Tale of a Misconfiguration in Password Reset |
Shuaib Oladigbolu (@_sawzeeyy) |
– |
Password reset flaw |
– |
12/30/2018 |
Bypassing Access Control in a Program on Hackerone !! |
Sahil Tikoo (@viperbluff) |
Hackerone |
Authorization flaw |
– |
12/30/2018 |
How I was able to delete Google Gallery Data [IDOR] |
Yogesh Tantak |
Google |
IDOR |
– |
12/30/2018 |
Abusing ACL Permissions to Overwrite other User’s Uploaded Files/Videos on s3 Bucket |
Armaan Pathan (@armaancrockroax) |
– |
Unrestricted file upload, Authorization flaw |
– |
12/30/2018 |
How I Takeover WordPress Admin fiiipay.my |
Syahrul Akbar Rohmani (@sahruldotid) |
FiiiPay |
Account takeover, Default CMS files |
S$ 300 (~ $408) |
12/28/2018 |
How I Was Able To Takeover All User Account And Admin Panel |
Dipak kumar Das (@d1pakdas) |
– |
IDOR, Account takeover |
$1,500 |
12/28/2018 |
Reflected XSS on ws-na.amazon-adsystem.com(Amazon) |
ssid (@newp_th) |
Amazon |
Reflected XSS |
– |
12/27/2018 |
From Hunting for a Laptop to Hunting down Remote Code Execution |
Anil Tom |
Asus |
RCE, WebDAV flaw |
$0, HoF |
12/27/2018 |
RCE in nokia.com |
Sampanna Chimoriya |
Nokia |
RCE |
$0, HoF |
12/27/2018 |
Unauthenticated user can upload an attachment at HackerOne |
Ahamed Morad (@Modam3r5 |
Hackerone |
Authorization flaw |
$0 (Duplicate) |
12/24/2018 |
Tokopedia Account Takeover Bug Worth 8 Million IDR |
Ironfirst (@ironfisto) |
Tokopedia |
Password reset flaw, Account takeover |
– |
12/24/2018 |
Server-side Request Forgery in OpenID support |
Putra Adhari |
Liberapay |
SSRF |
– |
12/24/2018 |
Client side validation strikes again: PIN code bypass ! |
Davy (@RandoriSec) |
Netflix, Linxo |
Client-side validation bypass, Authentication bypass, Authorization flaw |
– |
12/22/2018 |
How I accidentally found a clickjacking “feature” in Facebook
|
Lasq (@lasq88) |
Facebook |
Clickjacking |
$0 |
12/21/2018 |
XSS worm – A creative use of web application vulnerability |
Nicolas Heiniger (@NicolasHeiniger) |
Swisscom |
XSS |
– |
12/21/2018 |
Facebook BugBounty — Disclosing page members |
Nirmal Thapa (@tnirmalz) |
Facebook |
Information disclosure |
– |
12/20/2018 |
Story of my two (but actually three) RCEs in SharePoint in 2018 |
Soroush Dalili (@irsdl) |
Microsoft |
RCE |
$0 |
12/19/2018 |
Exploiting Two Endpoints to get Account Takeover |
Hritik Sharma |
– |
Authorization flaw, Privilege escalation |
– |
12/19/2018 |
Asus’S Admin Panel Auth Bypass |
Mustafa Khan (@samwcyo) |
Asus |
Authentication bypass |
– |
12/18/2018 |
WordPress Privilege Escalation through Post Types |
Simon Scannell |
WordPress |
Privilege escalation, Stored XSS, Object Injection |
– |
12/17/2018 |
Subdomain Takeover — New Level |
Valeriy Shevchenko |
– |
Subdomain Takeover |
– |
12/17/2018 |
Reading ASP secrets for $17,000 |
Sam Curry (@samwcyo) |
– |
Local file disclosure (LFD) |
$17,000 |
12/16/2018 |
Accessing VoIP Internal service via Port 8009: Routing traffic through local Apache proxy |
Ahmed A. Sherif |
– |
Information disclosure |
– |
12/16/2018 |
Self XSS to Interesting Stored XSS |
rohan aggarwal (@nahoragg) |
– |
Stored XSS |
– |
12/15/2018 |
How i hacked help desk of a Company |
Ali Razzaq (@AliRazzaq_) |
– |
Ticket Trick |
– |
12/15/2018 |
Remote Code Execution on a Facebook server |
Daniel Le Gall |
phpMyAdmin |
LFI, RCE, CSRF |
– |
12/14/2018 |
XSSing Google Code-in thanks to improperly escaped JSON data |
Thomas Orlita (@ThomasOrlita) |
Google |
XSS |
– |
12/14/2018 |
$3k Bug Bounty – Twitter’s OAuth Mistakes |
Terence Eden (@edent) |
Twitter |
OAuth flaw |
$2,940 |
12/14/2018 |
Unremovable Tags In Facebook Page Reviews |
Max Pasqua |
Facebook |
Logic flaw, DoS |
$500 |
12/14/2018 |
Chaining Two Vulnerabilities to Break Facebook Appointment Times For the Second Time |
Max Pasqua |
Facebook |
Logic flaw, DoS |
$500 |
12/14/2018 |
#BugBounty — “User Account Takeover-I just need your email id to login into your shopping portal account” |
Avinash Jain (@logicbomb_1) |
– |
OAuth flaw, Authentication bypass, Account takeover |
– |
12/13/2018 |
Exploiting XXE with local DTD files |
Arseniy Sharoglazov (@_mohemiv) |
– |
XXE |
|
12/13/2018 |
Pilot Into Facebook Group Support |
Jane Manchun Wong (@wongmjane) |
Facebook |
Logic flaw, Authorization flaw |
$0 |
12/13/2018 |
[Open redirect] Developers are lazy(or maybe busy) |
KatsuragiCSL (@ZuuitterE) |
– |
Open redirect |
$150 |
12/12/2018 |
Second bite on GitLab, and some interesting Ruby functions/features |
Nyangawa |
Gitlab |
RCE |
$10,000 |
12/12/2018 |
From blind XXE to root-level file read access |
Pieter Hiele (@honoki) |
– |
Blind XXE |
– |
12/12/2018 |
How i was able to pwned application by Bypassing Cloudflare WAF |
gujjuboy10x00 (@vis_hacker) |
– |
WAF bypass |
– |
12/12/2018 |
Microsoft Account Takeover Vulnerability Affecting 400 Million Users |
Aviva Zacks |
Facebook |
Subdomain takeover, OAuth flaw |
– |
12/11/2018 |
How I could have stolen your photos from Google – my first 3 bug bounty writeups |
Gergő Turcsányi (@GergoTurcsanyi) |
Google |
Parameter tampering, Authorization flaw, IDOR |
$4,133.7 |
12/11/2018 |
How I was able to generate Access Tokens for any Facebook user. |
Samm0uda (@Samm0uda) |
Facebook |
IDOR, Information disclosure |
– |
12/11/2018 |
Bruteforcing Instagram account’s passwords without limit. |
Samm0uda (@Samm0uda) |
Facebook |
Bruteforce, Lack of rate limiting |
– |
12/11/2018 |
A Misconfiguration in techprep.fb.com REST API allowed me to modify any user profile. |
Samm0uda (@Samm0uda) |
Facebook |
Authorization flaw |
– |
12/11/2018 |
How i was able to upload files to api.techprep.fb.com |
Samm0uda (@Samm0uda) |
Facebook |
Unrestricted file upload, XSS |
– |
12/11/2018 |
Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over |
Plenum (@plenumlab) |
– |
Account takeover, Privilege escalation, Bruteforce |
– |
12/10/2018 |
My first bug bounty writeup |
Sampanna Chimoriya |
Indeed |
XSS, HTML injection |
– |
12/10/2018 |
Change Anyone’s profile picture-Exploiting IDOR |
Rupika Luhach |
– |
IDOR |
– |
12/09/2018 |
Proof Of Concept Nokia Cross Site Scripting |
Adesh Kolte (@AdeshKolte) |
Nokia |
XSS |
$0, HoF |
12/09/2018 |
How I was Able To Bypass Email Verification |
Muzammil Kayani (@muzammilabbas2) |
– |
Information disclosure |
$200 |
12/08/2018 |
RCE in Hubspot with EL injection in HubL |
Fyoorer (@ƒyoorer) |
Hubspot |
RCE |
– |
12/07/2018 |
Billion Laugh Attack in https://sites.google.com |
Antonio Sanso (@asanso) |
Google |
Billion laugh attack, DoS |
$500 |
12/05/2018 |
XSS to XXE in Prince v10 and below (CVE-2018-19858) |
Corben Leo (@hacker_) |
– |
XSS, XXE |
– |
12/05/2018 |
Taking over Google calendar of a company |
Daniel V. |
– |
Subdomain takeover |
– |
12/04/2018 |
How to accidentally find a XSS in ProtonMail iOS app |
SecuNinja (@secuninja) |
ProtonMail |
XSS |
– |
12/04/2018 |
GitHub Desktop RCE (OSX) |
André Baptista (@0xACB) |
Github |
RCE |
– |
12/04/2018 |
Digging in to SCP Command Injection |
Dylan Katz (@Plazmaz) |
JSch |
Command injection |
$0 |
12/03/2018 |
[BBP系列三] Hijack the JS File of Uber’s Website |
Chaobin Zhang |
Uber |
JS file hijacking |
$6,000 |
12/03/2018 |
Love Story Of A Account Takeover (Chaining Host Header Injection To Takeover Someones Account) |
Logical Bimboo |
– |
Host header injection |
– |
11/30/2018 |
Story about my first bug bounty |
Sudhanshu Raj |
Alibaba |
XSS |
$100 |
11/30/2018 |
Exploiting post message to steal and replace user’s cookies |
Yasser Gersy (@yassergersy) |
– |
postMessage flaw |
– |
11/30/2018 |
Broken Authentication — Bug Bounty |
Vulnerables |
– |
Improper session management |
$50 |
11/28/2018 |
IRCTC — Millions of Passenger Details left at huge risk! |
Avinash Jain (@logicbomb_1) |
IRCTC |
Information disclosure, Lack of rate limiting |
$0 |
11/28/2018 |
Pwning eBay – How I Dumped eBay Japan’s Website Source Code |
David (@slashcrypto) |
Ebay |
.git folder disclosure, Source code disclosure |
$0, HoF |
11/28/2018 |
How I Managed to Create Unauthorized Comments on Facebook Live Stream- part 1 |
Binit Ghimire |
Facebook |
Authorization flaw |
$750 |
11/27/2018 |
