How I Found a Hardcoded RSA Private Key in a Major Crypto Exchange’s Frontend -And What I Learned the Hard Way A Bug Bounty Story About Recon, Excitement, and Harsh Reality It started like any …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A bug bounty researcher shares a detailed postmortem of finding a hardcoded RSA private key in a major crypto exchange's frontend JavaScript bundle. After validating the key with OpenSSL and successfully forging JWT tokens, the researcher submitted a report — only to have it rejected. The key turned out to be used only for logging, not authentication, and the researcher had guessed non-existent API endpoints rather than capturing real traffic. The writeup breaks down four key mistakes: guessing endpoints instead of discovering them via traffic interception, misreading HTTP 200 responses with error bodies as token acceptance, reporting theoretical impact without demonstrated proof, and over-engineering the report. Practical lessons include always capturing real API traffic before testing, proving impact with screenshots before reporting, and keeping reports concise.

How I Found a Hardcoded RSA Private Key in a Major Crypto Exchange’s Frontend -And What I Learned the Hard Way

Phase 1: JavaScript Recon (Where the Gold Hides)

Phase 3: Can I Forge JWT Tokens With This?