Accessing deleted comment for $$: A Bug Bounty Writeup

3 min readJan 17, 2024

Hello hackers, I am back with a new bug bounty write-up. In this blog, I am going to show how I was able to access deleted comments on a community thread of a website. I will be using as the main domain.

* is in the scope. As usual, I started with subdomain enumeration and found 500+ live subdomains. I took screenshots of all subdomains using tool aquatone and started reviewing them. One of the screenshot having subdomain name caught my eyes.

Community website at where authenticated user can create a thread, interact with other thread and can interact with other users. I started exploring the website and capturing every request in the proxy tool burp suite.

After exploring the website, I started reviewing all the requests and responses from the There is one GET endpoint which is used to fetch comment from the thread based on the parameter id=comment_id&tid=thread_id . Both comment_id and thread_id is long numeric string. I open the GET endpoint in the browser and found that all the comment from my thread is visible in the JSON response.

What i did next is I deleted the comment from my community thread and in UI no comment is visible in my thread as i deleted it.

I reopened the same GET endpoint in the browser and found that the deleted comment is still visible in JSON response. Thread comment is only deleted from the UI but not actually deleted from the backend/database so anyone or thread owner can access the deleted comment of the thread.

The bug is not having too much of impact because of long numeric comment_id and thread_id. Anyone can access the deleted comment if comment_id is know or they captured the comment_id of a thread before deletion of comment. I sent report to the security team as this is violation of privacy of the user. Security team accepted the report as Low and fixed it.

Security Team to Me


Nov 09, 2021 — Reported

Nov 24, 2021 — Triaged

Dec 8, 2021 —$$ Rewarded

Dec 24, 2021 — Fixed.

To schedule a one-on-one session with me, please make a booking through the Topmate platform.

Thanks for reading, hope you learned something new. Do clap and share if you like it. Happy Hacking and Try Harder!.

Twitter: 7he_unlucky_guy
Topmate: Vijeta