Instagram Multi-factor authentication Bypass |
Vishnuraj KV |
Facebook |
2FA bypass |
– |
11/27/2018 |
XSS on Facebook’s acquisition Oculus CDN |
Amol Baikar (@AmolBaikar) |
Facebook |
XSS |
$1,500 |
11/27/2018 |
XSS on Facebook-Instagram CDN Server bypassing signature protection. |
Amol Baikar (@AmolBaikar) |
Facebook |
XSS |
$1,500 |
11/27/2018 |
Facebook Source Code Disclosure in ads API |
Amol Baikar (@AmolBaikar) |
Facebook |
Sourc code disclosure |
– |
11/26/2018 |
From CTFs to Bug Bounty Booty |
Benji Tobias |
Tailor Store |
Information disclosure |
$200 |
11/26/2018 |
XML XSS in *.yandex.ru by Accident |
Oktavandi (@0ktavandi) |
Yandex |
XSS |
$160 |
11/26/2018 |
My Journey To The Google Hall Of Fame |
Abartan Dhakal (@imhaxormad) |
Google |
Open redirect, XSS |
– |
11/25/2018 |
Stored XSS Vulnerability in Jotform and H1C Private Site |
Anas Mahmood (@AnasIsHere) |
– |
Stored XSS |
$1,000 |
11/23/2018 |
Bypassing Scratch Cards On Google Pay |
Pratheesh P Narayanan |
Google |
Logic flaw |
$0, Duplicate |
11/22/2018 |
Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read! |
Zain Sabahat (@Zain_Sabahat) |
– |
SSRF, LFI |
– |
11/22/2018 |
An interesting XXE in SAP. |
Zain Sabahat (@Zain_Sabahat) |
SAP |
XXE |
– |
11/22/2018 |
How i Found Information Disclosure on Scribd.com |
Zerb0a |
Scribd.com |
CSRF |
$0 |
11/22/2018 |
How I Hacked Netflix users & Use it free forever |
Blueberryinfosec (@bbinfosec) |
Netflix |
Cookie injection, Privilege escalation |
$0 |
11/19/2018 |
XS-Searching Google’s bug tracker to find out vulnerable source code |
Luan Herrera (@lbherrera_) |
Google |
XS-Search attack, Information disclosure |
$9,400 |
11/19/2018 |
Authentication bypass in NodeJS application — a bug bounty story |
bl4de (@_bl4de) |
– |
Authentication bypass |
– |
11/19/2018 |
XSS bypass using META tag in realestate.postnl.nl |
Prial Islam Khan (@prial261) |
post.nl |
XSS |
$0, HoF, Swag |
11/18/2018 |
From Security Misconfiguration to Gaining Access of SMTP server |
Daniel V. |
– |
Phpinfo file disclosure |
– |
11/18/2018 |
Edmodo XSS Bug |
Sameer Phad (@sameerphad72) |
Edmodo |
XSS |
– |
11/18/2018 |
Bypassing “How I hacked Google’s bug tracking system itself for $15,600 in bounties.” |
Gopal Singh (@gopalsinghcse) |
Google |
Logic flaw |
$3,133.70 |
11/17/2018 |
Microsoft BingPlaces Business – (url) Redirect Vulnerability |
Benjamin K.M. |
Microsoft |
Open redirect |
– |
11/16/2018 |
XSS in hidden input fields |
Portswigger |
– |
XSS |
– |
11/16/2018 |
[POC] Cross-Site Scripting on Garuda Indonesia Website |
Arif-ITSEC111 |
Garuda Indonesia |
XSS |
– |
11/16/2018 |
HackenProof Customer Story: Uklon |
HackenProof (@hackenproof) |
Uklon |
XSS, IDOR, Blind XSS, Account takeover |
– |
11/16/2018 |
Most common security vulnerabilities in npm static server modules |
bl4de (@_bl4de) |
Node.js third-party modules |
Path traversal, LFI, HTML injection, XSS |
– |
11/16/2018 |
[email protected] Account Takeover via Cross site request forgery |
Adesh Kolte (@AdeshKolte) |
[email protected] |
CSRF |
– |
11/16/2018 |
Spoofing file extensions on HackerOne |
Anurag Jain(@csanuragjain) |
Hackerone |
Unrestricted file upload |
– |
11/16/2018 |
Disclose Page Admins via Gaming Dashboard Bans |
Philippe Harewood |
Facebook |
Information disclosure |
– |
11/15/2018 |
Facebook Vulnerability: Hiding from the view of Business Admin in the Business Manager |
Ritish Kumar Singh |
Facebook |
Logic flaw, Authorization flaw |
$500 |
11/15/2018 |
How I Discovered XSS that Affects around 20 Uber Subdomains |
Fady Othman (@Fady_Othman) |
Uber |
XSS |
$2,500 |
11/14/2018 |
Breaking Appointments and Job Interview Schedules With Malformed Times |
Max Pasqua |
Facebook |
DoS |
$500 |
11/14/2018 |
Spoof All Domains Containing ‘d’ in Apple Products [CVE-2018-4277] |
Tencent’s Xuanwu Lab |
Apple |
Browser flaw |
– |
11/13/2018 |
OOB XXE in PrizmDoc (CVE-2018–15805) |
Nik srivastava |
PrizmDoc |
OOB XXE |
– |
11/13/2018 |
[DOM based XSS] Or why you should not rely on Cloudflare too much |
KatsuragiCSL (@ZuuitterE) |
– |
DOM XSS |
– |
11/13/2018 |
Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends |
Ron Masas |
Facebook |
CSRF, Information disclosure |
– |
11/13/2018 |
Chain exploitation of XSS |
Mikhail Klyuchnikov (@__Mn1__) |
– |
DOM XSS, Clickjacking, CSRF |
|
11/12/2018 |
Clickjacking on Google MyAccount Worth 7,500$ |
Anurag Jain(@csanuragjain) |
Google |
Clickjacking |
$7,500 |
11/11/2018 |
#bugbounty How I Takeover Microsoft Store. |
Sadiq West |
Microsoft |
Subdomain takeover |
$0, HoF |
11/08/2018 |
Object name Exposure — ING Bank Responsible Disclosure Program |
Rohit kumar (@rohitcoder) |
ING Bank |
Information disclosure |
– |
11/08/2018 |
How I earned 5040$ from Twitter by showing a way to Harvest other users IP address |
Prial Islam Khan (@prial261) |
Twitter |
Information disclosure |
$5,040 |
11/07/2018 |
Vine User’s Private information disclosure |
Prial Islam Khan (@prial261) |
Vine |
IDOR, Information disclosure |
$7,560 |
11/07/2018 |
WordPress Design Flaw Leads to WooCommerce RCE |
Simon Scannell |
WordPress |
RCE |
– |
11/06/2018 |
XSS in Dynamics 365 |
Tim Kent (@__timk) |
Microsoft |
XSS |
– |
11/06/2018 |
Hacking a Company Through help desk – Ticket Trick | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
– |
Ticket Trick |
– |
11/05/2018 |
Evernote For Windows Read Local File and Command Execute Vulnerabilities |
TongQing Zhu |
Evernote |
Stored XSS, LFI, RCE |
– |
11/05/2018 |
Duplicate but still cool |
Plenum (@plenumlab) |
– |
IDOR, Account takeover |
– |
11/05/2018 |
Unauthenticated RSFTP to Command Injection |
Nicodemo Gawronski |
– |
Path traversal, RCE |
– |
11/03/2018 |
Full Account Takeover via Referer Header (OAuth token Steal, Open Redirect Vulnerability Chaining) |
M.Asim Shahzad |
– |
Open redirect, OAuth token theft, Account takeover |
$1,200 |
11/03/2018 |
How Outdated JIRA Instances suffers from multiple security vulnerabilities? |
Yeasir Arafat |
Visma |
XSS, SSRF |
– |
11/03/2018 |
Archived content |
Imagemagick GIF coder vulnerability leads to memory disclosure (Hackerone) |
Kunal pandey (@kunalp94) |
Hackerone |
Imagemagick GIF |
$500 |
11/02/2018 |
Finding hidden gems vol. 3: quick win with .sh file |
Mateusz Olejarka |
– |
Information disclosure, Github leak |
– |
11/01/2018 |
P1 Like a Boss | Information Disclosure via Github leads to Employee Account Takeover | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
– |
Information disclosure, Github leak |
$1,500 |
11/01/2018 |
Stored XSS in Bug Bounty |
KatsuragiCSL (@ZuuitterE) |
– |
Stored XSS |
– |
11/01/2018 |
[Open Redirect] When your PoC doesn’t work because of the server load balancers |
tololovejoi (@tolo7010) |
– |
Open redirect |
$300 |
11/01/2018 |
Bypass HackerOne 2FA requirement and reporter blacklist |
Japz Divino (@japzdivino) |
Hackerone |
Logic flaw, 2FA bypass, Authentication flaw |
$10,000 |
10/31/2018 |
It’s all in the detail: Email leak & Account takeover thanks to WayBackMachine & extensive knowledge about the program |
Zseano (@zseano) |
– |
Information disclosure, Authentication bypass, Account takeover |
– |
10/30/2018 |
IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”} |
Plenum (@plenumlab) |
– |
IDOR |
$1,500 |
10/30/2018 |
Journey through Google referer leakage bugs. |
KL Sreeram (@kl_sree) |
Google |
Information disclosure, Referer leakage |
$4,633.7 |
10/28/2018 |
#BugBounty — How I was able to download the Source Code of India’s Largest Telecom Service Provider including dozens of more popular websites! |
Avinash Jain (@logicbomb_1) |
– |
.git folder disclosure, Source code disclosure |
– |
10/27/2018 |
Privilege Escalation like a Boss |
janijay007 |
– |
IDOR |
– |
10/27/2018 |
How Misconfigured API leaked user private information? |
Yeasir Arafat |
– |
IDOR, Authorization flaw |
– |
10/26/2018 |
A very useful technique to bypass the CSRF protection for fun and profit. |
Yeasir Arafat |
– |
CSRF |
– |
10/26/2018 |
CSRF account takeover Explained Automated/Manual — Bug Bounty |
Vulnerables |
OpenMenu |
CSRF, Account takeover |
$250 |
10/26/2018 |
