Clio is a top legal software platform for managing clients, cases, billing, and more.
I went through all the features of the web application. Two-factor authentication was in place for user accounts as extra protection. Another feature was changing the email addresses of a legal firm's clients.
I found a neat trick to break the access control policy on the email-changing functionality. This resulted in hacking 150k+ legal professional accounts and their client accounts. It also bypassed the two-factor authentication of user accounts.
I got a special appreciation from the security team for finding the best security issue on the Clio platform.
Secured 150k+ lawyers' accounts from cyber-attacks.
Identified an account takeover vulnerability.
Got a special acknowledgment from the team for discovering the best critical finding in the Clio API.
Built a comprehensive security report for a serious security vulnerability in their API.