| Title | Author | Program | Bug type | Bounty | Date |
|---|---|---|---|---|---|
| Tale of a Misconfiguration in Password Reset | Shuaib Oladigbolu (@_sawzeeyy) | – | Password reset flaw | – | 12/30/2018 |
| Bypassing Access Control in a Program on Hackerone !! | Sahil Tikoo (@viperbluff) | Hackerone | Authorization flaw | – | 12/30/2018 |
| How I was able to delete Google Gallery Data [IDOR] | Yogesh Tantak | Google | IDOR | – | 12/30/2018 |
| Abusing ACL Permissions to Overwrite other User’s Uploaded Files/Videos on s3 Bucket | Armaan Pathan (@armaancrockroax) | – | Unrestricted file upload, Authorization flaw | – | 12/30/2018 |
| How I Takeover WordPress Admin fiiipay.my | Syahrul Akbar Rohmani (@sahruldotid) | FiiiPay | Account takeover, Default CMS files | S$ 300 (~ $408) | 12/28/2018 |
| How I Was Able To Takeover All User Account And Admin Panel | Dipak kumar Das (@d1pakdas) | – | IDOR, Account takeover | $1,500 | 12/28/2018 |
| Reflected XSS on ws-na.amazon-adsystem.com(Amazon) | ssid (@newp_th) | Amazon | Reflected XSS | – | 12/27/2018 |
| From Hunting for a Laptop to Hunting down Remote Code Execution | Anil Tom | Asus | RCE, WebDAV flaw | $0, HoF | 12/27/2018 |
| RCE in nokia.com | Sampanna Chimoriya | Nokia | RCE | $0, HoF | 12/27/2018 |
| Unauthenticated user can upload an attachment at HackerOne | Ahamed Morad (@Modam3r5) | Hackerone | Authorization flaw | $0 (Duplicate) | 12/24/2018 |
| Tokopedia Account Takeover Bug Worth 8 Million IDR | Ironfirst (@ironfisto) | Tokopedia | Password reset flaw, Account takeover | – | 12/24/2018 |
| Server-side Request Forgery in OpenID support | Putra Adhari | Liberapay | SSRF | – | 12/24/2018 |
| Client side validation strikes again: PIN code bypass ! | Davy (@RandoriSec) | Netflix, Linxo | Client-side validation bypass, Authentication bypass, Authorization flaw | – | 12/22/2018 |
| How I accidentally found a clickjacking “feature” in Facebook | Lasq (@lasq88) | Facebook | Clickjacking | $0 | 12/21/2018 |
| XSS worm – A creative use of web application vulnerability | Nicolas Heiniger (@NicolasHeiniger) | Swisscom | XSS | – | 12/21/2018 |
| Facebook BugBounty — Disclosing page members | Nirmal Thapa (@tnirmalz) | Facebook | Information disclosure | – | 12/20/2018 |
| Story of my two (but actually three) RCEs in SharePoint in 2018 | Soroush Dalili (@irsdl) | Microsoft | RCE | $0 | 12/19/2018 |
| Exploiting Two Endpoints to get Account Takeover | Hritik Sharma | – | Authorization flaw, Privilege escalation | – | 12/19/2018 |
| Asus’S Admin Panel Auth Bypass | Mustafa Khan (@samwcyo) | Asus | Authentication bypass | – | 12/18/2018 |
| WordPress Privilege Escalation through Post Types | Simon Scannell | WordPress | Privilege escalation, Stored XSS, Object Injection | – | 12/17/2018 |
| Subdomain Takeover — New Level | Valeriy Shevchenko | – | Subdomain Takeover | – | 12/17/2018 |
| Reading ASP secrets for $17,000 | Sam Curry (@samwcyo) | – | Local file disclosure (LFD) | $17,000 | 12/16/2018 |
| Accessing VoIP Internal service via Port 8009: Routing traffic through local Apache proxy | Ahmed A. Sherif | – | Information disclosure | – | 12/16/2018 |
| Self XSS to Interesting Stored XSS | rohan aggarwal (@nahoragg) | – | Stored XSS | – | 12/15/2018 |
| How i hacked help desk of a Company | Ali Razzaq (@AliRazzaq_) | – | Ticket Trick | – | 12/15/2018 |
| Remote Code Execution on a Facebook server | Daniel Le Gall | phpMyAdmin | LFI, RCE, CSRF | – | 12/14/2018 |
| XSSing Google Code-in thanks to improperly escaped JSON data | Thomas Orlita (@ThomasOrlita) | Google | XSS | – | 12/14/2018 |
| $3k Bug Bounty – Twitter’s OAuth Mistakes | Terence Eden (@edent) | Twitter | OAuth flaw | $2,940 | 12/14/2018 |
| Unremovable Tags In Facebook Page Reviews | Max Pasqua | Facebook | Logic flaw, DoS | $500 | 12/14/2018 |
| Chaining Two Vulnerabilities to Break Facebook Appointment Times For the Second Time | Max Pasqua | Facebook | Logic flaw, DoS | $500 | 12/14/2018 |
| #BugBounty — “User Account Takeover-I just need your email id to login into your shopping portal account” | Avinash Jain (@logicbomb_1) | – | OAuth flaw, Authentication bypass, Account takeover | – | 12/13/2018 |
| Exploiting XXE with local DTD files | Arseniy Sharoglazov (@_mohemiv) | – | XXE | – | 12/13/2018 |
| Pilot Into Facebook Group Support | Jane Manchun Wong (@wongmjane) | Facebook | Logic flaw, Authorization flaw | $0 | 12/13/2018 |
| [Open redirect] Developers are lazy(or maybe busy) | KatsuragiCSL (@ZuuitterE) | – | Open redirect | $150 | 12/12/2018 |
| Second bite on GitLab, and some interesting Ruby functions/features | Nyangawa | Gitlab | RCE | $10,000 | 12/12/2018 |
| From blind XXE to root-level file read access | Pieter Hiele (@honoki) | – | Blind XXE | – | 12/12/2018 |
| How i was able to pwned application by Bypassing Cloudflare WAF | gujjuboy10x00 (@vis_hacker) | – | WAF bypass | – | 12/12/2018 |
| Microsoft Account Takeover Vulnerability Affecting 400 Million Users | Aviva Zacks | Facebook | Subdomain takeover, OAuth flaw | – | 12/11/2018 |
| How I could have stolen your photos from Google – my first 3 bug bounty writeups | Gergő Turcsányi (@GergoTurcsanyi) | Google | Parameter tampering, Authorization flaw, IDOR | $4,133.7 | 12/11/2018 |
| How I was able to generate Access Tokens for any Facebook user. | Samm0uda (@Samm0uda) | Facebook | IDOR, Information disclosure | – | 12/11/2018 |
| Bruteforcing Instagram account’s passwords without limit. | Samm0uda (@Samm0uda) | Facebook | Bruteforce, Lack of rate limiting | – | 12/11/2018 |
| A Misconfiguration in techprep.fb.com REST API allowed me to modify any user profile. | Samm0uda (@Samm0uda) | Facebook | Authorization flaw | – | 12/11/2018 |
| How i was able to upload files to api.techprep.fb.com | Samm0uda (@Samm0uda) | Facebook | Unrestricted file upload, XSS | – | 12/11/2018 |
| Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over | Plenum (@plenumlab) | – | Account takeover, Privilege escalation, Bruteforce | – | 12/10/2018 |
| My first bug bounty writeup | Sampanna Chimoriya | Indeed | XSS, HTML injection | – | 12/10/2018 |
| Change Anyone’s profile picture-Exploiting IDOR | Rupika Luhach | – | IDOR | – | 12/09/2018 |
| Proof Of Concept Nokia Cross Site Scripting | Adesh Kolte (@AdeshKolte) | Nokia | XSS | $0, HoF | 12/09/2018 |
| How I was Able To Bypass Email Verification | Muzammil Kayani (@muzammilabbas2) | – | Information disclosure | $200 | 12/08/2018 |
| RCE in Hubspot with EL injection in HubL | Fyoorer (@ƒyoorer) | Hubspot | RCE | – | 12/07/2018 |
| Billion Laugh Attack in https://sites.google.com | Antonio Sanso (@asanso) | Google | Billion laugh attack, DoS | $500 | 12/05/2018 |
| XSS to XXE in Prince v10 and below (CVE-2018-19858) | Corben Leo (@hacker_) | – | XSS, XXE | – | 12/05/2018 |
| Taking over Google calendar of a company | Daniel V. | – | Subdomain takeover | – | 12/04/2018 |
| How to accidentally find a XSS in ProtonMail iOS app | SecuNinja (@secuninja) | ProtonMail | XSS | – | 12/04/2018 |
| GitHub Desktop RCE (OSX) | André Baptista (@0xACB) | Github | RCE | – | 12/04/2018 |
| Digging in to SCP Command Injection | Dylan Katz (@Plazmaz) | JSch | Command injection | $0 | 12/03/2018 |
| [BBP Series 3] Hijack the JS File of Uber’s Website | Chaobin Zhang | Uber | JS file hijacking | $6,000 | 12/03/2018 |
| Love Story Of A Account Takeover (Chaining Host Header Injection To Takeover Someones Account) | Logical Bimboo | – | Host header injection | – | 11/30/2018 |
| Story about my first bug bounty | Sudhanshu Raj | Alibaba | XSS | $100 | 11/30/2018 |
| Exploiting post message to steal and replace user’s cookies | Yasser Gersy (@yassergersy) | – | postMessage flaw | – | 11/30/2018 |
| Broken Authentication — Bug Bounty | Vulnerables | – | Improper session management | $50 | 11/28/2018 |
| IRCTC — Millions of Passenger Details left at huge risk! | Avinash Jain (@logicbomb_1) | IRCTC | Information disclosure, Lack of rate limiting | $0 | 11/28/2018 |
| Pwning eBay – How I Dumped eBay Japan’s Website Source Code | David (@slashcrypto) | Ebay | .git folder disclosure, Source code disclosure | $0, HoF | 11/28/2018 |
| How I Managed to Create Unauthorized Comments on Facebook Live Stream- part 1 | Binit Ghimire | Facebook | Authorization flaw | $750 | 11/27/2018 |