CSRF account takeover in a company worth 1B$ |
Vulnerables |
– |
CSRF, Account takeover |
$100 |
10/26/2018 |
Subdomain takeover dew to missconfigured project settings for Custom domain . |
Prial Islam Khan (@prial261) |
Flock |
Subdomain takeover |
– |
10/25/2018 |
DoS on Facebook Android app using 65530 characters of ZERO WIDTH NO-BREAK SPACE. |
Rahul Kankrale (@RahulKankrale) |
Facebook |
DoS |
– |
10/25/2018 |
SOAP- Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software |
Nik srivastava |
– |
XXE |
– |
10/24/2018 |
Facebook hidden redirection vulnerability |
Ege Ken |
Facebook |
Open redirect |
$0 |
10/24/2018 |
XSS with HTML and how to convert the HTML into charcode() |
Arif-ITSEC111 |
Purinar Logistics |
XSS |
– |
10/22/2018 |
Google sites and exploiting same origin policy |
Raushan Raj (@raushan_rajj) |
Google |
SOP bypass |
$3,133.70 |
10/22/2018 |
Cookie-based-injection XSS making exploitable with-out exploiting other Vulns |
Utkarsh Agrawal |
– |
XSS |
– |
10/22/2018 |
Harvesting all private invites using leave program fast-tracked invitation and [email protected] email forwarding feature |
Japz Divino (@japzdivino) |
Hackerone |
Logic flaw |
$2,500 & Swag |
10/22/2018 |
A possibility of Account Takeover in Medium |
Prashant Kumar (@notsoshant) |
Medium |
Account takeover, Logic flaw |
$0 |
10/20/2018 |
XSS with PUT in Ghost Blog |
Derek (@StackCrash) |
Ghost |
XSS |
– |
10/19/2018 |
XSS using a bug in Safari and why blacklists are stupid |
Linus Särud (@_zulln) |
Apple |
DOM XSS |
– |
10/19/2018 |
Archived content |
Add comment on a private Oculus Developer bug report |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR, Authorization flaw |
– |
10/18/2018 |
Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne |
Japz Divino (@japzdivino) |
Hackerone |
Logic flaw |
$12,500 |
10/17/2018 |
XXE in IBM’s MaaS360 Platform |
Cody Wass |
IBM |
XXE |
– |
10/16/2018 |
Path traversal while uploading results in RCE |
Harsh Jaiswal (@rootxharsh) |
– |
Path traversal, RCE |
– |
10/15/2018 |
Brave Browser Script Blocker Bypass Vulnerability |
Xiaoyin Liu |
Brave Software |
Script blocker bypass |
– |
10/13/2018 |
Microsoft CSRF Vulnerability |
Adesh Kolte (@AdeshKolte) |
Microsoft |
CSRF |
$500 |
10/12/2018 |
[Bug bounty | mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users |
Max (@iSecMax) |
Mail.ru |
Authentication bypass, Blind XSS |
– |
10/12/2018 |
Magic XSS with two parameters |
Mahmood Shahabi (@m4shahab1) |
– |
XSS |
– |
10/12/2018 |
Add description to Instagram Posts on behalf of other users – 6500$ |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$6,500 |
10/12/2018 |
Microsoft Edge Remote Code Execution |
Abdulrahman Al-Qabandi (@Qab) |
Microsoft |
RCE |
– |
10/11/2018 |
Access to staging environment via User-Agent string |
Yasser Gersy (@yassergersy) |
– |
Authentication bypass |
– |
10/10/2018 |
Archived content |
Symantec Messaging Gateway authentication bypass |
Artem Kondratenko (@artkond) |
Symantec |
Authentication bypass |
– |
10/10/2018 |
Facebook Business Takeover |
Philippe Harewood |
Facebook |
Authorization flaw, Logic flaw |
$27,500 |
10/09/2018 |
Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR) |
Jon Bottarini (@jon_bottarini) |
New Relic |
IDOR |
$2,500 |
10/09/2018 |
DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More |
VPN Mentor (@vpnmentor) |
Tinder |
DOM XSS |
– |
10/09/2018 |
Make any Unit in Facebook Groups Undeletable |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Logic flaw, IDOR, Authorization flaw |
– |
10/09/2018 |
[Critical] Bypass CSRF protection on IBM |
Mohamed Sayed (@FlEx0Geek) |
IBM |
CSRF |
– |
10/09/2018 |
Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com |
Jonathan Bouman (@JonathanBouman) |
LinkedIn |
Stored XSS |
$0, HoF |
10/07/2018 |
My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY |
Ali Tütüncü(@alicanact60) |
– |
Reflected XSS, CSP bypass |
– |
10/07/2018 |
Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study |
Abdelmoughite Eljoaydi |
Paypal |
Blind XXE |
– |
10/05/2018 |
Clickjacking in Google Docs and Voice typing feature. |
Raushan Raj (@raushan_rajj) |
Google |
Clickjacking |
$2,337 |
10/05/2018 |
GoogleMeetRoulette: Joining random meetings |
Martin Vigo (@martin_vigo) |
Google |
Bruteforce, Logic flaw |
– |
10/04/2018 |
An interesting Google vulnerability that got me 3133.7 reward. |
Ebrahem Hegazy (@Zigoo0) |
Google |
CSRF |
$3,133.7 |
10/04/2018 |
Persistent XSS (Unvalidated oEmbed) at Medium.com |
Jonathan Bouman (@JonathanBouman) |
Medium |
Stored XSS |
$100 |
10/04/2018 |
Exploiting an unknown vulnerability |
Abhishek Bundela (@abhibundela) |
– |
Logic flaw, Payment tampering |
– |
10/03/2018 |
Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager |
Rohit kumar (@rohitcoder) |
Facebook |
Logic flaw, Information disclosure |
$3,000 |
10/03/2018 |
AWS takeover through SSRF in JavaScript |
Gwendal Le Coguic (@gwendallecoguic) |
– |
SSRF |
– |
10/02/2018 |
Applying a small bypass to steal Facebook Session tokens in Uber |
Samuel (@saamux) |
Uber |
XSS, CSP bypass, OAuth flaw |
– |
10/02/2018 |
How i found Stored xss on your-domain.redacted.com |
Rudra Sarkar (@rudr4_sarkar) |
– |
XSS |
$0 |
10/02/2018 |
Collecting Shells by the Sea of NAS Vulnerabilities |
Rick Ramgattie (@RRamgattie) |
Lenovo |
OS command injection, XSS, CSRF |
– |
10/01/2018 |
Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps |
Mohamed Haron (@m7mdharon) |
Shopify |
Subdomain takeover |
– |
10/01/2018 |
Archived content |
Google Stored XSS in Payments |
Barış Sağdıç (@brsgdc) |
Google |
Stored XSS |
– |
10/01/2018 |
How I was able to takeover account’s of an Earning App |
Abbas Wafa |
– |
Information disclosure |
$0 |
10/01/2018 |
Hacking the Subway Android app |
Wesley Gahr (@wesley_gahr) |
Subway |
Logic flaw, Authorization flaw |
– |
09/28/2018 |
IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent |
Divyanshu Shukla |
Confluent |
IDOR, Content spoofing, Open redirect |
– |
09/28/2018 |
Just another tale of severe bugs on a private program. |
Siva Krishna Samireddi (@le4rner) |
– |
Open redirect, SSRF, IDOR, Logic flaw |
$1,623 |
09/28/2018 |
#BugBounty — From finding Jenkins instance to Command Execution.Secure your Jenkins Instance! |
Avinash Jain (@logicbomb_1) |
– |
RCE, Exposed Jenkins instance |
– |
09/27/2018 |
Thick Client — Attacking databases the fun/easy way |
Richard Clifford |
– |
Thick client flaw, Credentials sent over unencrypted channel |
– |
09/26/2018 |
Arbitrary File Read in one of the largest CRMs |
Richard Clifford |
– |
LFI |
– |
09/26/2018 |
[XSS] survey.dropbox.com |
Kumar |
Dropbox |
XSS |
$0 |
09/25/2018 |
Weaponizing XSS Attacking Internal System |
Rahul R |
– |
Blind XSS |
– |
09/25/2018 |
Subdomain Takeover via Unsecured S3 Bucket Connected to the Website |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
– |
Subdomain takeover |
– |
09/24/2018 |
Responsible disclosure: retrieving a user’s private Facebook friends. |
Riccardo Padovani (@rpadovani93) |
Facebook |
Logic flaw, Authorization flaw, Information disclosure |
3,000 |
09/23/2018 |
How I XSS’ed Uber and Bypassed CSP |
Efkan (@mefkansec) |
Uber |
Reflected XSS |
2,000 |
09/22/2018 |
R-XSS -> CSRF bypass to account takeover/ |
Nirmal Dahal (@TheNittam) |
– |
Reflected XSS, CSRF bypass |
– |
09/21/2018 |
Bypassing Firebase authorization to create custom goo.gl subdomains |
Thomas Orlita (@ThomasOrlita) |
Google |
Logic flaw, IDOR |
– |
09/21/2018 |
Another XSS in Google Colaboratory |
Michał Bentkowski |
Google |
XSS |
– |
09/20/2018 |
Shopify Athena Bug |
Uranium238 (@uraniumhacker) |
Shopify |
Authorization flaw, Information disclosure |
– |
09/20/2018 |
Local file inclusion at IKEA.com |
Jonathan Bouman (@JonathanBouman) |
Ikea |
LFI |
$250 |
09/19/2018 |
Bypassing Authentication Using Javascript Debugger. |
Mohit Dabas (@mohitdabas08) |
– |
Authentication bypass |
– |
09/18/2018 |
How i bypassed AKAMAI KONA WAF , XSS in overstock.com ! |
Oktavandi (@0ktavandi) |
Overstock.com |
XSS |
– |
09/18/2018 |
Facebook $750 Reward for a Simple Bug |
Aman Shahid (@amansmughal) |
