From Exploitee.rs


The Discord bot "ORP_APK" iterates through applications in the Google Play store looking for instances of insecure cloud storage, open real-time databases, and private keys. After a finding has been manually verified, a user can report it to the affected app developer through bot commands.


  • Amazon AWS S3 Buckets
  • Linode Objects Buckets
  • Digital Ocean Spaces
  • DreamHost Buckets
  • Azure Blobs
  • BackBlaze S3
  • IBM Cloud Buckets
  • Wasabi Object Buckets
  • Vultr Objects Buckets
  • FireBase Database
  • FireBase Cloud Storage
  • Rackspace Cloud Drive Buckets
  • AliBaba Cloud Storage
  • E2E Networks Buckets
  • Google Cloud Buckets
  • RSA Private Keys
  • AWS Creds
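
As an added example (not the bot's code, whose detection rules this page does not describe), here is a developer-side pre-release check for a subset of the finding types above: it flags storage endpoints and key material in strings already extracted from your own app build. The regexes, the `scan_strings` and `redact` helpers, and the sample strings are assumptions constructed for illustration.

```python
import re

# Constructed patterns keyed by the finding-type labels used on this page.
# They match references only; nothing here contacts the storage service.
HOST = r"[a-z0-9][a-z0-9.-]*"
PATTERNS = {
    "Amazon AWS S3 Buckets": rf"{HOST}\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com",
    "Digital Ocean Spaces": rf"{HOST}\.digitaloceanspaces\.com",
    "Azure Blobs": rf"{HOST}\.blob\.core\.windows\.net",
    "FireBase Database": rf"{HOST}\.firebaseio\.com",
    "Google Cloud Buckets": r"storage\.googleapis\.com/[a-z0-9._-]+",
    "RSA Private Keys": r"-----BEGIN RSA PRIVATE KEY-----",
    "AWS Creds": r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}


def redact(finding_type, value):
    """Keep secrets out of reports: show only enough to locate the string."""
    if finding_type == "AWS Creds":
        return value[:4] + "..." + value[-4:]
    if finding_type == "RSA Private Keys":
        return "<PEM header>"
    return value


def scan_strings(strings):
    """Return sorted, de-duplicated (finding_type, evidence) pairs."""
    findings = set()
    for s in strings:
        for finding_type, rx in COMPILED.items():
            for m in rx.finditer(s):
                findings.add((finding_type, redact(finding_type, m.group(0))))
    return sorted(findings)


# Constructed sample strings, standing in for strings pulled from a build.
SAMPLE = [
    "https://example-app-uploads.s3.us-west-2.amazonaws.com/avatars/",
    "https://example-app-default-rtdb.firebaseio.com/users.json",
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",  # AWS documentation example ID
    "-----BEGIN RSA PRIVATE KEY-----",
    "https://example.com/index.html",
]

if __name__ == "__main__":
    for finding_type, evidence in scan_strings(SAMPLE):
        print(f"{finding_type}: {evidence}")
```

A hit only means the build references that service or embeds that material; whether the storage is actually misconfigured still needs the manual verification described above.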


| Command | Description |
| --- | --- |
| `!start` | Starts the bot in the specified channel. |
| `!scan <app_id>` | Scans the provided app id (e.g. com.google.play). |
| `!get_findings <app_id>` | Gets previously found findings for a specified app id. |
| `!update_notified <finding_id_num>` | Sets the finding (based on the finding id) as reported (for reports handled outside of the bot). |
| `!get_email <finding_id_num> <researcher_name>` | Creates a report for the specified finding with the specified researcher's name (the submission is previewed before sending). |
| `!add_note <Note to application developer here>` | Adds a note to a finding submission (used after `!get_email`). |
| `!cancel_email` | Cancels an email after it has been previewed through `!get_email`. |
| `!send_email` | Sends an email after it has been previewed through `!get_email`. |