| Instagram Multi-factor authentication Bypass | Vishnuraj KV | Facebook | 2FA bypass | – | 11/27/2018 |
| XSS on Facebook’s acquisition Oculus CDN | Amol Baikar (@AmolBaikar) | Facebook | XSS | $1,500 | 11/27/2018 |
| XSS on Facebook-Instagram CDN Server bypassing signature protection. | Amol Baikar (@AmolBaikar) | Facebook | XSS | $1,500 | 11/27/2018 |
| Facebook Source Code Disclosure in ads API | Amol Baikar (@AmolBaikar) | Facebook | Source code disclosure | – | 11/26/2018 |
| From CTFs to Bug Bounty Booty | Benji Tobias | Tailor Store | Information disclosure | $200 | 11/26/2018 |
| XML XSS in \*.yandex.ru by Accident | Oktavandi (@0ktavandi) | Yandex | XSS | $160 | 11/26/2018 |
| My Journey To The Google Hall Of Fame | Abartan Dhakal (@imhaxormad) | Google | Open redirect, XSS | – | 11/25/2018 |
| Stored XSS Vulnerability in Jotform and H1C Private Site | Anas Mahmood (@AnasIsHere) | – | Stored XSS | $1,000 | 11/23/2018 |
| Bypassing Scratch Cards On Google Pay | Pratheesh P Narayanan | Google | Logic flaw | $0, Duplicate | 11/22/2018 |
| Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read! | Zain Sabahat (@Zain_Sabahat) | – | SSRF, LFI | – | 11/22/2018 |
| An interesting XXE in SAP. | Zain Sabahat (@Zain_Sabahat) | SAP | XXE | – | 11/22/2018 |
| How i Found Information Disclosure on Scribd.com | Zerb0a | Scribd.com | CSRF | $0 | 11/22/2018 |
| How I Hacked Netflix users & Use it free forever | Blueberryinfosec (@bbinfosec) | Netflix | Cookie injection, Privilege escalation | $0 | 11/19/2018 |
| XS-Searching Google’s bug tracker to find out vulnerable source code | Luan Herrera (@lbherrera_) | Google | XS-Search attack, Information disclosure | $9,400 | 11/19/2018 |
| Authentication bypass in NodeJS application — a bug bounty story | bl4de (@_bl4de) | – | Authentication bypass | – | 11/19/2018 |
| XSS bypass using META tag in realestate.postnl.nl | Prial Islam Khan (@prial261) | post.nl | XSS | $0, HoF, Swag | 11/18/2018 |
| From Security Misconfiguration to Gaining Access of SMTP server | Daniel V. | – | Phpinfo file disclosure | – | 11/18/2018 |
| Edmodo XSS Bug | Sameer Phad (@sameerphad72) | Edmodo | XSS | – | 11/18/2018 |
| Bypassing “How I hacked Google’s bug tracking system itself for $15,600 in bounties.” | Gopal Singh (@gopalsinghcse) | Google | Logic flaw | $3,133.70 | 11/17/2018 |
| Microsoft BingPlaces Business – (url) Redirect Vulnerability | Benjamin K.M. | Microsoft | Open redirect | – | 11/16/2018 |
| XSS in hidden input fields | Portswigger | – | XSS | – | 11/16/2018 |
| [POC] Cross-Site Scripting on Garuda Indonesia Website | Arif-ITSEC111 | Garuda Indonesia | XSS | – | 11/16/2018 |
| HackenProof Customer Story: Uklon | HackenProof (@hackenproof) | Uklon | XSS, IDOR, Blind XSS, Account takeover | – | 11/16/2018 |
| Most common security vulnerabilities in npm static server modules | bl4de (@_bl4de) | Node.js third-party modules | Path traversal, LFI, HTML injection, XSS | – | 11/16/2018 |
| [email protected] Account Takeover via Cross site request forgery | Adesh Kolte (@AdeshKolte) | [email protected] | CSRF | – | 11/16/2018 |
| Spoofing file extensions on HackerOne | Anurag Jain (@csanuragjain) | Hackerone | Unrestricted file upload | – | 11/16/2018 |
| Disclose Page Admins via Gaming Dashboard Bans | Philippe Harewood | Facebook | Information disclosure | – | 11/15/2018 |
| Facebook Vulnerability: Hiding from the view of Business Admin in the Business Manager | Ritish Kumar Singh | Facebook | Logic flaw, Authorization flaw | $500 | 11/15/2018 |
| How I Discovered XSS that Affects around 20 Uber Subdomains | Fady Othman (@Fady_Othman) | Uber | XSS | $2,500 | 11/14/2018 |
| Breaking Appointments and Job Interview Schedules With Malformed Times | Max Pasqua | Facebook | DoS | $500 | 11/14/2018 |
| Spoof All Domains Containing ‘d’ in Apple Products [CVE-2018-4277] | Tencent’s Xuanwu Lab | Apple | Browser flaw | – | 11/13/2018 |
| OOB XXE in PrizmDoc (CVE-2018-15805) | Nik srivastava | PrizmDoc | OOB XXE | – | 11/13/2018 |
| [DOM based XSS] Or why you should not rely on Cloudflare too much | KatsuragiCSL (@ZuuitterE) | – | DOM XSS | – | 11/13/2018 |
| Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends | Ron Masas | Facebook | CSRF, Information disclosure | – | 11/13/2018 |
| Chain exploitation of XSS | Mikhail Klyuchnikov (@\_\_Mn1\_\_) | – | DOM XSS, Clickjacking, CSRF | – | 11/12/2018 |
| Clickjacking on Google MyAccount Worth 7,500$ | Anurag Jain (@csanuragjain) | Google | Clickjacking | $7,500 | 11/11/2018 |
| #bugbounty How I Takeover Microsoft Store. | Sadiq West | Microsoft | Subdomain takeover | $0, HoF | 11/08/2018 |
| Object name Exposure — ING Bank Responsible Disclosure Program | Rohit kumar (@rohitcoder) | ING Bank | Information disclosure | – | 11/08/2018 |
| How I earned 5040$ from Twitter by showing a way to Harvest other users IP address | Prial Islam Khan (@prial261) | Twitter | Information disclosure | $5,040 | 11/07/2018 |
| Vine User’s Private information disclosure | Prial Islam Khan (@prial261) | Vine | IDOR, Information disclosure | $7,560 | 11/07/2018 |
| WordPress Design Flaw Leads to WooCommerce RCE | Simon Scannell | WordPress | RCE | – | 11/06/2018 |
| XSS in Dynamics 365 | Tim Kent (@__timk) | Microsoft | XSS | – | 11/06/2018 |
| Hacking a Company Through help desk – Ticket Trick \| Bug Bounty POC | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | – | Ticket Trick | – | 11/05/2018 |
| Evernote For Windows Read Local File and Command Execute Vulnerabilities | TongQing Zhu | Evernote | Stored XSS, LFI, RCE | – | 11/05/2018 |
| Duplicate but still cool | Plenum (@plenumlab) | – | IDOR, Account takeover | – | 11/05/2018 |
| Unauthenticated RSFTP to Command Injection | Nicodemo Gawronski | – | Path traversal, RCE | – | 11/03/2018 |
| Full Account Takeover via Referer Header (OAuth token Steal, Open Redirect Vulnerability Chaining) | M.Asim Shahzad | – | Open redirect, OAuth token theft, Account takeover | $1,200 | 11/03/2018 |
| How Outdated JIRA Instances suffers from multiple security vulnerabilities? | Yeasir Arafat | Visma | XSS, SSRF | – | 11/03/2018 |
| Imagemagick GIF coder vulnerability leads to memory disclosure (Hackerone) | Kunal pandey (@kunalp94) | Hackerone | Imagemagick GIF | $500 | 11/02/2018 |
| Finding hidden gems vol. 3: quick win with .sh file | Mateusz Olejarka | – | Information disclosure, Github leak | – | 11/01/2018 |
| P1 Like a Boss \| Information Disclosure via Github leads to Employee Account Takeover \| Bug Bounty POC | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | – | Information disclosure, Github leak | $1,500 | 11/01/2018 |
| Stored XSS in Bug Bounty | KatsuragiCSL (@ZuuitterE) | – | Stored XSS | – | 11/01/2018 |
| [Open Redirect] When your PoC doesn’t work because of the server load balancers | tololovejoi (@tolo7010) | – | Open redirect | $300 | 11/01/2018 |
| Bypass HackerOne 2FA requirement and reporter blacklist | Japz Divino (@japzdivino) | Hackerone | Logic flaw, 2FA bypass, Authentication flaw | $10,000 | 10/31/2018 |
| It’s all in the detail: Email leak & Account takeover thanks to WayBackMachine & extensive knowledge about the program | Zseano (@zseano) | – | Information disclosure, Authentication bypass, Account takeover | – | 10/30/2018 |
| IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”} | Plenum (@plenumlab) | – | IDOR | $1,500 | 10/30/2018 |
| Journey through Google referer leakage bugs. | KL Sreeram (@kl_sree) | Google | Information disclosure, Referer leakage | $4,633.7 | 10/28/2018 |
| #BugBounty — How I was able to download the Source Code of India’s Largest Telecom Service Provider including dozens of more popular websites! | Avinash Jain (@logicbomb_1) | – | .git folder disclosure, Source code disclosure | – | 10/27/2018 |
| Privilege Escalation like a Boss | janijay007 | – | IDOR | – | 10/27/2018 |
| How Misconfigured API leaked user private information? | Yeasir Arafat | – | IDOR, Authorization flaw | – | 10/26/2018 |
| A very useful technique to bypass the CSRF protection for fun and profit. | Yeasir Arafat | – | CSRF | – | 10/26/2018 |