Facebook |
Authentication bypass, Logic flaw |
$750 |
09/18/2018 |
Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution ) |
Armaan Pathan (@armaancrockroax) |
– |
LFI, Unrestricted File Upload, RCE |
– |
09/18/2018 |
Reflected XSS at Philips.com |
Jonathan Bouman (@JonathanBouman) |
Philips |
Reflected XSS |
– |
09/17/2018 |
XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites |
Randy Westergren (@RandyWestergren) |
Google |
XSS |
$0 |
09/17/2018 |
Vertical escalation of privileges Leading to Sensitive Data Exposure |
Umair Ahmed (@u_ahmedofficial) |
– |
Bruteforce, IDOR, Authorization flaw |
– |
09/16/2018 |
User Account takeover in India’s largest digital business company |
Minali Arora (@AroraMinali) |
– |
Account takeover, OTP bypass |
– |
09/16/2018 |
IDOR User Account Takeover By Connecting My Facebook Account with victims Account |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
Facebook |
IDOR |
$1,200 |
09/16/2018 |
Persistent Cross-Site Scripting on redacted worth $2,000 |
M.Asim Shahzad |
– |
Stored XSS |
$2,000 |
09/15/2018 |
How I hijacked your account when you opened my cat picture |
Matti Bijnens (@MattiBijnens) |
– |
Logout CSRF |
– |
09/14/2018 |
Hacking your own antivirus for fun and profit (Safe browsing gone wrong) |
Martin Thirup Christensen (@Mthirup) |
Bullguard |
Reflected XSS |
$0 |
09/14/2018 |
Subdomain Takeover worth 200$ |
Ali Razzaq (@AliRazzaq_) |
Netlify |
Subdomain takeover |
$200 |
09/14/2018 |
Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html |
Daniel Maksimovic |
Silver Gold Bull |
DOM XSS, Clickjacking |
– |
09/13/2018 |
Subdomain Takeover via Campaignmonitor |
Mohamed Haron (@m7mdharon) |
Campaign Monitor |
Subdomain Takeover |
$900 |
09/11/2018 |
Archived content |
Open-Redirect Vulnerability in udacity.com |
Anil Tom |
Udacity |
Open redirect |
$0, Swag |
09/11/2018 |
Hacking a Crypto Debit Card Service |
Muhammad Abdullah |
Plutus |
SQL injection |
– |
09/11/2018 |
XXE at Bol.com |
Jonathan Bouman (@JonathanBouman) |
Bol.com |
XXE |
$500 (voucher) |
09/11/2018 |
How to do 55.000+ Subdomain Takeover in a Blink of an Eye |
BuckHacker (@thebuckhacker) |
Shopify |
Subdomain takeover |
– |
09/10/2018 |
Authentication Bypass Using SQL Injection AutoTrader Webmail – Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
AutoTrader |
SQL injection |
– |
09/10/2018 |
Stored XSS Vulnerability in H1C Private site |
Anas Mahmood (@AnasIsHere) |
– |
Stored XSS |
$900 |
09/09/2018 |
Making the Facebook app more secure – $8500 bounty |
Ash King |
Facebook |
Open redirect |
$8,500 |
09/09/2018 |
ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
ZOL Zimbabwe |
XSS, SQL injection |
– |
09/09/2018 |
How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website) |
M.Asim Shahzad |
– |
Open redirect |
– |
09/09/2018 |
Disclosure of Facebook Page Admin due to insecure tagging behavior |
Aj Dumanhug (@ajdumanhug) |
Facebook |
Information disclosure, Logic flaw |
– |
09/09/2018 |
Stored XSS Vulnerability in Tumblr |
Anas Mahmood (@AnasIsHere) |
Tumblr |
Stored XSS |
$1,000 |
09/08/2018 |
Reflected XSS in Google Code Jam |
Thomas Orlita (@ThomasOrlita) |
Google |
Reflected XSS |
– |
09/08/2018 |
SQL Injection Vulnerability bootcamp.nutanix.com | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
Nutanix |
SQL injection |
$0, Swag |
09/08/2018 |
Bypassing Hotstar Premium with DOM manipulation and some JavaScript |
OpSecX |
Hotstar |
Logic flaw, Payment bypas |
$0 |
09/07/2018 |
RCE Unsecure Jenkins Instance | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
– |
RCE |
$0 |
09/07/2018 |
Write-up – Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS MaiL app |
@omespino |
Yahoo! |
Stored XSS |
$3,500 |
09/07/2018 |
Simple Login Brute Force / Current Password Requirement Bypass |
Mandeep Jadon (@1337tr0lls) |
– |
IDOR, Account takeover, Bruteforce |
– |
09/07/2018 |
#BugBounty — How Naaptol (India’s popular home shopping company) Kept their Millions of User Data at Risk! |
Avinash Jain (@logicbomb_1) |
Naaptol |
IDOR |
– |
09/07/2018 |
How I could download the source code of an Indian e-commerce website!! |
Minali Arora (@AroraMinali) |
– |
File disclosure, Source code disclosure |
– |
09/05/2018 |
P1 Vulnerability in 60 seconds |
@Wh11teW0lf |
– |
Information disclosure, File disclosure |
$1,500 |
09/05/2018 |
Facebook Bug Bounty! {Permission Bug} |
Ali Tütüncü(@alicanact60) |
Facebook |
Authorization flaw, Logic flaw |
$750 |
09/05/2018 |
Admin Disclosure of Facebook Business all Pages by normal employees: |
Kamal |
Facebook |
Information disclosure |
$0 |
09/02/2018 |
How I could have launched a spear phishing campaign with Starbucks email servers |
Kyle (@b3nac) |
Starbucks |
Host header injection |
$150 |
09/01/2018 |
Send request to Martians. Earthlings are already your friends. |
Sagar VD |
Google |
CSRF |
– |
09/01/2018 |
I Own Your Customers !!! |
Muhammad Abdullah |
– |
Information disclosure, Hardcoded credentials, AWS flaw |
– |
09/01/2018 |
Pwned Together: Hacking dev.to |
Antony Garand |
Dev.to |
Stored XSS |
$150, HoF |
08/31/2018 |
$100 Bounty in 300 seconds isn’t bad !!! |
Rohan Chavan (@rohanchavan1918) |
Zoho |
Stored XSS |
$100, HoF |
08/31/2018 |
Reflected XSS in Django REST Framework Api at MapBox Subdomain |
Mohamed Haron (@m7mdharon) |
Mapbox |
Reflected XSS |
$500 |
08/29/2018 |
Archived content |
Finding hidden gems vol. 2: REAMDE.md, the story of a bit too helpful readme file |
Mateusz Olejarka |
– |
Information disclosure, Github leak |
$0 |
08/29/2018 |
A Infinite Loop Story. |
Ashish Kunwar (@D0rkerDevil) |
– |
DoS |
$100 |
08/29/2018 |
Reflected Swf XSS at ( https://plugins.svn.wordpress.org ) |
Mohamed Haron (@m7mdharon) |
WordPress |
Swf XSS, Reflected XSS |
$350 |
08/28/2018 |
Archived content |
How i found a 1500$ worth Deserialization vulnerability |
Ashish Kunwar (@D0rkerDevil) |
– |
Misconfigured JSF ViewState, Java deserialization |
$1,500 |
08/28/2018 |
IDOR FACEBOOK: malicious person add people to the “Top Fans” |
Jafar Abo Nada |
Facebook |
IDOR |
– |
08/28/2018 |
Traversing the Path to RCE |
hawkinsecurity |
– |
Path traversal, RCE |
$0 |
08/27/2018 |
Uber Bug Bounty: 1000$ for two “high severity” issue |
Peuch |
Uber |
Information disclosure, Github leak |
$1,000 |
08/27/2018 |
Open Redirection |
negative Wibes |
Pleio |
Open redirection |
– |
08/26/2018 |
My first valid xss(@Hackerone) |
Jatin Aesthetic |
– |
XSS |
$100 |
08/25/2018 |
Remote Code Execution on a Facebook server |
Daniel Le Gall |
Facebook |
RCE |
$5,000 |
08/24/2018 |
Privileged Escalation in Facebook Messenger Rooms |
Jafar Abo Nada |
Facebook |
Privilege escalation, IDOR |
– |
08/24/2018 |
SQL Injection Vulnerability In University Of Cambridge |
Adesh Kolte (@AdeshKolte) |
Cambridge |
SQL injection |
– |
08/24/2018 |
Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org |
Thomas Orlita (@ThomasOrlita) |
Webcomponents.org |
Stored XSS |
– |
08/23/2018 |
API key: The real goldmine |
Yumi |
– |
Information disclosure |
– |
08/19/2018 |
User credential are sent in clear text in Whatsapp web— FIXED | Facebook Bug Bounty |
Thuvarakan Nakarajah |
Facebook (WhatsApp) |
Credentials sent over HTTP |
– |
08/18/2018 |
YAHOO IDOR -elimination of any comment |
Bada Diaz (@bada77) |
Yahoo |
IDOR |
– |
08/17/2018 |
3 Minutes & XSS! |
Ashish Jha |
Edmodo |
XSS |
– |
08/17/2018 |
IDOR leads to account takeover |
@s0cket7 |
– |
IDOR |
– |
08/16/2018 |
ICloud.com DOM-Based XSS! #BugBounty |
Musab Alhussein |
Apple |
DOM XSS |
$0, HoF |
08/14/2018 |
Another “TicketTrick” story |
Uranium238 (@uraniumhacker) |
Uber |
Logic flaw, TicketTrick |
– |
08/14/2018 |
XSS at Hubspot and XSS in email areas. |
Friendly (@SkeletorKeys) |
Hubspot, [Private program] |
XSS |
$450 |
08/13/2018 |
IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo |
Aagam shah (@neutrinoguy) |
Edmodo |
IDOR |
– |
08/12/2018 |
Distorted and Undeletable Posts in Facebook Group |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Authorization flaw, Logic flaw |
– |
08/12/2018 |
How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System |
