Ghost in the Payroll Machine // DELETING DOCS

>> NODE: ctrlaltcorp.dev

>> AUTHOR: HOTCHIP

>> TIME: [20251003-1100]

Some bugs feel like cheat codes. You prod the edges and the whole façade crumbles. I found a way to delete payroll and tax records without ever logging in. No credentials. No tokens. Just raw requests straight to the machine. Call me a virus.

The Setup

The system lived in two halves:

Public gateway exposed to the internet.
Internal application servers behind the curtain.

Both were meant to be locked down. Both were not.

The Vulnerability

On the public side, anyone could enumerate and destroy documents W2s, invoices, payroll packets - one SOAP call away from vanishing. On the internal side, any network user (vendors, temps, guest Wi-Fi) could pull full PDFs like tax forms and fingerprint records. No authentication anywhere.

In short:

Public internet = delete everything.
Internal network = download everything.

A system designed for auditability instead shipped a self-destruct button. Operators should never press the button.

Proof of Concept (abridged)

High-level attack flow (non-actionable):

Query document metadata to enumerate document IDs.
Request document pages, extract and decode base64 payloads → valid PDFs.
Issue delete request for a document ID → document removed.

No session. No special headers. No authentication checks between discovery, retrieval, and deletion.

The Bug Bounty Wall

I reported this via a bug-bounty channel expecting normal triage. Instead the first submissions were closed with “can’t reproduce” and “not sensitive.” Closed. Twice.

 >> "Not sensitive." >> "Can’t reproduce."

I kept pushing. Escalated internally. Eventually the right people looked and confirmed it was a P1. Persistence turned “unproven” into the severity it deserved.

Confirmation screenshot showing P1 status

Short scoreboard:

 >> STATUS: PATCHED >> IMPACT: P1 | AUTH: NONE | TRIAGE: FAILED | CORP®: FAST

The Corp’s® Response

Credit where it’s due - the Corp® moved quickly once its engineers verified the issue. They blocked anonymous service calls at the service layer and queued deeper fixes for the next release. No theatrical delays: patch, test, deploy.

Lessons Learned

Authentication isn’t optional. Delete and download endpoints are crown jewels - treat them like it.
Bounty triage can fail hard. Gatekeepers are fallible; persistence matters.
Impact beats replication. Don’t let “can’t repro” be the end of the conversation - measure what an attacker could do.
P1s don’t award themselves. Sometimes you must fight to make the system admit it’s broken.

Final Thoughts

This wasn’t an edge case. It was the ability to wipe or steal payroll history across entire organizations. In a world where trust is currency, that’s catastrophic. The Corp® got lucky this time - someone else might not have reported it.

 >> END OF TRANSMISSION

- HotChip