| CSRF account takeover Explained Automated/Manual — Bug Bounty | Vulnerables | OpenMenu | CSRF, Account takeover | $250 | 10/26/2018 |
| CSRF account takeover in a company worth 1B$ | Vulnerables | – | CSRF, Account takeover | $100 | 10/26/2018 |
| Subdomain takeover dew to missconfigured project settings for Custom domain . | Prial Islam Khan (@prial261) | Flock | Subdomain takeover | – | 10/25/2018 |
| DoS on Facebook Android app using 65530 characters of ZERO WIDTH NO-BREAK SPACE. | Rahul Kankrale (@RahulKankrale) | Facebook | DoS | – | 10/25/2018 |
| SOAP- Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software | Nik srivastava | – | XXE | – | 10/24/2018 |
| Facebook hidden redirection vulnerability | Ege Ken | Facebook | Open redirect | $0 | 10/24/2018 |
| XSS with HTML and how to convert the HTML into charcode() | Arif-ITSEC111 | Purinar Logistics | XSS | – | 10/22/2018 |
| Google sites and exploiting same origin policy | Raushan Raj (@raushan_rajj) | Google | SOP bypass | $3,133.70 | 10/22/2018 |
| Cookie-based-injection XSS making exploitable with-out exploiting other Vulns | Utkarsh Agrawal | – | XSS | – | 10/22/2018 |
| Harvesting all private invites using leave program fast-tracked invitation and [email protected] email forwarding feature | Japz Divino (@japzdivino) | Hackerone | Logic flaw | $2,500 & Swag | 10/22/2018 |
| A possibility of Account Takeover in Medium | Prashant Kumar (@notsoshant) | Medium | Account takeover, Logic flaw | $0 | 10/20/2018 |
| XSS with PUT in Ghost Blog | Derek (@StackCrash) | Ghost | XSS | – | 10/19/2018 |
| XSS using a bug in Safari and why blacklists are stupid | Linus Särud (@_zulln) | Apple | DOM XSS | – | 10/19/2018 |
| Add comment on a private Oculus Developer bug report | Sarmad Hassan (@JubaBaghdad) | Facebook | IDOR, Authorization flaw | – | 10/18/2018 |
| Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne | Japz Divino (@japzdivino) | Hackerone | Logic flaw | $12,500 | 10/17/2018 |
| XXE in IBM’s MaaS360 Platform | Cody Wass | IBM | XXE | – | 10/16/2018 |
| Path traversal while uploading results in RCE | Harsh Jaiswal (@rootxharsh) | – | Path traversal, RCE | – | 10/15/2018 |
| Brave Browser Script Blocker Bypass Vulnerability | Xiaoyin Liu | Brave Software | Script blocker bypass | – | 10/13/2018 |
| Microsoft CSRF Vulnerability | Adesh Kolte (@AdeshKolte) | Microsoft | CSRF | $500 | 10/12/2018 |
| [Bug bounty \| mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users | Max (@iSecMax) | Mail.ru | Authentication bypass, Blind XSS | – | 10/12/2018 |
| Magic XSS with two parameters | Mahmood Shahabi (@m4shahab1) | – | XSS | – | 10/12/2018 |
| Add description to Instagram Posts on behalf of other users – 6500$ | Sarmad Hassan (@JubaBaghdad) | Facebook | IDOR | $6,500 | 10/12/2018 |
| Microsoft Edge Remote Code Execution | Abdulrahman Al-Qabandi (@Qab) | Microsoft | RCE | – | 10/11/2018 |
| Access to staging environment via User-Agent string | Yasser Gersy (@yassergersy) | – | Authentication bypass | – | 10/10/2018 |
| Symantec Messaging Gateway authentication bypass | Artem Kondratenko (@artkond) | Symantec | Authentication bypass | – | 10/10/2018 |
| Facebook Business Takeover | Philippe Harewood | Facebook | Authorization flaw, Logic flaw | $27,500 | 10/09/2018 |
| Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR) | Jon Bottarini (@jon_bottarini) | New Relic | IDOR | $2,500 | 10/09/2018 |
| DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More | VPN Mentor (@vpnmentor) | Tinder | DOM XSS | – | 10/09/2018 |
| Make any Unit in Facebook Groups Undeletable | Sarmad Hassan (@JubaBaghdad) | Facebook | Logic flaw, IDOR, Authorization flaw | – | 10/09/2018 |
| [Critical] Bypass CSRF protection on IBM | Mohamed Sayed (@FlEx0Geek) | IBM | CSRF | – | 10/09/2018 |
| Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com | Jonathan Bouman (@JonathanBouman) | LinkedIn | Stored XSS | $0, HoF | 10/07/2018 |
| My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY | Ali Tütüncü (@alicanact60) | – | Reflected XSS, CSP bypass | – | 10/07/2018 |
| Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study | Abdelmoughite Eljoaydi | Paypal | Blind XXE | – | 10/05/2018 |
| Clickjacking in Google Docs and Voice typing feature. | Raushan Raj (@raushan_rajj) | Google | Clickjacking | $2,337 | 10/05/2018 |
| GoogleMeetRoulette: Joining random meetings | Martin Vigo (@martin_vigo) | Google | Bruteforce, Logic flaw | – | 10/04/2018 |
| An interesting Google vulnerability that got me 3133.7 reward. | Ebrahem Hegazy (@Zigoo0) | Google | CSRF | $3,133.7 | 10/04/2018 |
| Persistent XSS (Unvalidated oEmbed) at Medium.com | Jonathan Bouman (@JonathanBouman) | Medium | Stored XSS | $100 | 10/04/2018 |
| Exploiting an unknown vulnerability | Abhishek Bundela (@abhibundela) | – | Logic flaw, Payment tampering | – | 10/03/2018 |
| Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager | Rohit kumar (@rohitcoder) | Facebook | Logic flaw, Information disclosure | $3,000 | 10/03/2018 |
| AWS takeover through SSRF in JavaScript | Gwendal Le Coguic (@gwendallecoguic) | – | SSRF | – | 10/02/2018 |
| Applying a small bypass to steal Facebook Session tokens in Uber | Samuel (@saamux) | Uber | XSS, CSP bypass, OAuth flaw | – | 10/02/2018 |
| How i found Stored xss on your-domain.redacted.com | Rudra Sarkar (@rudr4_sarkar) | – | XSS | $0 | 10/02/2018 |
| Collecting Shells by the Sea of NAS Vulnerabilities | Rick Ramgattie (@RRamgattie) | Lenovo | OS command injection, XSS, CSRF | – | 10/01/2018 |
| Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps | Mohamed Haron (@m7mdharon) | Shopify | Subdomain takeover | – | 10/01/2018 |
| Google Stored XSS in Payments | Barış Sağdıç (@brsgdc) | Google | Stored XSS | – | 10/01/2018 |
| How I was able to takeover account’s of an Earning App | Abbas Wafa | – | Information disclosure | $0 | 10/01/2018 |
| Hacking the Subway Android app | Wesley Gahr (@wesley_gahr) | Subway | Logic flaw, Authorization flaw | – | 09/28/2018 |
| IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent | Divyanshu Shukla | Confluent | IDOR, Content spoofing, Open redirect | – | 09/28/2018 |
| Just another tale of severe bugs on a private program. | Siva Krishna Samireddi (@le4rner) | – | Open redirect, SSRF, IDOR, Logic flaw | $1,623 | 09/28/2018 |
| #BugBounty — From finding Jenkins instance to Command Execution.Secure your Jenkins Instance! | Avinash Jain (@logicbomb_1) | – | RCE, Exposed Jenkins instance | – | 09/27/2018 |
| Thick Client — Attacking databases the fun/easy way | Richard Clifford | – | Thick client flaw, Credentials sent over unencrypted channel | – | 09/26/2018 |
| Arbitrary File Read in one of the largest CRMs | Richard Clifford | – | LFI | – | 09/26/2018 |
| [XSS] survey.dropbox.com | Kumar | Dropbox | XSS | $0 | 09/25/2018 |
| Weaponizing XSS Attacking Internal System | Rahul R | – | Blind XSS | – | 09/25/2018 |
| Subdomain Takeover via Unsecured S3 Bucket Connected to the Website | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | – | Subdomain takeover | – | 09/24/2018 |
| Responsible disclosure: retrieving a user’s private Facebook friends. | Riccardo Padovani (@rpadovani93) | Facebook | Logic flaw, Authorization flaw, Information disclosure | 3,000 | 09/23/2018 |
| How I XSS’ed Uber and Bypassed CSP | Efkan (@mefkansec) | Uber | Reflected XSS | 2,000 | 09/22/2018 |
| R-XSS -> CSRF bypass to account takeover/ | Nirmal Dahal (@TheNittam) | – | Reflected XSS, CSRF bypass | – | 09/21/2018 |
| Bypassing Firebase authorization to create custom goo.gl subdomains | Thomas Orlita (@ThomasOrlita) | Google | Logic flaw, IDOR | – | 09/21/2018 |
| Another XSS in Google Colaboratory | Michał Bentkowski | Google | XSS | – | 09/20/2018 |
| Shopify Athena Bug | Uranium238 (@uraniumhacker) | Shopify | Authorization flaw, Information disclosure | – | 09/20/2018 |
| Local file inclusion at IKEA.com | Jonathan Bouman (@JonathanBouman) | Ikea | LFI | $250 | 09/19/2018 |
| Bypassing Authentication Using Javascript Debugger. | Mohit Dabas (@mohitdabas08) | – | Authentication bypass | – | 09/18/2018 |
| How i bypassed AKAMAI KONA WAF , XSS in overstock.com ! | Oktavandi (@0ktavandi) | Overstock.com | XSS | – | 09/18/2018 |