Orange Tsai (@orange_8361) |
Amazon |
RCE |
– |
08/11/2018 |
S3 Bucket Misconfiguration in Amazon |
Divyanshu Shukla |
Amazon |
AWS flaw |
$0 |
08/11/2018 |
Adminer Script Results to Pwning Server?, Private Bug Bounty Program |
Yasho |
– |
Authentication bypass |
– |
08/11/2018 |
Misconfigured JIRA setting – Apigee |
Tutorgeeks |
Google, Jira |
Information disclosure |
– |
08/10/2018 |
Archived content |
[Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to Access control issue and Information Disclosure of role privileged users. |
Peerzada Fawaz Ahmad Qureshi (@zk34911) |
Twitter |
Authorization flaw, Information disclosure |
$280 |
08/10/2018 |
Subdomain Takeover: Yet another Starbucks case |
Patrik Hudak |
Starbucks |
Subdomain takeover |
$2,000 |
08/09/2018 |
From TOMCAT to NT AUTHORITY/SYSTEM |
Rahul R |
– |
Default credentials |
– |
08/09/2018 |
My Disclosed Report about Basic auth Api details at Reverb.com |
Mohamed Haron (@m7mdharon) |
Reverb |
Information disclosure |
$100 |
08/09/2018 |
Archived content |
This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs |
Carlos Daniel Giovanella |
HackerOne, Sentry |
Logs flooding and falsification |
$0 |
08/09/2018 |
My First Critical Report |
Miguel Corral (@mcorral74) |
– |
Password reset flaw, Account takeover |
$2,500 |
08/08/2018 |
How I hacked a Crypto Exchange (Bug Bounty Writeup) |
Muhammad Abdullah |
– |
IDOR |
– |
08/07/2018 |
From data leak to account takeover |
Antony Garand |
– |
Account takeover, Information disclosure, Password reset flaw |
– |
08/07/2018 |
How I gained commit access to Homebrew in 30 minutes |
Eric Holmes (@vesirin) |
Homebrew |
Information disclosure |
– |
08/07/2018 |
Sending out phishing e-mails from @microsoft.com |
@si9int |
Microsoft |
HTML injection |
$0 |
08/07/2018 |
Unauth meetings access |
Uranium238 (@uraniumhacker) |
Google |
Authorization flaw, Logic flaw |
– |
08/06/2018 |
Self XSS leads to blind XSS and reflected XSS. |
Friendly (@SkeletorKeys) |
– |
Blind XSS, Reflected XSS |
$700 |
08/06/2018 |
Reflected XSS Primagames.com |
Friendly (@SkeletorKeys) |
Prima Games |
Reflected XSS |
– |
08/06/2018 |
My First Swag Pack : A Logical Bug on Edmodo |
Abartan Dhakal |
Edmodo |
Logic flaw |
$0, Swag |
08/05/2018 |
Stored XSS in GameSkinny |
Friendly (@SkeletorKeys) |
GameSkinny |
Stored XSS |
– |
08/03/2018 |
Blind-XSS in Chrome Experiments – Google (Write Up) |
Evan Ricafort |
Google |
Blind XSS |
$100 |
08/03/2018 |
#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company |
Avinash Jain (@logicbomb_1) |
Paytm |
IDOR |
– |
08/03/2018 |
Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375) |
Daniel Kachakil |
Google |
Privilege escalation, Android flaw |
– |
08/01/2018 |
Exploiting a Microsoft Edge Vulnerability to Steal Files |
Ziyahan Albeniz |
Microsoft |
SOP bypass |
– |
08/01/2018 |
Shipt Subdomain TakeOver via HeroKu ( test.shipt.com ) |
Mohamed Haron (@m7mdharon) |
Shipt |
Subdomain takeover |
– |
08/01/2018 |
Archived content |
Disclose Facebook Internal Server Information With A Strange Poll |
Jane Manchun Wong (@wongmjane) |
Facebook |
Logic flaw |
– |
08/01/2018 |
CRLF Injection Into PHP’s cURL Options |
TomNomNom |
– |
CRLF injection |
– |
08/01/2018 |
How I could access your internal servers, steal and modify your image repository |
PoC || GO |
– |
RCE |
– |
07/31/2018 |
Hacking Imgur for Fun and Profit |
Nathan (@NathOnSecurity) |
Imgur |
Outdated component with a known vulnerability, Information disclosure |
$5,500 |
07/29/2018 |
18th Acknowledgement From Microsoft |
Muhammad Muhaddis |
Microsoft |
IDOR |
$0, HoF |
07/29/2018 |
Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty) |
Brian Hyde |
Yahoo |
XSSI |
$750 |
07/29/2018 |
Microsoft Office 365 Stored XSS |
@Pethuraj |
Microsoft |
Stored XSS |
$0, HoF |
07/29/2018 |
Making a Blind SQL Injection a Little Less Blind |
TomNomNom |
– |
SQL injection |
– |
07/28/2018 |
Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features |
Ameer Assadi |
Binary.com |
Clickjacking |
– |
07/28/2018 |
How I found XSS on Amazon? |
Coding_Karma |
Amazon |
XSS |
$0 |
07/26/2018 |
Exfiltration via CSS Injection |
d0nut |
– |
CSS injection |
– |
07/25/2017 |
SQL Injection and A silly WAF |
Mahmoud Gamal |
– |
SQL injection |
– |
07/25/2017 |
Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716] |
Sebastian (ha.cker.info) |
Private program, SEOmatic CMS plugin |
SSTI |
– |
07/24/2018 |
Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again |
Michał Bentkowski |
Google |
Open redirect |
$7,500 |
07/24/2018 |
Finding hidden gems vol. 1: forging OAuth tokens using discovered client id and client secret |
Mateusz Olejarka |
– |
Information disclosure |
$3,133.7 |
07/23/2018 |
Unclaimed Medium Publication takeover in WeTransfer |
Prial Islam Khan (@prial261) |
WeTransfer |
Medium publication takeover |
$100 |
07/21/2018 |
Google Assistant Bug Worth $3133.7 ! |
Circle Ninja |
Google |
Reflected XSS |
$3,133.7 |
07/21/2018 |
RCE due to ShowExceptions |
Harsh Jaiswal (@rootxharsh) |
– |
RCE |
$5,000 |
07/20/2018 |
Into the Borg – SSRF inside Google production network |
Enguerran Gillier |
Google |
SSRF |
$13,337 |
07/20/2018 |
The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet |
François Proulx |
EOSIO |
DNS rebinding |
– |
07/19/2018 |
RCE on Yahoo Luminate |
Rojan Rijal |
Yahoo |
RCE |
– |
07/19/2018 |
How I was able to delete 13k+ Microsoft Translator projects |
Haider Mahmood |
Microsoft |
CSRF, IDOR |
$0 |
07/19/2018 |
Hey Developer, Give me your API keys.!! |
Devansh batham |
Crowdin |
Information disclosure |
Swag, HoF |
07/18/2018 |
Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Authorization flaw, Logic flaw |
– |
07/18/2018 |
Hacking thousands of companies through their helpdesk |
Khaled Hassan |
– |
Account takeover, DoS, Logic flaw |
– |
07/17/2018 |
CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation |
Charles Fol (Ambionics Security) |
PrestaShop |
Privilege escalation, Improper session management |
– |
07/16/2018 |
WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?] |
@omespino |
Facebook |
Blind Stored XSS |
– |
07/16/2018 |
Attacking PostgreSQL Database |
Vishnuraj KV |
– |
Bruteforce, Weak credentials |
– |
07/16/2018 |
Bug Bounty at Bangladeshi Site. |
Shaifullah Shaon |
– |
SQL injection |
BDT 10,000 (~ $120) |
07/15/2018 |
Should this be public though? |
Rojan Rijal |
Shopify, Uber |
Information disclosure |
$500 |
07/13/2018 |
XSS in Microsoft subdomain |
Sudhanshu Raj |
Microsoft |
XSS |
– |
07/13/2018 |
The tradeRifle Vulnerability Identified in LBank Mobile Service (CVE-2018-13363) |
PeckShield |
LBank |
MiTM |
– |
07/12/2018 |
Gsuite Hangouts Chat 5k IDOR |
Cam (@SecretlyHidden1) |
Google |
IDOR |
$5,000 |
07/10/2018 |
Persistent XSS at AH.nl |
Jonathan Bouman (@JonathanBouman) |
AH.nl |
Stored XSS |
$200 |
07/09/2018 |
#BugBounty - Compromising User Account- “How I was able to compromise user account via HTTP Parameter Pollution(HPP)” |
Avinash Jain (@logicbomb_1) |
– |
HTTP Parameter Pollution, Password reset flaw, Account takeover |
– |
07/07/2018 |
Server Side Request Forgery on Vanilla Forums |
Vikash Chaudhary |
Vanilla Forums |
SSRF |
– |
07/07/2018 |
Latex to RCE, Private Bug Bounty Program |
Yasho |
– |
RCE |
– |
07/06/2018 |
The $12,000 Intersection between Clickjacking, XSS, and Denial of Service |
Sam Curry (@samwcyo) |
Bustabit |
Clickjacking, XSS, DoS |
$12,000 |
07/04/2018 |
Chaining Multiple Vulnerabilities to Gain Admin Access |
Ben Sadeghipour (@nahamsec) |
– |
IDOR, Account takeover |
– |
07/02/2018 |
Bug Bounty: Tumblr reCAPTCHA vulnerability write up |
Leigh-Anne Galloway (@L_AGalloway) |
Tumblr |
reCAPTCHA bypass, email enumeration, username enumeration |
– |
06/29/2018 |
Authentication bypass in Cisco Meraki |
takemyhand |
Cisco Meraki |
Authentication bypass |
– |
06/29/2018 |
This popular Facebook app publicly exposed your data for years |
Inti De Ceukelaire |
Facebook, Nametests.com |
Information disclosure, Authorization flaw |
$4,000 |
06/28/2018 |
Take Advantage of Out-of-Scope Domains in Bug Bounty Programs |
