
Full disclosure of Facebook BugBusters app security vulnerabilities

A bit of an overview of BugBusters

BugBusters is a Facebook app launched by uTest, a crowd-sourcing community for software testing. It is a Flash game; to look at the game or play it, please visit


The game was launched as a contest with 3 prizes: an iPad for first place and digital cameras for the other 2.


What happened after I discovered the security vulnerabilities?

The game was already live and I could see a lot of activity from users around the globe. Once I found the vulnerabilities, I quickly documented a report with the details that could help uTest or the development vendor fix them.


Once the report was ready, I contacted Mr. Matt Johnston, VP of Marketing, and Mr. Peter Shih, community manager, via e-mail. They responded quickly and were interested in looking into the details. Thanks to Matt for introducing me to the development company to whom I reported these bugs (the development company's name is Blonde20 –


Those security vulnerabilities were fixed within the same week I reported them. Thanks to the Blonde20 folks for fixing them so soon. The fix was to stop including details such as the Score, Profile ID and profile Name in the POST_DATA form. Once they fixed it, I tried to reproduce the issue and could not; however, I did not explore the new fix for further vulnerabilities, if there were any, because I got busy with the BugDeBug conference and other tasks.
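As an added illustration (not the game's or Blonde20's code; the field names, the session store and the per-bug scoring are assumptions modelled on the report), a minimal handler that trusts the score and profile fields from the POST body beside one that takes identity from the server-side session and recomputes the score from server-held game state:

```python
from urllib.parse import parse_qs

# Constructed sample of a tampered POST body (field names are assumptions
# modelled on the report: score, profile id and profile name sent by the client).
TAMPERED_BODY = "score=999999&profile_id=12345&profile_name=Attacker"

# Server-side state the hardened handler trusts instead of the form (constructed).
SESSIONS = {"sess-abc": {"profile_id": 67890, "profile_name": "RealPlayer"}}
GAMES = {"game-1": {"session": "sess-abc", "bugs_squashed": 7, "finished": True}}
POINTS_PER_BUG = 10  # assumed scoring rule; the report does not state one


def vulnerable_submit(body: str, leaderboard: dict) -> dict:
    """Before: every value comes from the client, so anyone can post any
    score under any profile id and name."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    entry = {
        "profile_id": int(form["profile_id"]),
        "profile_name": form["profile_name"],
        "score": int(form["score"]),
    }
    leaderboard[entry["profile_id"]] = entry
    return entry


def hardened_submit(session_id: str, game_id: str, body: str, leaderboard: dict) -> dict:
    """After: identity is taken from the authenticated session, the score is
    recomputed from game state the server recorded, and any client-supplied
    score/profile fields are ignored and reported for monitoring."""
    session = SESSIONS.get(session_id)
    game = GAMES.get(game_id)
    if session is None or game is None or game["session"] != session_id:
        raise PermissionError("game does not belong to this session")
    if not game["finished"]:
        raise ValueError("game is not finished yet")
    form = parse_qs(body)
    ignored = sorted(set(form) & {"score", "profile_id", "profile_name"})
    entry = {
        "profile_id": session["profile_id"],
        "profile_name": session["profile_name"],
        "score": game["bugs_squashed"] * POINTS_PER_BUG,
        "ignored_fields": ignored,  # non-empty means the client tried to set them
    }
    leaderboard[entry["profile_id"]] = entry
    return entry
```

The `ignored_fields` list is a cheap detection signal: a legitimate client never sends those fields once they are removed from the form, so their presence is worth logging.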


This is all good, but where is the full disclosure? Well, I have it for you here.


I did not win the game, but at least to me I am the topmost winner and feel as if I had won a billion dollars. I wish for all security testers, researchers and newbie (ethical) hackers to learn from my findings and help protect the web community from the bad guys out there.


I have been a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad & Chennai; invite me to come to your location) and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.




  1. Deepak KJ wrote:

    Hi Santhosh,

    It's nice to see, because you have helped the actual gamers to play and win in the game. Testing rocks!!!!!


    Tuesday, March 27, 2012 at 12:32 am
  2. Badhurudeen wrote:

    I have gone through your bug report. It shows how (ethical :)) hackers would think. Really, it is awesome.

    Tuesday, March 27, 2012 at 2:37 am