| Facebook $750 Reward for a Simple Bug | Aman Shahid (@amansmughal) | Facebook | Authentication bypass, Logic flaw | $750 | 09/18/2018 |
| Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution ) | Armaan Pathan (@armaancrockroax) | – | LFI, Unrestricted File Upload, RCE | – | 09/18/2018 |
| Reflected XSS at Philips.com | Jonathan Bouman (@JonathanBouman) | Philips | Reflected XSS | – | 09/17/2018 |
| XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites | Randy Westergren (@RandyWestergren) | Google | XSS | $0 | 09/17/2018 |
| Vertical escalation of privileges Leading to Sensitive Data Exposure | Umair Ahmed (@u_ahmedofficial) | – | Bruteforce, IDOR, Authorization flaw | – | 09/16/2018 |
| User Account takeover in India’s largest digital business company | Minali Arora (@AroraMinali) | – | Account takeover, OTP bypass | – | 09/16/2018 |
| IDOR User Account Takeover By Connecting My Facebook Account with victims Account | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | Facebook | IDOR | $1,200 | 09/16/2018 |
| Persistent Cross-Site Scripting on redacted worth $2,000 | M.Asim Shahzad | – | Stored XSS | $2,000 | 09/15/2018 |
| How I hijacked your account when you opened my cat picture | Matti Bijnens (@MattiBijnens) | – | Logout CSRF | – | 09/14/2018 |
| Hacking your own antivirus for fun and profit (Safe browsing gone wrong) | Martin Thirup Christensen (@Mthirup) | Bullguard | Reflected XSS | $0 | 09/14/2018 |
| Subdomain Takeover worth 200$ | Ali Razzaq (@AliRazzaq_) | Netlify | Subdomain takeover | $200 | 09/14/2018 |
| Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html | Daniel Maksimovic | Silver Gold Bull | DOM XSS, Clickjacking | – | 09/13/2018 |
| Subdomain Takeover via Campaignmonitor | Mohamed Haron (@m7mdharon) | Campaign Monitor | Subdomain Takeover | $900 | 09/11/2018 |
| Open-Redirect Vulnerability in udacity.com | Anil Tom | Udacity | Open redirect | $0, Swag | 09/11/2018 |
| Hacking a Crypto Debit Card Service | Muhammad Abdullah | Plutus | SQL injection | – | 09/11/2018 |
| XXE at Bol.com | Jonathan Bouman (@JonathanBouman) | Bol.com | XXE | $500 (voucher) | 09/11/2018 |
| How to do 55.000+ Subdomain Takeover in a Blink of an Eye | BuckHacker (@thebuckhacker) | Shopify | Subdomain takeover | – | 09/10/2018 |
| Authentication Bypass Using SQL Injection AutoTrader Webmail – Bug Bounty POC | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | AutoTrader | SQL injection | – | 09/10/2018 |
| Stored XSS Vulnerability in H1C Private site | Anas Mahmood (@AnasIsHere) | – | Stored XSS | $900 | 09/09/2018 |
| Making the Facebook app more secure – $8500 bounty | Ash King | Facebook | Open redirect | $8,500 | 09/09/2018 |
| ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | ZOL Zimbabwe | XSS, SQL injection | – | 09/09/2018 |
| How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website) | M.Asim Shahzad | – | Open redirect | – | 09/09/2018 |
| Disclosure of Facebook Page Admin due to insecure tagging behavior | Aj Dumanhug (@ajdumanhug) | Facebook | Information disclosure, Logic flaw | – | 09/09/2018 |
| Stored XSS Vulnerability in Tumblr | Anas Mahmood (@AnasIsHere) | Tumblr | Stored XSS | $1,000 | 09/08/2018 |
| Reflected XSS in Google Code Jam | Thomas Orlita (@ThomasOrlita) | Google | Reflected XSS | – | 09/08/2018 |
| SQL Injection Vulnerability bootcamp.nutanix.com \| Bug Bounty POC | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | Nutanix | SQL injection | $0, Swag | 09/08/2018 |
| Bypassing Hotstar Premium with DOM manipulation and some JavaScript | OpSecX | Hotstar | Logic flaw, Payment bypass | $0 | 09/07/2018 |
| RCE Unsecure Jenkins Instance \| Bug Bounty POC | Muhammad Khizer Javed / babayaga47 (@khizer_javed47) | – | RCE | $0 | 09/07/2018 |
| Write-up – Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS MaiL app | @omespino | Yahoo! | Stored XSS | $3,500 | 09/07/2018 |
| Simple Login Brute Force / Current Password Requirement Bypass | Mandeep Jadon (@1337tr0lls) | – | IDOR, Account takeover, Bruteforce | – | 09/07/2018 |
| #BugBounty — How Naaptol (India’s popular home shopping company) Kept their Millions of User Data at Risk! | Avinash Jain (@logicbomb_1) | Naaptol | IDOR | – | 09/07/2018 |
| How I could download the source code of an Indian e-commerce website!! | Minali Arora (@AroraMinali) | – | File disclosure, Source code disclosure | – | 09/05/2018 |
| P1 Vulnerability in 60 seconds | @Wh11teW0lf | – | Information disclosure, File disclosure | $1,500 | 09/05/2018 |
| Facebook Bug Bounty! {Permission Bug} | Ali Tütüncü (@alicanact60) | Facebook | Authorization flaw, Logic flaw | $750 | 09/05/2018 |
| Admin Disclosure of Facebook Business all Pages by normal employees: | Kamal | Facebook | Information disclosure | $0 | 09/02/2018 |
| How I could have launched a spear phishing campaign with Starbucks email servers | Kyle (@b3nac) | Starbucks | Host header injection | $150 | 09/01/2018 |
| Send request to Martians. Earthlings are already your friends. | Sagar VD | Google | CSRF | – | 09/01/2018 |
| I Own Your Customers !!! | Muhammad Abdullah | – | Information disclosure, Hardcoded credentials, AWS flaw | – | 09/01/2018 |
| Pwned Together: Hacking dev.to | Antony Garand | Dev.to | Stored XSS | $150, HoF | 08/31/2018 |
| $100 Bounty in 300 seconds isn’t bad !!! | Rohan Chavan (@rohanchavan1918) | Zoho | Stored XSS | $100, HoF | 08/31/2018 |
| Reflected XSS in Django REST Framework Api at MapBox Subdomain | Mohamed Haron (@m7mdharon) | Mapbox | Reflected XSS | $500 | 08/29/2018 |
| Finding hidden gems vol. 2: REAMDE.md, the story of a bit too helpful readme file | Mateusz Olejarka | – | Information disclosure, Github leak | $0 | 08/29/2018 |
| A Infinite Loop Story. | Ashish Kunwar (@D0rkerDevil) | – | DoS | $100 | 08/29/2018 |
| Reflected Swf XSS at ( https://plugins.svn.wordpress.org ) | Mohamed Haron (@m7mdharon) | WordPress | Swf XSS, Reflected XSS | $350 | 08/28/2018 |
| How i found a 1500$ worth Deserialization vulnerability | Ashish Kunwar (@D0rkerDevil) | – | Misconfigured JSF ViewState, Java deserialization | $1,500 | 08/28/2018 |
| IDOR FACEBOOK: malicious person add people to the “Top Fans” | Jafar Abo Nada | Facebook | IDOR | – | 08/28/2018 |
| Traversing the Path to RCE | hawkinsecurity | – | Path traversal, RCE | $0 | 08/27/2018 |
| Uber Bug Bounty: 1000$ for two “high severity” issue | Peuch | Uber | Information disclosure, Github leak | $1,000 | 08/27/2018 |
| Open Redirection | negative Wibes | Pleio | Open redirection | – | 08/26/2018 |
| My first valid xss(@Hackerone) | Jatin Aesthetic | – | XSS | $100 | 08/25/2018 |
| Remote Code Execution on a Facebook server | Daniel Le Gall | Facebook | RCE | $5,000 | 08/24/2018 |
| Privileged Escalation in Facebook Messenger Rooms | Jafar Abo Nada | Facebook | Privilege escalation, IDOR | – | 08/24/2018 |
| SQL Injection Vulnerability In University Of Cambridge | Adesh Kolte (@AdeshKolte) | Cambridge | SQL injection | – | 08/24/2018 |
| Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org | Thomas Orlita (@ThomasOrlita) | Webcomponents.org | Stored XSS | – | 08/23/2018 |
| API key: The real goldmine | Yumi | – | Information disclosure | – | 08/19/2018 |
| User credential are sent in clear text in Whatsapp web— FIXED \| Facebook Bug Bounty | Thuvarakan Nakarajah | Facebook (WhatsApp) | Credentials sent over HTTP | – | 08/18/2018 |
| YAHOO IDOR -elimination of any comment | Bada Diaz (@bada77) | Yahoo | IDOR | – | 08/17/2018 |
| 3 Minutes & XSS! | Ashish Jha | Edmodo | XSS | – | 08/17/2018 |
| IDOR leads to account takeover | @s0cket7 | – | IDOR | – | 08/16/2018 |
| ICloud.com DOM-Based XSS! #BugBounty | Musab Alhussein | Apple | DOM XSS | $0, HoF | 08/14/2018 |
| Another “TicketTrick” story | Uranium238 (@uraniumhacker) | Uber | Logic flaw, TicketTrick | – | 08/14/2018 |
| XSS at Hubspot and XSS in email areas. | Friendly (@SkeletorKeys) | Hubspot, [Private program] | XSS | $450 | 08/13/2018 |
| IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo | Aagam shah (@neutrinoguy) | Edmodo | IDOR | – | 08/12/2018 |
| Distorted and Undeletable Posts in Facebook Group | Sarmad Hassan (@JubaBaghdad) | Facebook | Authorization flaw, Logic flaw | – | 08/12/2018 |
| How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System | Orange Tsai (@orange_8361) | Amazon | RCE | – | 08/11/2018 |