Abdullah Hussam (@Abdulahhusam) |
– |
XSS |
$1,250 |
06/27/2018 |
How re-signing up for an account lead to account takeover |
@zseano |
– |
Logic flaw, Account takeover |
– |
06/26/2018 |
Subdomain Takeover: Starbucks points to Azure |
Patrik Hudak |
Starbucks |
Subdomain takeover |
$2,000 |
06/25/2018 |
Account Take over via reset password |
Yasser Gersy (@yassergersy) |
– |
Password reset flaw, Account takeover |
$1,500 |
06/25/2018 |
Archived content |
How I got access to local AWS info via Jira |
Coen Goedegebure |
– |
SSRF |
– |
06/24/2018 |
Fastest Fix on Open Bug Bounty Platform |
Wen Bin KONG |
Kevag Telekom GmbH |
Reflected XSS, CSRF |
– |
06/24/2018 |
How I hacked Apple.com (Unrestricted File Upload) |
Jonathan Bouman (@JonathanBouman) |
Apple |
Unrestricted file upload |
– |
06/22/2018 |
XSS in Google Colaboratory + CSP bypass |
Michał Bentkowski |
Google |
XSS, CSP bypass |
– |
06/21/2018 |
Using a GitHub app to escalate to an organization owner for a $10,000 bounty |
Tanner |
Github |
Authorization flaw, IDOR |
$10,000 |
06/20/2018 |
Setting arbitrary request headers in Chromium via CRLF injection |
Michał Bentkowski |
Google |
CRLF injection |
– |
06/20/2018 |
I discovered a browser bug |
Jake Archibald |
Mozilla, Microsoft |
Browser bug, Range requests flaw |
– |
06/20/2018 |
[Responsible disclosure] How I could have booked movie tickets through other user accounts |
Bharathvaj Ganesan |
AGS Cinemas |
Password reset flaw, Account takeover, Bruteforce, OTP bypass |
– |
06/18/2018 |
How i found blind XSS in Apple |
Taha Smily |
Apple |
Blind XSS |
– |
06/18/2018 |
Reflected Client XSS at Amazon.com |
Jonathan Bouman (@JonathanBouman) |
Amazon |
Reflected XSS |
$0 |
06/15/2018 |
Yay! 3133.70$ for RCE on *.withgoogle.com subdomain. |
lalka |
Google |
RCE |
$3,133.70 |
06/15/2018 |
Password reset to full account takeover |
Hamza Bettache |
– |
Password reset flaw, Account takeover |
– |
06/15/2018 |
Reflected XSS in 360totalsecurity |
Taha Smily |
360totalsecurity |
Reflected XSS |
– |
06/14/2018 |
The 2.5 BTC Stored XSS |
Khaled Hassan |
– |
Stored XSS |
2.5 BTC |
06/13/2018 |
How I got paid premium plan for free on many popular websites |
Khaled Hassan |
– |
Logic flaw |
– |
06/13/2018 |
Vulnerability Netflix (cross-site-scripting) XSS |
Bada Diaz (@bada77) |
Netflix |
Reflected XSS |
– |
06/13/2018 |
Unvalidated Open Redirect Bol.com |
Jonathan Bouman (@JonathanBouman) |
bol.com |
Open redirect |
$100 in gift cards |
06/12/2018 |
Full account Takeover via reset password function |
Khaled Hassan |
– |
IDOR, Account takeover, Password reset flaw |
$1,250 |
06/12/2018 |
Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution |
Jake Miller |
Google |
CSV injection, Server side spreadsheet injection, Formula injection, RCE |
– |
06/11/2018 |
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL |
Darrell Damstedt |
– |
XXE |
$0 |
06/11/2018 |
[PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique. |
Ayoub Ait Elmokhtar |
Paypal |
CSRF |
– |
06/10/2018 |
Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper |
Matthew Bryan |
Steam Inventory Helper Chrome extension |
DOM XSS, Clickjacking |
– |
06/08/2018 |
How I was able to list some internal information from PayPal #BugBounty |
Adrien Jeanneau |
Paypal |
Expression Language Injection (JSTL), Information disclosure |
$0 |
06/07/2018 |
How I found XSS via SSRF vulnerability -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
CERT-EU, Motorola, Stanford |
SSRF, XSS |
$750 |
06/07/2018 |
#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection. |
Avinash Jain (@logicbomb_1) |
– |
SQL injection |
– |
06/06/2018 |
Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0 |
Daniel Svartman |
OAuth |
Logic flaw |
– |
06/05/2018 |
Searching for XSS found LDAP injection |
Davide Tampellini |
– |
LDAP injection |
– |
06/05/2018 |
Are you sure this is a trusted email? |
Khaled hassan |
– |
Open mail relay |
$900 |
06/05/2018 |
Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected) |
Matthew Bryan |
Read&Write Chrome extension |
SOP bypass |
– |
06/05/2018 |
How I Hacked Fotor & Got “Nothing” |
Somdev Sangwan (D3v) |
Fotor |
SSRF, RFI |
$0 |
06/01/2018 |
Archived content |
Getting PHP Code Execution and leverage access to panels,databases,server |
Shawar Khan |
– |
Code execution |
– |
06/01/2018 |
How i converted SSRF to XSS in Jira. |
Ashish Kunwar (@D0rkerDevil) |
– |
SSRF, XSS |
$50 |
06/01/2018 |
How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
AT&T |
RCE, Clickjacking, XSS, Same Origin Method Execution |
$750 |
06/01/2018 |
#Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay |
Raghavendra Reddy |
– |
Parameter tampering |
– |
05/31/2018 |
Reflected XSS in Yahoo Subdomain ( hk.movies.yahoo.com ) |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Reflected XSS |
– |
05/30/2018 |
Archived content |
5k$ for path traversal on *.paypal-corp.com subdomain |
lalka |
Paypal |
Path traversal |
$5,000 |
05/30/2018 |
Account Takeover and Blind XSS! Go Pro, get Bugs! |
Tabahi |
– |
IDOR, Stored XSS, Account takeover, Blind XSS |
$3,500 |
05/30/2018 |
How I found 5 store XSS on a private program. Each worth “1,016.66$” |
Shahzad Sadiq |
– |
Stored XSS |
$5,083.3 |
05/30/2018 |
How I got hall of fame in two fortune 500 companies — An RCE story… |
Alfie |
– |
RCE |
– |
05/29/2018 |
How i was able to get admin panel on a private program |
Shahzad Sadiq |
– |
Weak credentials |
$1,500 |
05/29/2018 |
reCAPTCHA bypass via HTTP Parameter Pollution |
Andres Riancho |
Google |
HTTP parameter pollution, reCAPTCHA bypass |
$500 |
05/28/2018 |
Persistent XSS to Steal Passwords – Paypal |
Akhil Reni |
Paypal |
Stored XSS |
– |
05/26/2018 |
Simple IDOR to reject a to-be users invitation via their notification |
Abss TBH |
WePay |
IDOR |
– |
05/24/2018 |
How I was able to see any private album passwrod in Picturepush — IDOR |
Murtada Kamil |
PicturePush |
IDOR |
– |
05/23/2018 |
#BugBounty — ”How I was able to hack any user account via password reset?” |
Bikash Gupta |
– |
IDOR, Account takeover, Password reset flaw |
– |
05/23/2018 |
RCE by uploading a web.config |
003random |
– |
RCE |
– |
05/22/2018 |
AWS Security Flaw which can grant admin access! |
Sharath AV |
Amazon |
Authorization flaw |
– |
05/22/2018 |
Getting read access on Edmodo Production Server by exploiting SSRF |
Shawar Khan |
Edmodo |
SSRF |
– |
05/21/2018 |
Self-XSS + CSRF to Stored XSS |
Renwa |
– |
Self XSS, CSRF, Stored XSS |
– |
05/20/2018 |
$36k Google App Engine RCE |
Ezequiel Pereira |
Google |
RCE |
$36,337 |
05/20/2018 |
Fastest Fix on Open Bug Bounty Platform |
Wen Bin KONG |
Kevag Telekom GmbH |
XSS, CSRF |
– |
05/19/2018 |
How i got 100$ from one private website |
Aayush Pokhrel |
– |
Information disclosure |
$100 |
05/19/2018 |
How i HACKED admin account via password reset IDOR function of one private currency exchanger site |
Aayush Pokhrel |
– |
IDOR, Password reset flaw, Account takeover |
– |
05/19/2018 |
Stored XSS in Yahoo and all subdomains! |
Hakim Bencella |
Microsoft |
Stored XSS |
$1,500 |
05/19/2018 |
Xss in Microsoft |
hacker_eth |
Microsoft |
XSS |
– |
05/18/2018 |
How I was able to get subscription of $120/year For Free |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
wetransfer.com |
Payment bypass |
$500 |
05/18/2018 |
Whatsapp- DOS vulnerability on Android/iOS/Web |
Pratheesh P Narayanan |
Facebook |
DoS |
$500 |
05/15/2018 |
HSTS Bypass Vulnerability in IE Preview |
Xiaoyin Liu |
Microsoft |
HSTS bypass |
$0 |
05/15/2018 |
How I used a simple Google query to mine passwords from dozens of public Trello boards |
Kushagra Pathak |
Trello |
Authorization flaw, Information disclosure |
$0 |
05/09/2018 |
Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS |
Honc (@honcbb) |
Trend Micro |
DOM XSS |
$0, HoF |
05/08/2018 |
Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability |
Mohamed A. Baset |
Asus |
Authorization flaw, Information disclosure |
– |
05/08/2018 |
Ubisoft | Blind XSS to customer support panel takeover |
Hx01 |
Ubisoft |
Blind XSS |
– |
05/06/2018 |
