List of bug bounty writeups

Bug bounty writeups published in 2022

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
New macOS vulnerability, “powerdir,” could lead to unauthorized user data access Microsoft 365 Defender Research Team Apple Privacy issue, MacOS bug - 01/10/2022
How did I find Log4j vulnerability via Static Code Analysis and receive €€€ bounty? Pranav Gajjar (@Pranav_Gajjar_) - Log4j, RCE - 01/10/2022
Host Header Injection Lead To Account Takeovers M7.Arman (@ArmanSecurity) - Host header injection, Password reset flaw, Account takeover - 01/09/2022
2FA bypass by reading the documentation Brandon Roldan (@tomorrowisnew_) - 2FA bypass $100 01/09/2022
A Tale Of 5250$: How I Accessed Millions Of User’s Data Including Their National ID’s Sam (@__Sam0_0) - AWS misconfiguration, Information disclosure $5,250 01/07/2022
A phishing document signed by Microsoft – part 2 Pieter Ceelen (@ptrpieter) & Dima van de Wouw (@_DaWouw) Microsoft Phishing, RCE - 01/07/2022
Exploiting Redash instances with CVE-2021-41192 Ian Carroll (@iangcarroll), Tuan Anh Nguyen (@haxor31337) & Gal Nagli (@naglinagli) - Privilege escalation, Session management flaw, SSRF $90,000+ 01/06/2022
How I was able to spoof any Instagram username on Instagram shop Nawaf Alkhaldi (@nvmeeet) Facebook IDOR $1,050+ 01/06/2022
Authorization bypass — Gmail 7𝖍3𝖍4𝖈kv157 (@7h3h4ckv157) Google Spoofing - 01/06/2022
SQL Injection - The File Upload Playground Jerry Shah (@Jerry) - Unrestricted file upload, SQL injection - 12/11/2021
Accessing GoDaddy internal instance through an email logic bug. Mostafa Mamdoh GoDaddy Logic flaw, Privilege escalation, Account takeover - 01/05/2022
Breaking Parser Logic: Gain Access To NGINX Plus API — Read/Write Upstreams. zoid (@z0idsec) - Path traversal - 01/05/2022
Facebook android webview vulnerability : Execute arbitrary javascript (xss) and load arbitrary website Rahul Kankrale (@RahulKankrale) Facebook XSS, Android bug $1,075 01/03/2022
NPM might be executing malicious code in your CI without your knowledge Rotem Bar (@rotembar) Node.js RCE - 01/03/2022
P5 to P1: Interesting Account Takeover Tushar Sharma (@tusharSharma_0) - Account takeover, Session expiration flaw, Password reset flaw $1,000 01/03/2022
IDOR leads to leak Private Details annonymous - IDOR - 01/03/2022
How i was able to bypass a Pin code Protection Kerolos sameh (@xko2xx) - Authorization flaw - 01/03/2022
Story of YouTube’s Unfixable Ads Bypass MrMax4o4 Google Logic flaw - 01/03/2022
The Story Of How I Bypass SSO Login zer0d - Authentication bypass - 01/02/2022
doorLock: Apple HomeKit Denial of Service Trevor Spiniolas Apple DoS - 01/01/2022
A tale of zero click account takeover Veshraj Ghimire (@GhimireVeshraj) - Account takeover, IDOR - 01/01/2022
Abusing Business Logic Of An Application To Create Backdoor In App Snap Sec (@snap_sec) - Logic flaw - 01/01/2022
Bypassing Private Forms Restriction And Submitting Arbitrary Responses On Them Snap Sec (@snap_sec) - Broken Access Control - 01/01/2022
One Click To Account Takeover M7.Arman (@ArmanSecurity) - Mass assignment - 01/01/2022