| S3 Bucket Misconfiguration in Amazon | Divyanshu Shukla | Amazon | AWS flaw | $0 | 08/11/2018 |
| Adminer Script Results to Pwning Server?, Private Bug Bounty Program | Yasho | – | Authentication bypass | – | 08/11/2018 |
| Misconfigured JIRA setting – Apigee | Tutorgeeks | Google, Jira | Information disclosure | – | 08/10/2018 |
| [Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to Access control issue and Information Disclosure of role privileged users. | | | | | |
Peerzada Fawaz Ahmad Qureshi (@zk34911) |
Twitter |
Authorization flaw, Information disclosure |
$280 |
08/10/2018 |
| Subdomain Takeover: Yet another Starbucks case |
Patrik Hudak |
Starbucks |
Subdomain takeover |
$2,000 |
08/09/2018 |
| From TOMCAT to NT AUTHORITY/SYSTEM |
Rahul R |
– |
Default credentials |
– |
08/09/2018 |
| My Disclosed Report about Basic auth Api details at Reverb.com |
Mohamed Haron (@m7mdharon) |
Reverb |
Information disclosure |
$100 |
08/09/2018 |
Archived content |
| This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs |
Carlos Daniel Giovanella |
HackerOne, Sentry |
Logs flooding and falsification |
$0 |
08/09/2018 |
| My First Critical Report |
Miguel Corral (@mcorral74) |
– |
Password reset flaw, Account takeover |
$2,500 |
08/08/2018 |
| How I hacked a Crypto Exchange (Bug Bounty Writeup) |
Muhammad Abdullah |
– |
IDOR |
– |
08/07/2018 |
| From data leak to account takeover |
Antony Garand |
– |
Account takeover, Information disclosure, Password reset flaw |
– |
08/07/2018 |
| How I gained commit access to Homebrew in 30 minutes |
Eric Holmes (@vesirin) |
Homebrew |
Information disclosure |
– |
08/07/2018 |
| Sending out phishing e-mails from @microsoft.com |
@si9int |
Microsoft |
HTML injection |
$0 |
08/07/2018 |
| Unauth meetings access |
Uranium238 (@uraniumhacker) |
Google |
Authorization flaw, Logic flaw |
– |
08/06/2018 |
| Self XSS leads to blind XSS and reflected XSS. |
Friendly (@SkeletorKeys) |
– |
Blind XSS, Reflected XSS |
$700 |
08/06/2018 |
| Reflected XSS Primagames.com |
Friendly (@SkeletorKeys) |
Prima Games |
Reflected XSS |
– |
08/06/2018 |
| My First Swag Pack : A Logical Bug on Edmodo |
Abartan Dhakal |
Edmodo |
Logic flaw |
$0, Swag |
08/05/2018 |
| Stored XSS in GameSkinny |
Friendly (@SkeletorKeys) |
GameSkinny |
Stored XSS |
– |
08/03/2018 |
| Blind-XSS in Chrome Experiments – Google (Write Up) |
Evan Ricafort |
Google |
Blind XSS |
$100 |
08/03/2018 |
| #BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company |
Avinash Jain (@logicbomb_1) |
Paytm |
IDOR |
– |
08/03/2018 |
| Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375) |
Daniel Kachakil |
Google |
Privilege escalation, Android flaw |
– |
08/01/2018 |
| Exploiting a Microsoft Edge Vulnerability to Steal Files |
Ziyahan Albeniz |
Microsoft |
SOP bypass |
– |
08/01/2018 |
| Shipt Subdomain TakeOver via HeroKu ( test.shipt.com ) |
Mohamed Haron (@m7mdharon) |
Shipt |
Subdomain takeover |
– |
08/01/2018 |
Archived content |
| Disclose Facebook Internal Server Information With A Strange Poll |
Jane Manchun Wong (@wongmjane) |
Facebook |
Logic flaw |
– |
08/01/2018 |
| CRLF Injection Into PHP’s cURL Options |
TomNomNom |
– |
CRLF injection |
– |
08/01/2018 |
| How I could access your internal servers, steal and modify your image repository |
PoC || GO |
– |
RCE |
– |
07/31/2018 |
| Hacking Imgur for Fun and Profit |
Nathan (@NathOnSecurity) |
Imgur |
Outdated component with a known vulnerability, Information disclosure |
$5,500 |
07/29/2018 |
| 18th Acknowledgement From Microsoft |
Muhammad Muhaddis |
Microsoft |
IDOR |
$0, HOF |
07/29/2018 |
| Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty) |
Brian Hyde |
Yahoo |
XSSI |
$750 |
07/29/2018 |
| Microsoft Office 365 Stored XSS |
@Pethuraj |
Microsoft |
Stored XSS |
$0, HOF |
07/29/2018 |
| Making a Blind SQL Injection a Little Less Blind |
TomNomNom |
– |
SQL injection |
– |
07/28/2018 |
| Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features |
Ameer Assadi |
Binary.com |
Clickjacking |
– |
07/28/2018 |
| How I found XSS on Amazon? |
Coding_Karma |
Amazon |
XSS |
$0 |
07/26/2018 |
| Exfiltration via CSS Injection |
d0nut |
– |
CSS injection |
– |
07/25/2017 |
| SQL Injection and A silly WAF |
Mahmoud Gamal |
– |
SQL injection |
– |
07/25/2017 |
| Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716] |
Sebastian (ha.cker.info) |
Private program, SEOmatic CMS plugin |
SSTI |
– |
07/24/2018 |
| Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again |
Michał Bentkowski |
Google |
Open redirect |
$7,500 |
07/24/2018 |
| Finding hidden gems vol. 1: forging OAuth tokens using discovered client id and client secret |
Mateusz Olejarka |
– |
Information disclosure |
$3,133.7 |
07/23/2018 |
| Unclaimed Medium Publication takeover in WeTransfer |
Prial Islam Khan (@prial261) |
WeTransfer |
Medium publication takeover |
$100 |
07/21/2018 |
| Google Assistant Bug Worth $3133.7 ! |
Circle Ninja |
Google |
Reflective XSS |
$3,133.7 |
07/21/2018 |
| RCE due to ShowExceptions |
Harsh Jaiswal (@rootxharsh) |
– |
RCE |
$5,000 |
07/20/2018 |
| Into the Borg – SSRF inside Google production network |
Enguerran Gillier |
Google |
SSRF |
$13,337 |
07/20/2018 |
| The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet |
François Proulx |
EOSIO |
DNS rebinding |
– |
07/19/2018 |
| RCE on Yahoo Luminate |
Rojan Rijal |
Yahoo |
RCE |
– |
07/19/2018 |
| How I was able to delete 13k+ Microsoft Translator projects |
Haider Mahmood |
Microsoft |
CSRF, IDOR |
$0 |
07/19/2018 |
| Hey Developer, Give me your API keys.!! |
Devansh batham |
Crowdin |
Information disclosure |
Swag, HoF |
07/18/2018 |
| Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Authorization flaw, Logic flaw |
– |
07/18/2018 |
| Hacking thousands of companies through their helpdesk |
Khaled Hassan |
– |
Account takeover, DoS, Logic flaw |
– |
07/17/2018 |
| CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation |
Charles Fol (Ambionics Security) |
PrestaShop |
Privilege escalation, Improper session management |
– |
07/16/2018 |
| WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?] |
@omespino |
Facebook |
Blind Stored XSS |
– |
07/16/2018 |
| Attacking PostgreSQL Database |
Vishnuraj KV |
– |
Bruteforce, Weak credentials |
– |
07/16/2018 |
| Bug Bounty at Bangladeshi Site. |
Shaifullah Shaon |
– |
SQL injection |
BDT 10,000 (~ $120) |
07/15/2018 |
| Should this be public though? |
Rojan Rijal |
Shopify, Uber |
Information disclosure |
$500 |
07/13/2018 |
| XSS in Microsoft subdomain |
Sudhanshu Raj |
Microsoft |
XSS |
– |
07/13/2018 |
| The tradeRifle Vulnerability Identified in LBank Mobile Service (CVE-2018-13363) |
PeckShield |
LBank |
MiTM |
– |
07/12/2018 |
| Gsuite Hangouts Chat 5k IDOR |
Cam (@SecretlyHidden1) |
Google |
IDOR |
$5,000 |
07/10/2018 |
| Persistent XSS at AH.nl |
Jonathan Bouman (@JonathanBouman) |
AH.nl |
Stored XSS |
$200 |
07/09/2018 |
| #BugBounty - Compromising User Account- “How I was able to compromise user account via HTTP Parameter Pollution(HPP)” |
Avinash Jain (@logicbomb_1) |
– |
HTTP Parameter Pollution, Password reset flaw, Account takeover |
– |
07/07/2018 |
| Server Side Request Forgery on Vanilla Forums |
Vikash Chaudhary |
Vanilla Forums |
SSRF |
– |
07/07/2018 |
| Latex to RCE, Private Bug Bounty Program |
Yasho |
– |
RCE |
– |
07/06/2018 |
| The $12,000 Intersection between Clickjacking, XSS, and Denial of Service |
Sam Curry (@samwcyo) |
Bustabit |
Clickjacking, XSS, DoS |
$12,000 |
07/04/2018 |
| Chaining Multiple Vulnerabilities to Gain Admin Access |
Ben Sadeghipour (@nahamsec) |
– |
IDOR, Account takeover |
– |
07/02/2018 |
| Bug Bounty: Tumblr reCAPTCHA vulnerability write up |
Leigh-Anne Galloway (@L_AGalloway) |
Tumblr |
reCAPTCHA bypass, email enumeration, username enumeration |
– |
06/29/2018 |
| Authentication bypass in Cisco Meraki |
takemyhand |
Cisco Meraki |
Authentication bypass |
– |
06/29/2018 |
| This popular Facebook app publicly exposed your data for years |
Inti De Ceukelaire |
Facebook, Nametests.com |
Information disclosure, Authorization flaw |
$4,000 |
06/28/2018 |
| Take Advantage of Out-of-Scope Domains in Bug Bounty Programs |