A Five Minute SQL-I |
Ashish Jha |
– |
SQL injection |
– |
05/06/2018 |
How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program |
Hariom Vashisth |
– |
Price manipulation, Parameter tampering |
$0 |
05/05/2018 |
$4500 bounty – How I got lucky |
Eray Mitrani |
– |
Subdomain takeover |
$4,500 |
05/03/2018 |
Disclose Private Video Thumbnail from Facebook WorkPlace |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$3,000 |
05/03/2018 |
Stealing money from one account to another account |
Ajay Gautam (@evilboyajay) |
– |
Logic flaw |
– |
05/02/2018 |
Story Of a Stored XSS Bypass |
Prial Islam Khan (@prial261) |
Zerocopter |
Open redirect |
– |
04/30/2018 |
Multiple security vulnerabilities in domains belonging to Google |
Sysdreams |
Google |
Broken access control, Directory traversal, Stored XSS |
– |
04/30/2018 |
How I found 2.9 RCE at Yahoo! Bug Bounty program |
Kedrisec |
Yahoo |
RCE |
– |
04/30/2018 |
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! |
Avinash Jain (@logicbomb_1) |
– |
RCE |
– |
04/29/2018 |
Reflected XSS on Stack Overflow |
ssid (@newp_th) |
Stack Overflow |
Reflected XSS |
– |
04/27/2018 |
Stored XSS in Yahoo! |
Shahzada AL Shahriar Khan |
Yahoo |
Stored XSS |
$2000 |
04/27/2018 |
Bypassing the Confirmation Email for Newsletter (bof.nl) |
Mohammed Israil (@mdisrail2468) |
Bits of Freedom |
Authorization flaw, IDOR |
$0, Swag |
04/26/2018 |
How I earned 60K+ from private program |
Siva Krishna Samireddi (@le4rner) |
– |
Open redirect, subdomain takeover, XSS, HTTP parameter pollution |
60,000 INR (approx. $880) |
04/25/2018 |
The Unknown Hero-App Logic Bugs |
Circle Ninja |
Canva |
Logic flaw |
– |
04/25/2018 |
XSS “403 forbidden” bypass write up |
Nur A Alam Dipu |
– |
XSS |
– |
04/25/2018 |
How we got LFI in apache Drill (Recon like a boss) |
gujjuboy10x00 (@vis_hacker) |
– |
LFI |
– |
04/23/2018 |
DOM XSS in Google VRView library |
Federico Fazzi |
Google |
DOM XSS |
$3,133.7 |
04/23/2018 |
Three Cases, Three Open Redirect Bypasses |
Mohammed Eldeeb (@malcolmx0x) |
– |
Open redirect |
– |
04/22/2017 |
Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal |
YoKo Kho |
Paypal |
Stored XSS |
– |
04/21/2018 |
Story Of a Stored XSS Bypass |
Prial Islam Khan (@prial261) |
– |
Stored XSS |
– |
04/21/2018 |
Mangobaaz hacked | XSS to credentials exposure to pwn |
Hx01 |
MangoBaaz |
Reflected XSS |
$0 |
04/19/2018 |
#BugBounty — ”Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company. |
Avinash Jain (@logicbomb_1) |
– |
LFI, RCE |
– |
04/19/2018 |
Bypassing the Current Password Protection at PayPal TechSupport Portal |
YoKo Kho |
Paypal |
Authorization flaw, Account takeover |
– |
04/19/2018 |
Google Bug: Posting on groups as any user’s behalf |
ssid (@newp_th) |
Google |
Email spoofing |
$0 |
04/18/2018 |
Whatsapp user’s IP disclosure with Link Preview feature |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Information disclosure |
$0 (won’t fix) |
04/18/2018 |
Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile |
YoKo Kho |
Ribose |
IDOR |
– |
04/18/2018 |
How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program |
YoKo Kho |
– |
IDOR |
– |
04/18/2018 |
IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks |
YoKo Kho (@YokoAcc) |
– |
IDOR |
– |
04/17/2018 |
How I got stored XSS using file upload |
gujjuboy10x00 (@vis_hacker) |
– |
Stored XSS |
– |
04/17/2018 |
From an error message to DB disclosure |
Yumi |
– |
Hardcoded credentials |
– |
04/17/2018 |
Spoof an user to create a description of a group in Flickr |
Samuel (@saamux) |
Yahoo (Flickr) |
IDOR |
– |
04/16/2018 |
Bypassing Captcha Like a Boss |
Ak1T4 (@akita_zen) |
– |
Captcha bypass |
$xxx |
04/16/2018 |
#SecurityBreach — ”How I was able to book hotel room for 1.50₹!” |
Hariom Vashisth |
– |
CORS flaw |
– |
04/15/2018 |
Bypass CSP by Abusing XSS Filter in Edge |
Xiaoyin Liu |
Microsoft |
CSP bypass |
$1,500 |
04/15/2018 |
How I hacked companies related to the crypto currency and earned $60,000 |
Max (@iSecMax) |
okex.com, livecoin.net, [private program] |
Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection |
$59,400 |
04/14/2018 |
How I bypassed Ebay process on redirect |
Mohamed Sayed (@FlEx0Geek) |
Ebay |
Open redirect |
$0 |
04/13/2018 |
Hijacking User’s Private Information access_token from Microsoft Office360 facebook App |
Mohamed A. Baset |
Microsoft |
Logic flaw |
$0 |
04/13/2018 |
Please email me your password |
Jasmin Laundry |
– |
Blind XSS, Blind SQL injection, SMTP header injection, Account takeover |
– |
04/11/2018 |
How I broke into Google Issue Tracker |
Abhishek Bundela (@abhibundela) |
Google |
Logic flaw, Authorization flaw |
$0 |
04/10/2018 |
Source Code Analysis in YSurvey — Luminate bug |
Rojan Rijal |
Yahoo |
Authentication bypass, Authorization flaw, SQL injection |
– |
04/10/2018 |
Piercing the veil: Server Side Request Forgery to NIPRNet access |
Alyssa Herrera (@Alyssa_Herrera_) |
DoD |
SSRF |
– |
04/09/2018 |
Stealing HttpOnly Cookie via XSS |
Yasser Gersy (@yassergersy) |
– |
XSS |
– |
04/08/2018 |
Archived content |
Reflected XSS on www.zomato.com By Mustafa Hasan |
Mohamed Haron (@m7mdharon) |
Zomato |
Reflected XSS |
$100 |
04/07/2018 |
Archived content |
“Exploiting a Single Parameter” |
Hisham Mir (@Hishammir1) |
– |
SSRF, XSS |
$2,500 |
04/06/2018 |
Link injection on 2 Twitter Subdomain |
Mohamed Haron (@m7mdharon) |
Twitter |
Link injection |
$280 |
04/01/2018 |
Archived content |
|
Avinash Jain (@logicbomb_1) |
– |
IDOR |
– |
04/05/2018 |
How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for serious XSS vulnerability 🙁 |
Satyendra Shrivastava |
Udemy |
XSS, HTML injection |
– |
04/05/2018 |
Directory Listing To Sensitive Files Exposure |
Hx01 |
– |
Directory listing |
– |
04/04/2018 |
My Best Small Report Bounty Report in Private Program ( Django REST framework Admin Login ByPass ) |
Mohamed Haron (@m7mdharon) |
– |
SQL injection, Auth bypass, Account takeover |
$2,000 |
04/01/2018 |
Archived content |
XSS in Yahoo Subdomain |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Flash XSS |
$600 |
03/31/2018 |
Archived content |
XSS In sports.tw.campaign.yahoo.net |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Reflected XSS |
– |
03/31/2018 |
Archived content |
How I hacked one cryptocurrency service |
Valeriy Shevchenko |
PayKassa |
Blind XSS, Reflected XSS, CSRF |
$300 |
03/31/2018 |
How I Could Have Promoted Any Facebook Page For Free. |
Anees Khan |
Facebook |
Logic flaw |
$0 |
03/30/2018 |
View Insights for Any Facebook Marketplace Product |
Jane Manchun Wong (@wongmjane) |
Facebook |
Authorization flaw |
– |
03/29/2018 |
Creating Test Conversion using any App |
Joshua Regio |
Facebook |
Web parameter tampering |
$3,000 |
03/27/2018 |
Google bug bounty for security exploit that influences search results |
Tom Anthony |
Google |
Logic flaw |
$5,000 |
03/27/2018 |
Reflected XSS Moogaloop SWF ( Version < 6.2.x ) |
Mohamed Haron (@m7mdharon) |
Vimeo |
Flash XSS, Reflected XSS |
– |
03/26/2018 |
Archived content |
Misconfiguration of Demographics Privacy in a Page |
Mark Christian Deduyo |
Facebook |
Logic flaw |
$750 |
03/26/2018 |
#BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) |
Avinash Jain (@logicbomb_1) |
BookMyShow |
Host header attack, IDOR |
– |
03/25/2018 |
Hacking Oracle in 5 Minutes |
Rahul R |
Oracle |
Directory listing |
– |
03/25/2018 |
Google adwords 3133.7$ Stored XSS |
Emad Shanab |
Google |
Stored XSS |
$3,133.7 |
03/21/2018 |
Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489 |
Abdullah Hussam (@Abdulahhusam) |
WordPress |
CSRF |
$1337 |
03/15/2018 |
#BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality |
Avinash Jain (@logicbomb_1) |
– |
Logic flaw, Password reset flaw, Account takeover |
– |
03/14/2018 |
Dox Facebook Employees Behind “Did You Know” Questions |
Jane Manchun Wong (@wongmjane) |
Facebook |
Information disclosure |
– |
03/13/2018 |
Union Based Sql injection Write up ->A private Company Site |
Nur A Alam Dipu |
– |
SQL injection |
– |
03/12/2018 |
How I hacked 74k users of a website. |
Utkarsh Agrawal |
– |
Authentication flaw |
