OVE-20221020-0021: Bypassing triplebyte Direct Booking requirements

While working on an afternoon project to add my own filtering to triplebyte's job search, I discovered a security issue.
Triplebyte had a "direct booking"1 feature which allowed anyone who scored well on Triplebyte's assessments to visit a booking site (usually Calendly) and set up a call with a recruiter. It was optional, and each company set the required assessment scores.
Triplebyte's initial implementation stored the link in a 'book_now_link' field inside serialized JSON that was embedded in the page source, alongside other fields that should not have been sent to the browser at all. An excerpt, with names redacted:

    "title": "General Coding Logic",

    // This shouldn't be here:
    "assign_to_company_user_name": "Redacted Redacted",


It's a very simple bug: don't include sensitive information in the page and rely on the client to hide it. Anything in the page source is visible to every user regardless of what the UI shows, so the check that gates the booking link belongs on the server, and only the fields the page actually needs should be serialized.
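To make that concrete, here is an added example (not Triplebyte's code) contrasting the leaky "dump the whole record" pattern with a server-side allow-list that only emits the booking link once the score check has passed, plus a small regression check that scans a serialized page blob for sensitive keys. The score threshold, the URL and the 'min_score' field name are constructed; only 'book_now_link', 'assign_to_company_user_name' and the title come from the page.

```python
import json

# Constructed sample record (not real Triplebyte data): the full server-side
# job object, including fields that must never reach the browser unconditionally.
JOB = {
    "title": "General Coding Logic",
    "min_score": 4,  # assumed name for the company-set required score
    "book_now_link": "https://calendly.example/redacted-recruiter",
    "assign_to_company_user_name": "Redacted Redacted",
}

# Allow-list of fields the listing page actually needs to render.
PUBLIC_FIELDS = ("title",)

# Keys that should never appear in page JSON unless the server decided so.
SENSITIVE_KEYS = {"book_now_link", "assign_to_company_user_name"}


def naive_page_json(job):
    """The leaky pattern: serialize everything and let the client hide it."""
    return json.dumps(job)


def public_page_json(job, candidate_score):
    """Hardened: serialize only allow-listed fields; add the booking link only
    after the server has verified the candidate meets the required score."""
    view = {k: job[k] for k in PUBLIC_FIELDS if k in job}
    if candidate_score is not None and candidate_score >= job["min_score"]:
        view["book_now_link"] = job["book_now_link"]
    return json.dumps(view)


def sensitive_keys_present(page_json):
    """Regression check: return the set of sensitive keys found anywhere in a
    serialized page blob (walks nested dicts and lists)."""
    def walk(node, found):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_KEYS:
                    found.add(key)
                walk(value, found)
        elif isinstance(node, list):
            for item in node:
                walk(item, found)
        return found
    return walk(json.loads(page_json), set())
```

Running sensitive_keys_present over the JSON a page serves to an unqualified or anonymous user is a cheap test to keep in CI so this class of leak does not come back.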


  1. 2021-09-16 - Issue reported by email
  2. 2021-10-05 - Issue reported again via a Zendesk support ticket after receiving no response
  3. 2021-10-20 - Triplebyte responded saying it was fixed and offered $200

The feature seems to have been removed entirely now.

Tagged: security, bug bounties