Abdullah Hussam (@Abdulahhusam) |
– |
XSS |
$1,250 |
06/27/2018 |
| How re-signing up for an account lead to account takeover |
@zseano |
– |
Logic flaw, Account takeover |
– |
06/26/2018 |
| Subdomain Takeover: Starbucks points to Azure |
Patrik Hudak |
Starbucks |
Subdomain takeover |
$2,000 |
06/25/2018 |
| Account Take over via reset password |
Yasser Gersy (@yassergersy) |
– |
Password reset flaw, Account takeover |
$1,500 |
06/25/2018 |
Archived content |
| How I got access to local AWS info via Jira |
Coen Goedegebure |
– |
SSRF |
– |
06/24/2018 |
| Fastest Fix on Open Bug Bounty Platform |
Wen Bin KONG |
Kevag Telekom GmbH |
Reflected XSS, CSRF |
– |
06/24/2018 |
| How I hacked Apple.com (Unrestricted File Upload) |
Jonathan Bouman (@JonathanBouman) |
Apple |
Unrestricted file upload |
– |
06/22/2018 |
| XSS in Google Colaboratory + CSP bypass |
Michał Bentkowski |
Google |
XSS, CSP bypass |
– |
06/21/2018 |
| Using a GitHub app to escalate to an organization owner for a $10,000 bounty |
Tanner |
Github |
Authorization flaw, IDOR |
$10,000 |
06/20/2018 |
| Setting arbitrary request headers in Chromium via CRLF injection |
Michał Bentkowski |
Google |
CRLF injection |
– |
06/20/2018 |
| I discovered a browser bug |
Jake Archibald |
Mozilla, Microsoft |
Browser bug, Range requests flaw |
– |
06/20/2018 |
| [Responsible disclosure] How I could have booked movie tickets through other user accounts |
Bharathvaj Ganesan |
AGS Cinemas |
Password reset flaw, Account takeover, Bruteforce, OTP bypass |
– |
06/18/2018 |
| How i found blind XSS in Apple |
Taha Smily |
Apple |
Blind XSS |
– |
06/18/2018 |
| Reflected Client XSS at Amazon.com |
Jonathan Bouman (@JonathanBouman) |
Amazon |
Reflected XSS |
$0 |
06/15/2018 |
| Yay! 3133.70$ for RCE on *.withgoogle.com subdomain. |
lalka |
Google |
RCE |
$3,133.70 |
06/15/2018 |
| Password reset to full account takeover |
Hamza Bettache |
– |
Password reset flaw, Account takeover |
– |
06/15/2018 |
| Reflected XSS in 360totalsecurity |
Taha Smily |
360totalsecurity |
Reflected XSS |
– |
06/14/2018 |
| The 2.5 BTC Stored XSS |
Khaled Hassan |
– |
Stored XSS |
2.5 BTC |
06/13/2018 |
| How I got paid premium plan for free on many popular websites |
Khaled Hassan |
– |
Logic flaw |
– |
06/13/2018 |
| Vulnerability Netflix (cross-site-scripting) XSS |
Bada Diaz (@bada77) |
Netflix |
Reflected XSS |
– |
06/13/2018 |
| Unvalidated Open Redirect Bol.com |
Jonathan Bouman (@JonathanBouman) |
bol.com |
Open redirect |
$100 in gift cards |
06/12/2018 |
| Full account Takeover via reset password function |
Khaled Hassan |
– |
IDOR, Account takeover, Password reset flaw |
$1,250 |
06/12/2018 |
| Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution |
Jake Miller |
Google |
CSV injection, Server side spreadsheet injection, Formula injection, RCE |
– |
06/11/2018 |
| How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL |
Darrell Damstedt |
– |
XXE |
$0 |
06/11/2018 |
| [PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique. |
Ayoub Ait Elmokhtar |
Paypal |
CSRF |
– |
06/10/2018 |
| Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper |
Matthew Bryan |
Steam Inventory Helper Chrome extension |
DOM XSS, Clickjacking |
– |
06/08/2018 |
| How I was able to list some internal information from PayPal #BugBounty |
Adrien Jeanneau |
Paypal |
Expression Language Injection (JSTL), Information disclosure |
$0 |
06/07/2018 |
| How I found XSS via SSRF vulnerability -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
CERT-EU, Motorola, Stanford |
SSRF, XSS |
$750 |
06/07/2018 |
| #BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection. |
Avinash Jain (@logicbomb_1) |
– |
SQL injection |
– |
06/06/2018 |
| Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0 |
Daniel Svartman |
OAuth |
Logic flaw |
– |
06/05/2018 |
| Searching for XSS found LDAP injection |
Davide Tampellini |
– |
LDAP injection |
– |
06/05/2018 |
| Are you sure this is a trusted email? |
Khaled hassan |
– |
Open mail relay |
$900 |
06/05/2018 |
| Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected) |
Matthew Bryan |
Read&Write Chrome extension |
SOP bypass |
– |
06/05/2018 |
| How I Hacked Fotor & Got “Nothing” |
Somdev Sangwan (D3v) |
Fotor |
SSRF, RFI |
$0 |
06/01/2018 |
Archived content |
| Getting PHP Code Execution and leverage access to panels,databases,server |
Shawar Khan |
– |
Code execution |
– |
06/01/2018 |
| How i converted SSRF to XSS in Jira. |
Ashish Kunwar (@D0rkerDevil) |
– |
SSRF, XSS |
$50 |
06/01/2018 |
| How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
AT&T |
RCE, Clickjacking, XSS, Same Origin Method Execution |
$750 |
06/01/2018 |
| #Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay |
Raghavendra Reddy |
– |
Parameter tampering |
– |
05/31/2018 |
| Reflected XSS in Yahoo Subdomain ( hk.movies.yahoo.com ) |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Reflected XSS |
– |
05/30/2018 |
Archived content |
| 5k$ for path traversal on *.paypal-corp.com subdomain |
lalka |
Paypal |
Path traversal |
$5,000 |
05/30/2018 |
| Account Takeover and Blind XSS! Go Pro, get Bugs! |
Tabahi |
– |
IDOR, Stored XSS, Account takeover, Blind XSS |
$3,500 |
05/30/2018 |
| How I found 5 store XSS on a private program. Each worth “1,016.66$” |
Shahzad Sadiq |
– |
Stored XSS |
$5,083.3 |
05/30/2018 |
| How I got hall of fame in two fortune 500 companies — An RCE story… |
Alfie |
– |
RCE |
– |
05/29/2018 |
| How i was able to get admin panel on a private program |
Shahzad Sadiq |
– |
Weak credentials |
$1,500 |
05/29/2018 |
| reCAPTCHA bypass via HTTP Parameter Pollution |
Andres Riancho |
Google |
HTTP parameter pollution, reCAPTCHA bypass |
$500 |
05/28/2018 |
| Persistent XSS to Steal Passwords – Paypal |
Akhil Reni |
Paypal |
Stored XSS |
– |
05/26/2018 |
| Simple IDOR to reject a to-be users invitation via their notification |
Abss TBH |
WePay |
IDOR |
– |
05/24/2018 |
| How I was able to see any private album passwrod in Picturepush — IDOR |
Murtada Kamil |
PicturePush |
IDOR |
– |
05/23/2018 |
| #BugBounty — ”How I was able to hack any user account via password reset?” |
Bikash Gupta |
– |
IDOR, Account takeover, Password reset flaw |
– |
05/23/2018 |
| RCE by uploading a web.config |
003random |
– |
RCE |
– |
05/22/2018 |
| AWS Security Flaw which can grant admin access! |
Sharath AV |
Amazon |
Authorization flaw |
– |
05/22/2018 |
| Getting read access on Edmodo Production Server by exploiting SSRF |
Shawar Khan |
Edmodo |
SSRF |
– |
05/21/2018 |
| Self-XSS + CSRF to Stored XSS |
Renwa |
– |
Self XSS, CSRF, STored XSS |
– |
05/20/2018 |
| $36k Google App Engine RCE |
Ezequiel Pereira |
Google |
RCE |
$36,337 |
05/20/2018 |
| Fastest Fix on Open Bug Bounty Platform |
Wen Bin KONG |
Kevag Telekom GmbH |
XSS, CSRF |
– |
05/19/2018 |
| How i got 100$ from one private website |
Aayush Pokhrel |
– |
Information disclosure |
$100 |
05/19/2018 |
| How i HACKED admin account via password reset IDOR function of one private currency exchanger site |
Aayush Pokhrel |
– |
IDOR, Password reset flaw, Account takeover |
– |
05/19/2018 |
| Stored XSS in Yahoo and all subdomains! |
Hakim Bencella |
Microsoft |
Stored XSS |
$1,500 |
05/19/2018 |
| Xss in Microsoft |
hacker_eth |
Microsoft |
XSS |
– |
05/18/2018 |
| How I was able to get subscription of $120/year For Free |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
wetransfer.com |
Payment bypass |
$500 |
05/18/2018 |
| Whatsapp- DOS vulnerability on Android/iOS/Web |
Pratheesh P Narayanan |
Facebook |
DoS |
$500 |
05/15/2018 |
| HSTS Bypass Vulnerability in IE Preview |
Xiaoyin Liu |
Microsoft |
HSTS bypass |
$0 |
05/15/2018 |
| How I used a simple Google query to mine passwords from dozens of public Trello boards |
Kushagra Pathak |
Trello |
Authorization flaw, Information disclosure |
$0 |
05/09/2018 |
| Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS |
Honc (@honcbb) |
Trend Micro |
DOM XSS |
$0, HoF |
05/08/2018 |
| Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability |
Mohamed A. Baset |
Asus |
Authorization flaw, Information disclosure |
– |
05/08/2018 |
| Ubisoft | Blind XSS to customer support panel takeover |
Hx01 |
Ubisoft |
Blind XSS |
– |
05/06/2018 |
| A Five Minute SQL-I |
Ashish Jha |
– |
