🎵 New Blog Post: Bandsintown Verification Bypass (Fixed, $200 + Swag)
Found a way to claim any unclaimed artist page on Bandsintown without verification:
- Discovered API endpoint from requesting to join Bieber's team
- Used same endpoint on Rick Astley (unclaimed) - bypassed all OAuth/social verification
- Got full access to 191k followers, their emails, names, locations
- Could send push notifications and post as any unclaimed artist (including diddy xd)
I could have rickrolled 191k people for real. I did not.
Bandsintown handled it well - fast fix, honest about bounty limitations, shipped me swag.
Also found a new bypass while writing this - currently disclosing responsibly.
Full writeup: https://bobdahacker.com/blog/bandsintown
#InfoSec #BugBounty #ResponsibleDisclosure #Bandsintown #Security #Privacy #CyberSecurity #RickAstley #APISecurity #Music