– |
03/11/2018 |
How I hacked 74k users of a website. |
Utkarsh Agrawal |
– |
Authorization flaw |
– |
03/11/2018 |
Getting any Facebook user’s friend list and partial payment card details |
Josip Franjkovic |
Facebook |
Information disclosure, IDOR |
– |
03/09/2018 |
Stored XSS, and SSRF in Google using the Dataset Publishing Language |
Craig Arendt (@signalchaos) |
Google |
Stored XSS, SSRF |
$18,337 |
03/07/2018 |
Clickjackings in Google worth 12644.7$ |
Raushan Raj (@raushan_rajj) |
Google |
Clickjacking |
$12,644.7 |
03/06/2018 |
Facebook Bug Bounty Reports |
Raushan Raj (@raushan_rajj) |
Facebook |
Authorization flaw, Logic flaw, Information disclosure |
$6,000 |
03/06/2018 |
#BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! |
Avinash Jain (@logicbomb_1) |
– |
OTP bypass |
– |
03/05/2018 |
How I found A Surprising XSS Vulnerability on Oracle NetSuite ? |
Circle Ninja |
Oracle |
XSS |
– |
03/02/2018 |
The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! |
Mohamed A. Baset |
Facebook |
Information disclosure |
$2,500 |
02/25/2018 |
Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! |
Mohamed A. Baset |
Facebook |
Clickjacking |
– |
02/25/2018 |
How i Hacked into a bugcrowd. public program |
Vishnuraj KV |
– |
RCE |
– |
02/25/2018 |
#BugBounty — API keys leakage, Source code disclosure in India’s largest e-commerce health care company. |
Avinash Jain (@logicbomb_1) |
– |
Path traversal |
– |
02/25/2018 |
How I was able to delete any image in Facebook community question forum |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$1500 |
02/24/2018 |
Bypassing Google’s authentication to access their Internal Admin panels |
Vishnu Prasad P G |
Google |
Authentication bypass |
$13,337 |
02/24/2018 |
The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations! |
Seif Elsallamy |
Facebook |
Race condition |
– |
02/23/2018 |
Modifying any Ad Space and Placement |
Joshua Regio |
Facebook |
IDOR |
– |
02/22/2018 |
POODLE SSLv3 bug on multiple twitter smtp servers |
@omespino |
Twitter |
Cryptographic issues |
$280 |
02/21/2018 |
Google bugs stories and the shiny pixelbook. |
Missoum Said (@missoum1307) |
Google |
DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF |
$6,250 |
02/20/2018 |
How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties |
Anand Prakash (@sehacure) |
Tinder, Facebook |
Account takeover, Authorization flaw |
$6,250 |
02/20/2018 |
Exploiting CORS Miss configuration using XSS |
Noman Shaikh |
– |
CORS misconfiguration |
– |
02/18/2018 |
#BugBounty — Exploiting CRLF Injection can lands into a nice bounty |
Avinash Jain (@logicbomb_1) |
– |
CRLF injection |
$250 |
02/17/2018 |
How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it. |
Waleed Ahmed |
Facebook |
Android, DoS |
$500 |
02/15/2018 |
#BugBounty — “How I was able to shop for free!”- Payment Price Manipulation |
Avinash Jain (@logicbomb_1) |
– |
Web parameter tampering / Price manipulation |
– |
02/11/2018 |
Oracle Cross Site Scripting Vulnerability -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
Oracle |
Reflected XSS |
– |
02/10/2018 |
Stored XSS on Snapchat |
Mrityunjoy |
Snapchat |
Stored XSS |
– |
02/09/2018 |
I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it |
Anand Prakash (@sehacure) |
Facebook |
Bruteforce, Account takeover |
$15,000 |
02/09/2018 |
Taking over Facebook accounts using Free Basics partner portal |
Josip Franjkovic |
Facebook |
Information disclosure, IDOR |
– |
02/07/2018 |
Bug bounty left over (and rant) Part III (Google and Twitter) |
Antonio Sanso (@asanso) |
Google, Twitter |
OAuth flaw, Authentication flaw, Information disclosure |
$5,540 |
02/06/2018 |
How I gained access to Sony’s database |
Rahul R |
Sony |
– |
$0 |
02/06/2018 |
SQL injection with load file and into outfile |
NoGe |
– |
SQL injection |
$750 |
02/05/2018 |
How I found IDOR on Twitter’s Acquisition – Mopub.com |
janijay007 |
Twitter |
IDOR |
– |
02/05/2018 |
Facebook mailto injection leads to social engineering & spam attack |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Mailto injection |
$0 (won’t fix) |
02/03/2018 |
#BugBounty — ”I don’t need your current password to login into your account” – How could I completely takeover any user’s account in an online classified ads company. |
Avinash Jain (@logicbomb_1) |
– |
Authentication bypass |
– |
02/03/2018 |
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) |
Mohammed Abdul Raheem |
– |
IDOR |
$3000 |
02/03/2018 |
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) |
Mohammed Abdul Raheem |
– |
IDOR |
$3000 |
02/02/2018 |
Internal IPs disclosure |
@omespino |
Nokia |
Internal IP disclosure |
– |
02/02/2018 |
How I was able to Bypass XSS Protection on HackerOne’s Private Program |
janijay007 |
– |
XSS |
– |
02/02/2018 |
Getting access to prompt debug dialog and serialized tool on main website facebook.com |
@omespino |
Facebook |
Debug info disclosure |
– |
01/31/2018 |
How I was able to Download Any file from Web server! |
hammadhassan924 |
– |
XSS, IDOR |
$450 |
01/27/2018 |
How I got 22000$ worth ethereum |
Shubham Gupta |
– |
Blind XSS |
~$22,000 in Ethereum |
01/26/2018 |
JSON CSRF attack on a Social Networking Site [Hackerone Platform] |
Sahil Tikoo (@viperbluff) |
Badoo |
CSRF |
$280 |
01/26/2018 |
Here’s how I could’ve ridden for free with Uber |
Anand Prakash (@sehacure) |
Uber |
Logic flaw |
$5,000 |
01/26/2018 |
Full Account Takeover through CORS with connection Sockets |
Samuel (@saamux) |
– |
CORS misconfiguration, Account takeover |
– |
01/25/2018 |
[Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility on https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/ |
Peerzada Fawaz Ahmad Qureshi (@zk34911) |
Yahoo |
Authorization flaw |
$300 |
01/25/2018 |
No RCE? Then SSH to the box! |
Jasmin Laundry |
– |
LFI, Directory traversal, RCE |
– |
01/25/2018 |
Reflected XSS + Possible Server Side Template Injection in HubSpot CMS (All Websites Using HubSpot Were Affected) |
Mohamed Haron (@m7mdharon) |
Hubspot |
Reflected XSS |
– |
01/24/2018 |
#BugBounty @ LinkedIn - How I was able to bypass Open Redirection Protection |
Avinash Jain (@logicbomb_1) |
LinkedIn |
Open redirect |
– |
01/24/2018 |
Asus Cross Site Scripting and Directory Listing Vulnerability |
Adesh Kolte (@AdeshKolte) |
Asus |
Directory listing, XSS |
– |
01/23/2018 |
File Disclosure via .DS_Store file (macOS) |
@omespino |
Facebook |
Directory listing |
– |
01/23/2018 |
Internshala Bug in Internshala Student Partner |
Circle Ninja |
Internshala |
Bruteforce |
$0 |
01/20/2018 |
Reflected File Download (RFD) in www.Google.com |
Mohamed Haron (@m7mdharon) |
Google |
Reflected File Download |
$0 |
01/18/2018 |
$1800 in less than an hour. |
@yappare |
Indeed |
CSRF, XSS |
$1,800 |
01/17/2018 |
Reflected XSS via AngularJS Template Injection |
Taha Ibrahim Draidia |
Hostinger |
Reflected XSS |
– |
01/17/2018 |
#BugBounty — AWS S3 added to my “Bucket” list! |
Avinash Jain (@logicbomb_1) |
– |
AWS flaws |
– |
01/16/2018 |
View the bug subscriptions for any Oculus User |
Philippe Harewood |
Facebook |
IDOR |
– |
01/15/2018 |
Hacking Facebook accounts using CSRF in Oculus-Facebook integration |
Josip Franjkovic |
Facebook |
CSRF |
– |
01/15/2018 |
#BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company |
Avinash Jain (@logicbomb_1) |
– |
CSRF, Web parameter tampering |
– |
01/14/2018 |
Google Tez XSS |
@Pethuraj |
Google |
XSS |
$3,133.7 |
01/13/2018 |
#BugBounty — How I was able to read chat of users in an Online travel portal |
Avinash Jain (@logicbomb_1) |
– |
IDOR |
– |
01/10/2018 |
RCE Vulnerability in Yahoo Subdomain! (Yahoo! RCE via Spring Engine SSTI) By tghawkins |
Mohamed Haron (@m7mdharon) |
Yahoo! |
RCE |
$8,000 |
01/05/2018 |
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) |
Mohammed Abdul Raheem |
– |
IDOR |
$3,000 |
02/04/2018 |
“F**k you Thomas” – ToyTalk bug bounty writeup |
Jahmel Harris |
ToyTalk |
Authentication bypass, HTML injection |
– |
01/04/2018 |
Abusing internal API to achieve IDOR in New Relic |
Jon Bottarini (@jon_bottarini) |
New Relic |
IDOR |
$1,000 |
01/02/2018 |