SQL injection |
– |
05/06/2018 |
| How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program |
Hariom Vashisth |
– |
Price manipulation, Parameter tampering |
$0 |
05/05/2018 |
| $4500 bounty – How I got lucky |
Eray Mitrani |
– |
Subdomain takeover |
$4,500 |
05/03/2018 |
| Disclose Private Video Thumbnail from Facebook WorkPlace |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$3,000 |
05/03/2018 |
| Stealing money from one account to another account |
Ajay Gautam (@evilboyajay) |
– |
Logic flaw |
– |
05/02/2018 |
| Story Of a Stored XSS Bypass |
Prial Islam Khan (@prial261) |
Zerocopter |
Open redirect |
– |
04/30/2018 |
| Multiple security vulnerabilities in domains belonging to Google |
Sysdreams |
Google |
Broken access control, Directory traversal, Stored XSS |
– |
04/30/2018 |
| How I found 2.9 RCE at Yahoo! Bug Bounty program |
Kedrisec |
Yahoo |
RCE |
– |
04/30/2018 |
| #BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! |
Avinash Jain (@logicbomb_1) |
– |
RCE |
– |
04/29/2018 |
| Reflected XSS on Stack Overflow |
ssid (@newp_th) |
Stack Overflow |
Reflected XSS |
– |
04/27/2018 |
| Stored XSS in Yahoo! |
Shahzada AL Shahriar Khan |
Yahoo |
Stored XSS |
$2000 |
04/27/2018 |
| Bypassing the Confirmation Email for Newsletter (bof.nl) |
Mohammed Israil (@mdisrail2468) |
Bits of Freedom |
Authorization flaw, IDOR |
$0, Swag |
04/26/2018 |
| How I earned 60K+ from private program |
Siva Krishna Samireddi (@le4rner) |
– |
Open redirect, subdomain takeover, XSS, HTTP parameter pollution |
60,000 INR (approx. $880) |
04/25/2018 |
| The Unknown Hero-App Logic Bugs |
Circle Ninja |
Canva |
Logic flaw |
– |
04/25/2018 |
| XSS “403 forbidden” bypass write up |
Nur A Alam Dipu |
– |
XSS |
– |
04/25/2018 |
| How we got LFI in apache Drill (Recon like a boss) |
gujjuboy10x00 (@vis_hacker) |
– |
LFI |
– |
04/23/2018 |
| DOM XSS in Google VRView library |
Federico Fazzi |
Google |
DOM XSS |
$3,133.7 |
04/23/2018 |
| Three Cases, Three Open Redirect Bypasses |
Mohammed Eldeeb (@malcolmx0x) |
– |
Open redirect |
– |
04/22/2017 |
| Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal |
YoKo Kho |
Paypal |
Stored XSS |
– |
04/21/2018 |
| Story Of a Stored XSS Bypass |
Prial Islam Khan (@prial261) |
– |
Stored XSS |
– |
04/21/2018 |
| Mangobaaz hacked | XSS to credentials exposure to pwn |
Hx01 |
MangoBaaz |
Reflected XSS |
$0 |
04/19/2018 |
| #BugBounty — ”Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company. |
Avinash Jain (@logicbomb_1) |
– |
LFI, RCE |
– |
04/19/2018 |
| Bypassing the Current Password Protection at PayPal TechSupport Portal |
YoKo Kho |
Paypal |
Authorization flaw, Account takeover |
– |
04/19/2018 |
| Google Bug: Posting on groups as any user’s behalf |
ssid (@newp_th) |
Google |
Email spoofing |
$0 |
04/18/2018 |
| Whatsapp user’s IP disclosure with Link Preview feature |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Information disclosure |
$0 (won’t fix) |
04/18/2018 |
| Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile |
YoKo Kho |
Ribose |
IDOR |
– |
04/18/2018 |
| How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program |
YoKo Kho |
– |
IDOR |
– |
04/18/2018 |
| IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks |
YoKo Kho (@YokoAcc) |
– |
IDOR |
– |
04/17/2018 |
| How I got stored XSS using file upload |
gujjuboy10x00 (@vis_hacker) |
– |
Stored XSS |
– |
04/17/2018 |
| From an error message to DB disclosure |
Yumi |
– |
Hardcoded credentials |
– |
04/17/2018 |
| Spoof an user to create a description of a group in Flickr |
Samuel (@saamux) |
Yahoo (Flickr) |
IDOR |
– |
04/16/2018 |
| Bypassing Captcha Like a Boss |
Ak1T4 (@akita_zen) |
– |
Captcha bypass |
$xxx |
04/16/2018 |
| #SecurityBreach — ”How I was able to book hotel room for 1.50₹!” |
Hariom Vashisth |
– |
CORS flaw |
– |
04/15/2018 |
| Bypass CSP by Abusing XSS Filter in Edge |
Xiaoyin Liu |
Microsoft |
CSP bypass |
$1,500 |
04/15/2018 |
| How I hacked companies related to the crypto currency and earned $60,000 |
Max (@iSecMax) |
okex.com, livecoin.net, [private program] |
Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection |
$59,400 |
04/14/2018 |
| How I bypassed Ebay process on redirect |
Mohamed Sayed (@FlEx0Geek) |
Ebay |
Open redirect |
$0 |
04/13/2018 |
| Hijacking User’s Private Information access_token from Microsoft Office360 facebook App |
Mohamed A. Baset |
Microsoft |
Logic flaw |
$0 |
04/13/2018 |
| Please email me your password |
Jasmin Laundry |
– |
Blind XSS, Blind SQL injection, SMTP header injection, Account takeover |
– |
04/11/2018 |
| How I broke into Google Issue Tracker |
Abhishek Bundela (@abhibundela) |
Google |
Logic flaw, Authorization flaw |
$0 |
04/10/2018 |
| Source Code Analysis in YSurvey — Luminate bug |
Rojan Rijal |
Yahoo |
Authentication bypass, Authorization flaw, SQL injection |
– |
04/10/2018 |
| Piercing the veil: Server Side Request Forgery to NIPRNet access |
Alyssa Herrera (@Alyssa_Herrera_) |
DoD |
SSRF |
– |
04/09/2018 |
| Stealing HttpOnly Cookie via XSS |
Yasser Gersy (@yassergersy) |
– |
XSS |
– |
04/08/2018 |
Archived content |
| Reflected XSS on www.zomato.com By Mustafa Hasan |
Mohamed Haron (@m7mdharon) |
Zomato |
Reflected XSS |
$100 |
04/07/2018 |
Archived content |
| “Exploiting a Single Parameter” |
Hisham Mir (@Hishammir1) |
– |
SSRF, XSS |
$2,500 |
04/06/2018 |
| Link injection on 2 Twitter Subdomain |
Mohamed Haron (@m7mdharon) |
Twitter |
Link injection |
$280 |
04/01/2018 |
Archived content |
|
Avinash Jain (@logicbomb_1) |
– |
IDOR |
– |
04/05/2018 |
| How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for serious XSS vulnerability 🙁 |
Satyendra Shrivastava |
Udemy |
XSS, HTML injection |
– |
04/05/2018 |
| Directory Listing To Sensitive Files Exposure |
Hx01 |
– |
Directory listing |
– |
04/04/2018 |
| My Best Small Report Bounty Report in Private Program ( Django REST framework Admin Login ByPass ) |
Mohamed Haron (@m7mdharon) |
– |
SQL injection, Auth bypass, Account takeover |
$2,000 |
04/01/2018 |
Archived content |
| XSS in Yahoo Subdomain |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Flash XSS |
$600 |
03/31/2018 |
Archived content |
| XSS In sports.tw.campaign.yahoo.net |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Reflected XSS |
– |
03/31/2018 |
Archived content |
| How I hacked one cryptocurrency service |
Valeriy Shevchenko |
PayKassa |
Blind XSS, Reflected XSS, CSRF |
$300 |
03/31/2018 |
| How I Could Have Promoted Any Facebook Page For Free. |
Anees Khan |
Facebook |
Logic flaw |
$0 |
03/30/2018 |
| View Insights for Any Facebook Marketplace Product |
Jane Manchun Wong (@wongmjane) |
Facebook |
Authorization flaw |
– |
03/29/2018 |
| Creating Test Conversion using any App |
Joshua Regio |
Facebook |
Web parameter tampering |
$3,000 |
03/27/2018 |
| Google bug bounty for security exploit that influences search results |
Tom Anthony |
Google |
Logic flaw |
$5,000 |
03/27/2018 |
| Reflected XSS Moogaloop SWF ( Version < 6.2.x ) |
Mohamed Haron (@m7mdharon) |
Vimeo |
Flash XSS, Reflected XSS |
– |
03/26/2018 |
Archived content |
| Misconfiguration of Demographics Privacy in a Page |
Mark Christian Deduyo |
Facebook |
Logic flaw |
$750 |
03/26/2018 |
| #BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) |
Avinash Jain (@logicbomb_1) |
BookMyShow |
Host header attack, IDOR |
– |
03/25/2018 |
| Hacking Oracle in 5 Minutes |
Rahul R |
Oracle |
Directory listing |
– |
03/25/2018 |
| Google adwords 3133.7$ Stored XSS |
Emad Shanab |
Google |
Stored XSS |
$3,133.7 |
03/21/2018 |
| Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489 |
Abdullah Hussam (@Abdulahhusam) |
WordPress |
CSRF |
$1337 |
03/15/2018 |
| #BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality |
Avinash Jain (@logicbomb_1) |
– |
Logic flaw, Password reset flaw, Account takeover |
– |
03/14/2018 |
| Dox Facebook Employees Behind “Did You Know” Questions |
Jane Manchun Wong (@wongmjane) |
Facebook |
Information disclosure |
– |
03/13/2018 |
| Union Based Sql injection Write up ->A private Company Site |
Nur A Alam Dipu |
– |
SQL injection |
– |
03/12/2018 |
| How I hacked 74k users of a website. |
Utkarsh Agrawal |
– |
Authentication flaw |
– |
03/11/2018 |
| How I hacked 74k users of a website. |
