May 11, 2026
I found a secret door into an admin panel — and got paid $750 for it
The website said “you can’t sign up.” I found out that was only half true.
Syedfaiz
2 min read
Let me tell you a story about a locked front door — with the back window wide open.
I was testing a website, redacted.com, and noticed a subdomain: pay.redacted.com. It was a dashboard used to manage payments to their creators — think YouTubers, influencers, that kind of thing. Full of sensitive stuff: who's getting paid, how much, bank details, the works.
When I visited the login page, there was no "Sign Up" button anywhere. The message was clear: you can't create an account here. This is for our team only.
Most people would close the tab and move on. I opened a tool called Burp Suite — basically it lets you peek under the hood of a website and see exactly what's happening behind the scenes when you click things.
What I actually found
Think of it this way
Imagine a nightclub with a strict "no walk-ins" policy. The bouncer at the front door turns everyone away. But around the back? There's a staff entrance with a keypad — and someone left the code written on a sticky note next to it.
That's basically what was happening here. The website used a service called Supabase to handle user logins — it's a popular tool that thousands of websites use. And while the front door (the website) had no sign-up button, the back door (Supabase's own signup system) was still open and working.
Even better — the key to that back door was sitting in plain sight. When I watched the login request in Burp Suite, I could see an API key just sitting there in the traffic. An API key is basically a password that lets you talk directly to a service. This one let me talk directly to Supabase.
POST /auth/v1/token?grant_type=password HTTP/1.1
Host: supabase.co
Apikey: sb_*****************
Origin: https://pay.redacted.com
So I took that API key and sent a signup request directly to Supabase — completely bypassing the website. No sign-up button? Fine. I didn't need one. One command in my terminal later, the server wrote back: "Welcome! You're in."
I verified my email and logged in through the normal login page. Instead of landing on a limited new-user page, I was looking at the full admin dashboard, with complete creator lists, payment history, system settings, all of it.
Here's the actual command I used
curl -X POST "https://[redacted].supabase.co/auth/v1/signup" \
-H "apikey: [key found in traffic]" \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"Password123!"}'
# What came back:
{ "role": "authenticated", "email": "test@example.com" }
# Translation: "Welcome! You're in."
That was it. Account created. No invite. No approval. Just me, in
In the wrong hands, someone could have read all of that data, messed with payment settings, or quietly sat in there watching everything for weeks. I reported it, they fixed it same day, and paid me $750.
Tips for other hunters from this
- Hiding a button in the UI does nothing. Always test whether the feature still works behind the scenes.
- When you intercept traffic, look for API keys and service URLs — they often lead somewhere interesting.
- The severity of a bug isn't just "I got in" — it's what you can do once you're in. Admin access is a critical finding.
- Always write up the full picture in your report: what you found, how to reproduce it, and what a real attacker could do with it.
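If you run a Supabase-backed app yourself, the first tip above has a direct defensive check. The following Python script is an added example, not the author's code: it reads the project's public auth settings (GoTrue's GET /auth/v1/settings, which reports `disable_signup` and the enabled providers) and flags the exact condition behind this write-up, a backend that still accepts signups while the UI hides the button. The project URL and key are placeholders, and the sample response is constructed.

```python
import json
import urllib.request

# Constructed sample of what the auth settings endpoint returns; the values
# are illustrative and do not come from any real project.
SAMPLE_SETTINGS = {
    "external": {"email": True, "phone": False, "google": False, "github": True},
    "disable_signup": False,
    "mailer_autoconfirm": False,
}


def fetch_settings(project_url: str, anon_key: str) -> dict:
    """Read the public auth settings of a project you operate.

    project_url is a placeholder such as https://<project-ref>.supabase.co;
    anon_key is the same publishable key the front end already ships.
    """
    req = urllib.request.Request(
        f"{project_url.rstrip('/')}/auth/v1/settings",
        headers={"apikey": anon_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_signup(settings: dict) -> list[str]:
    """Return findings describing how a stranger could obtain an account.

    An empty list means self-service signup is closed at the auth layer.
    Authorization is a separate control: a fresh user carrying only the
    generic 'authenticated' role must still be denied staff-only data.
    """
    findings = []
    if not settings.get("disable_signup", False):
        # Hidden sign-up button, open POST /auth/v1/signup: the bug above.
        findings.append("self-signup enabled: /auth/v1/signup accepts new accounts")
        for provider, enabled in settings.get("external", {}).items():
            if enabled:
                findings.append(f"signup path open via provider: {provider}")
    if settings.get("mailer_autoconfirm", False):
        findings.append("email autoconfirm on: no verification step before login")
    return findings


if __name__ == "__main__":
    for finding in audit_signup(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

Run it against your own project by replacing `SAMPLE_SETTINGS` with `fetch_settings(url, key)`; fixing the first finding is a dashboard toggle, while the authorization half still needs row-level policies that key on an explicit staff role rather than on being logged in.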
If you're still stuck getting nothing from bug bounty, just keep going. The gap between your first Hall of Fame and your first paid bounty is smaller than it feels.
More stories coming. Follow along — and feel free to connect on LinkedIn.