers not to be discouraged and to continue looking for bugs, even in well-known public programs.

In conclusion, this video offers a valuable lesson on the importance of perseverance, creativity, and the use of modern tools like AI to discover vulnerabilities. It also shows that critical vulnerabilities can still be found in seemingly simple and well-explored domains.
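From the defending side, the technique described above leaves a recognisable trace: one source asks the profile API for many different usernames, most of them do not exist, and the guesses cluster around one stem with varying numeric suffixes (the birth-year walk). The script below is an added example, not code from the video or from the affected program; the log lines are constructed for the example, the `/api/users/<name>` path and the thresholds are assumptions, and the username shape (initial plus surname, optional four-digit suffix) mirrors the pattern NahamSec describes.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (made up for this example; not from the
# video or from the program it describes). 10.0.0.5 walks a surname stem with
# year suffixes; 198.51.100.7 is an ordinary user looking at one profile.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /api/users/jgarcia HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /api/users/jgarcia1980 HTTP/1.1" 404 42
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /api/users/jgarcia1981 HTTP/1.1" 404 42
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /api/users/jgarcia1982 HTTP/1.1" 200 498
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /api/users/jgarcia1983 HTTP/1.1" 404 42
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /api/users/mlopez HTTP/1.1" 200 503
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /api/users/mlopez1979 HTTP/1.1" 404 42
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /api/users/mlopez1990 HTTP/1.1" 404 42
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /api/users/jgarcia HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:00:09 +0000] "GET /api/users/jgarcia HTTP/1.1" 200 512
"""

# Combined-log style line; the profile path is an assumption of this example.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /api/users/(?P<user>[A-Za-z0-9]+) '
    r'HTTP/[\d.]+" (?P<status>\d{3})'
)
# Username shape from the video: initial + surname, optional four-digit suffix.
USER_RE = re.compile(r'^(?P<stem>[A-Za-z]+)(?P<suffix>\d{4})?$')


def parse_lookups(log_text):
    """Yield (ip, username, status) for each profile-API request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["user"], int(m["status"])


def detect_enumeration(log_text, min_distinct=5, min_miss_ratio=0.4, min_per_stem=3):
    """Flag source IPs whose profile lookups look like username guessing.

    Signals (thresholds are assumptions of this example, not rules from the page):
      - many distinct usernames requested from one source,
      - a high share of 404s (guesses for accounts that do not exist),
      - several usernames sharing one stem with different numeric suffixes,
        which is what walking a birth-year range looks like in the log.
    """
    per_ip = defaultdict(lambda: {"users": set(), "misses": 0, "total": 0,
                                  "stems": defaultdict(set)})
    for ip, user, status in parse_lookups(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if status == 404:
            s["misses"] += 1
        um = USER_RE.match(user)
        if um:
            # Group "jgarcia", "jgarcia1980", ... under the stem "jgarcia".
            s["stems"][um["stem"].lower()].add(um["suffix"] or "")

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        miss_ratio = s["misses"] / s["total"]
        max_stem = max((len(v) for v in s["stems"].values()), default=0)
        if (distinct >= min_distinct and miss_ratio >= min_miss_ratio
                and max_stem >= min_per_stem):
            flagged[ip] = {"distinct_usernames": distinct,
                           "miss_ratio": miss_ratio,
                           "max_variants_per_stem": max_stem}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {stats}")
```

The stem-variant signal is the one worth keeping even if the other two are tuned away: ordinary users rarely request five spellings of the same surname in a few seconds. Detection is a backstop, though; the root cause in the story is an API that returns another person's record to anyone who knows the username, and the durable fix is to require an authenticated session and return only the caller's own profile, with rate limiting on the endpoint as a second layer.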