Utkarsh Agrawal |
– |
Authorization flaw |
– |
03/11/2018 |
| Getting any Facebook user’s friend list and partial payment card details |
Josip Franjkovic |
Facebook |
Information disclosure, IDOR |
– |
03/09/2018 |
| Stored XSS, and SSRF in Google using the Dataset Publishing Language |
Craig Arendt (@signalchaos) |
Google |
Stored XSS, SSRF |
$18,337 |
03/07/2018 |
| Clickjackings in Google worth 12644.7$ |
Raushan Raj (@raushan_rajj) |
Google |
Clickjacking |
$12,644.7 |
03/06/2018 |
| Facebook Bug Bounty Reports |
Raushan Raj (@raushan_rajj) |
Facebook |
Authorization flaw, Logic flaw, Information disclosure |
$6,000 |
03/06/2018 |
| #BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! |
Avinash Jain (@logicbomb_1) |
– |
OTP bypass |
– |
03/05/2018 |
| How I found A Surprising XSS Vulnerability on Oracle NetSuite ? |
Circle Ninja |
Oracle |
XSS |
– |
03/02/2018 |
| The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! |
Mohamed A. Baset |
Facebook |
Information disclosure |
$2,500 |
02/25/2018 |
| Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! |
Mohamed A. Baset |
Facebook |
Clickjacking |
– |
02/25/2018 |
| How i Hacked into a bugcrowd. public program |
Vishnuraj KV |
– |
RCE |
– |
02/25/2018 |
| #BugBounty — API keys leakage, Source code disclosure in India’s largest e-commerce health care company. |
Avinash Jain (@logicbomb_1) |
– |
Path traversal |
– |
02/25/2018 |
| How I was able to delete any image in Facebook community question forum |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$1500 |
02/24/2018 |
| Bypassing Google’s authentication to access their Internal Admin panels |
Vishnu Prasad P G |
Google |
Authentication bypass |
$13,337 |
02/24/2018 |
| The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations! |
Seif Elsallamy |
Facebook |
Race condition |
– |
02/23/2018 |
| Modifying any Ad Space and Placement |
Joshua Regio |
Facebook |
IDOR |
– |
02/22/2018 |
| POODLE SSLv3 bug on multiple twitter smtp servers |
@omespino |
Twitter |
Cryptographic issues |
$280 |
02/21/2018 |
| Google bugs stories and the shiny pixelbook. |
Missoum Said (@missoum1307) |
Google |
DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF |
$6,250 |
02/20/2018 |
| How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties |
Anand Prakash (@sehacure) |
Tinder, Facebook |
Account takeover, Authorization flaw |
$6,250 |
02/20/2018 |
| Title | Author | Program | Bug type | Bounty | Date |
|---|---|---|---|---|---|
| Exploiting CORS Misconfiguration using XSS | Noman Shaikh | – | CORS misconfiguration | – | 02/18/2018 |
| #BugBounty — Exploiting CRLF Injection can land into a nice bounty | Avinash Jain (@logicbomb_1) | – | CRLF injection | $250 | 02/17/2018 |
| How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it. | Waleed Ahmed | Facebook | Android, DoS | $500 | 02/15/2018 |
| #BugBounty — “How I was able to shop for free!”- Payment Price Manipulation | Avinash Jain (@logicbomb_1) | – | Web parameter tampering / Price manipulation | – | 02/11/2018 |
| Oracle Cross Site Scripting Vulnerability -Adesh Kolte | Adesh Kolte (@AdeshKolte) | Oracle | Reflected XSS | – | 02/10/2018 |
| Stored XSS on Snapchat | Mrityunjoy | Snapchat | Stored XSS | – | 02/09/2018 |
| I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it | Anand Prakash (@sehacure) | Facebook | Bruteforce, Account takeover | $15,000 | 02/09/2018 |
| Taking over Facebook accounts using Free Basics partner portal | Josip Franjkovic | Facebook | Information disclosure, IDOR | – | 02/07/2018 |
| Bug bounty left over (and rant) Part III (Google and Twitter) | Antonio Sanso (@asanso) | Google, Twitter | OAuth flaw, Authentication flaw, Information disclosure | $5,540 | 02/06/2018 |
| How I gained access to Sony’s database | Rahul R | Sony | – | $0 | 02/06/2018 |
| SQL injection with load file and into outfile | NoGe | – | SQL injection | $750 | 02/05/2018 |
| How I found IDOR on Twitter’s Acquisition – Mopub.com | janijay007 | Twitter | IDOR | – | 02/05/2018 |
| Facebook mailto injection leads to social engineering & spam attack | Rahul Kankrale (@RahulKankrale) | Facebook | Mailto injection | $0 (won’t fix) | 02/03/2018 |
| #BugBounty — “I don’t need your current password to login into your account” – How could I completely takeover any user’s account in an online classified ads company. | Avinash Jain (@logicbomb_1) | – | Authentication bypass | – | 02/03/2018 |
| Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) | Mohammed Abdul Raheem | – | IDOR | $3,000 | 02/03/2018 |
| Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) | Mohammed Abdul Raheem | – | IDOR | $3,000 | 02/02/2018 |
| Internal IPs disclosure | @omespino | Nokia | Internal IP disclosure | – | 02/02/2018 |
| How I was able to Bypass XSS Protection on HackerOne’s Private Program | janijay007 | – | XSS | – | 02/02/2018 |
| Getting access to prompt debug dialog and serialized tool on main website facebook.com | @omespino | Facebook | Debug info disclosure | – | 01/31/2018 |
| How I was able to Download Any file from Web server! | hammadhassan924 | – | XSS, IDOR | $450 | 01/27/2018 |
| How I got 22000$ worth ethereum | Shubham Gupta | – | Blind XSS | ~22,000 Ethereum | 01/26/2018 |
| JSON CSRF attack on a Social Networking Site [Hackerone Platform] | Sahil Tikoo (@viperbluff) | Badoo | CSRF | $280 | 01/26/2018 |
| Here’s how I could’ve ridden for free with Uber | Anand Prakash (@sehacure) | Uber | Logic flaw | $5,000 | 01/26/2018 |
| Full Account Takeover through CORS with connection Sockets | Samuel (@saamux) | – | CORS misconfiguration, Account takeover | – | 01/25/2018 |
| [Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility on https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/ | Peerzada Fawaz Ahmad Qureshi (@zk34911) | Yahoo | Authorization flaw | $300 | 01/25/2018 |
| No RCE? Then SSH to the box! | Jasmin Laundry | – | LFI, Directory traversal, RCE | – | 01/25/2018 |
| Reflected XSS + Possible Server Side Template Injection in HubSpot CMS ( All Websites Uses HubSpot was affected ) | Mohamed Haron (@m7mdharon) | Hubspot | Reflected XSS | – | 01/24/2018 |
| #BugBounty @ LinkedIn-How I was able to bypass Open Redirection Protection | Avinash Jain (@logicbomb_1) | LinkedIn | Open redirect | – | 01/24/2018 |
| Asus Cross Site Scripting And Directory Listing Vulnerability | Adesh Kolte (@AdeshKolte) | Asus | Directory listing, XSS | – | 01/23/2018 |
| File Disclosure via .DS_Store file (macOS) | @omespino | Facebook | Directory listing | – | 01/23/2018 |
| Internshala Bug in Internshala Student Partner | Circle Ninja | Internshala | Bruteforce | $0 | 01/20/2018 |
| Reflected File Download ( RFD ) in www.Google.com | Mohamed Haron (@m7mdharon) | Google | Reflected File Download | $0 | 01/18/2018 |
| $1800 in less than an hour. | @yappare | Indeed | CSRF, XSS | $1,800 | 01/17/2018 |
| Reflected XSS via AngularJS Template Injection | Taha Ibrahim Draidia | Hostinger | Reflected XSS | – | 01/17/2018 |
| #BugBounty — AWS S3 added to my “Bucket” list! | Avinash Jain (@logicbomb_1) | – | AWS flaws | – | 01/16/2018 |
| View the bug subscriptions for any Oculus User | Philippe Harewood | Facebook | IDOR | – | 01/15/2018 |
| Hacking Facebook accounts using CSRF in Oculus-Facebook integration | Josip Franjkovic | Facebook | CSRF | – | 01/15/2018 |
| #BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company | Avinash Jain (@logicbomb_1) | – | CSRF, Web parameter tampering | – | 01/14/2018 |
| Google Tez XSS | @Pethuraj | Google | XSS | $3,133.7 | 01/13/2018 |
| #BugBounty — How I was able to read chat of users in an Online travel portal | Avinash Jain (@logicbomb_1) | – | IDOR | – | 01/10/2018 |
| RCE Vulnerability in Yahoo Subdomain! ( Yahoo! RCE via Spring Engine SSTI ) By tghawkins | Mohamed Haron (@m7mdharon) | Yahoo! | RCE | $8,000 | 01/05/2018 |
| Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) | Mohammed Abdul Raheem | – | IDOR | $3,000 | 02/04/2018 |
| “F**k you Thomas” – ToyTalk bug bounty writeup | Jahmel Harris | ToyTalk | Authentication bypass, HTML injection | – | 01/04/2018 |
| Abusing internal API to achieve IDOR in New Relic | Jon Bottarini (@jon_bottarini) | New Relic | IDOR | $1,000 | 01/02/2018 |