Bug bounty writeups published in 2021

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Fixing the Unfixable: Story of a Google Cloud SSRF David Schütz (@xdavidhu) Google SSRF $4,133.70 12/31/2021
Here’s How I Could Read Anyone’s Apple ID Metrics Remotely. Faizan Ahmad Wani Apple Information disclosure - 12/31/2021
Bug Hunting Journey of 2021 Sudhanshu Rajbhar (@sudhanshur705) - Stored XSS, Open redirect, Token theft, CSRF, Logic flaw, Information disclosure, IDOR, Account takeover $3,200+ 12/31/2021
My first Google HOF RV Sharma Google Broken Access Control $1,337 12/31/2021
WhatsApp for Android Retains Deleted Contacts Locally Nightwatch Cybersecurity (@nightwatchcyber) Facebook Privacy issue $0 (Won’t fix) 12/30/2021
How I Am Able To Crash Anyone’s Mozilla Firefox Browser By Sending An Email Sam Mozilla DoS $0 12/30/2021
Google Cloud Shell XSS NDevTK (@ndevtk) Google XSS $5,000 12/30/2021
[IDOR] add or remove the linked publications from Author Publisher settings — Facebook Bug Bounty Rahul Kankrale (@RahulKankrale) Facebook IDOR $863 01/03/2022
Story of a weird CSRF bug Sudhanshu Rajbhar (@sudhanshur705) - CSRF - 12/29/2021
Remote Code Execution in Google Cloud Dataflow Mike Brancato (@meatballninja) Google RCE $3,333.70 12/28/2021
Full account takeover vulnerability in Minecraft Abdulrahman Makki (@AMakki1337) Minecraft Account takeover $5,000 12/28/2021
Bounty Evaluation GitHub = $15,000 US Dollars | Rate Limit Taniya Agarwal GitHub Bruteforce, Email verification bypass, Account takeover $15,000 12/28/2021
Common Nginx Misconfiguration leads to Path Traversal MikeChan - Path traversal - 12/28/2021
Bi/ug Bounties and HyperV RCE Research Peter Hlavaty (@rezer0dai) Microsoft Hyper-V RCE $100,000+ 12/27/2021
XSS via file upload Jay Sharma - XSS, Unrestricted file upload - 12/27/2021
How I Bypassed Netflix Profile Lock? Krishnadev P Melevila (@Krishnadev_P_M) Netflix Logic flaw $0 (Won’t fix) 12/27/2021
Turning bad SSRF to good SSRF: Websphere Portal Shubham Shah (@infosec_au) HCL Technologies SSRF N/A (VDP) 12/26/2021
Massive Users Account Takeovers(Chaining Vulnerabilities to IDOR)😲 Anurag__Verma - Authentication bypass, IDOR, Lack of rate limiting - 12/25/2021
Information Disclosure leads to sensitive credential($$$) khan mamun (@mamunwhh) - Information disclosure $150 12/25/2021
How I found (and fixed) a vulnerability in Python Adam Goldschmidt (@AdamGolds) Python Web cache poisoning - 12/24/2021
Cache Poisoning at Scale Youstin (@iustinBB) - Web cache poisoning $40,000 12/23/2021
MS Teams: 1 feature, 4 vulnerabilities Fabian Bräunlein Microsoft SSRF, Information disclosure, DoS, Spoofing $0 (Won’t fix) 12/22/2021
How I was able to bypass WAF and find the origin IP and a few sensitive files Jan Muhammad Zaidi (@hasanakajan) - WAF bypass - 12/22/2021
Sandbox escape + privilege escalation in StorePrivilegedTaskService Sector 7 (@sector7_nl) Apple Local Privilege Escalation, MacOS bug - 12/21/2021
NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories Wiz (@wiz_io) Microsoft Security misconfiguration, Exposed .git folder $7,500 12/21/2021
How I found (P2) Broken Authentication with Zero Skill of Hacking yoshi m lutfi (@yoshiahmadlutfi) - Authentication bypass, Account takeover - 12/21/2021
SSD Advisory – Rocket.Chat Client-side Remote Code Execution - RocketChat RCE, MacOS bug N/A (VDP) 12/21/2021
Bring Your Own SSRF – The Gateway Actuator Wyatt Dahlenburg (@wdahlenb) - SSRF, DoS - 12/20/2021
Blackbox Cookie Testing — How I Cracked The Admin’s Cookie Saeed Balquizi - Authentication bypass - 12/20/2021
RCE in Visual Studio Code’s Remote WSL for Fun and Negative Profit Parsia Hackerman (@cryptogangsta) Microsoft RCE $0 (OOS) 12/20/2021
How I was able to reveal page admin of almost any page on Facebook Sudip Shah Facebook IDOR $4,500 12/20/2021
Stored XSS by bypassing signature Abdulrahman Makki (@AMakki1337) - XSS, Unrestricted file upload $3,500 12/20/2021
Flickr Account Takeover Lauritz (@lauritz) Flickr Account takeover, Authentication flaw $7,550 12/18/2021
Hacked Google-Meet…??! 7𝖍3𝖍4𝖈kv157 (@7h3h4ckv157) Google Authorization flaw - 12/18/2021
Exploitation Of CVE-2021-21220 – From Incorrect JIT Behavior To RCE Bruno Keith (@bkth_) & Niklas Baumstark(@_niklasb) Google, Microsoft Browser bug, Memory corruption, RCE $100,000 12/16/2021
Broken Access Control Meareg Microsoft IDOR - 12/16/2021
GHSL-2021-1053: Path traversal in Grafana REST API - CVE-2021-43813, CVE-2021-43815 Alvaro Muñoz (@pwntester) Grafana Labs Path traversal - 12/15/2021
Gumtree – leaking your data and not really listening Alan Monie (@AlanMonie) Gumtree IDOR - 12/15/2021
How I found the Authentication Bypass bug and Earn $$$ Thedarkwayg (@shadow_CLAY) - Session expiration issue $1,000 12/15/2021
How I found XSS vulnerability in Amazon in 5 minutes using shodan Mohamed Taha (@Mohamed12742780) Amazon XSS - 12/15/2021
How I Bypassed Incapsula WAF By Imperva Dawood Ikhlaq - SQL injection - 12/14/2021
Zero Click To Account Takeover M7.Arman (@ArmanSecurity) - Account takeover, Password reset flaw - 12/14/2021
SVG based Stored XSS xaonan44 - Stored XSS - 12/12/2021
Open Redirection - QR Code Magic Jerry Shah (@Jerry) - Open redirect $0 (Duplicate) 12/11/2021
Remote Deserialization Bug in Microsoft’s RDP Client through Smart Card Extension (CVE-2021-38666) Valentino Ricotta Microsoft Memory corruption bug $5,000 12/10/2021
Remote ASLR Leak in Microsoft’s RDP Client through Printer Cache Registry (CVE-2021-38665) Valentino Ricotta Microsoft Memory corruption bug $1,000 12/10/2021
ProtoBuffer ReUtilization “New Way to Security Test GoogleCaptcha” ChooK Rapid7 Captcha bypass N/A (VDP) 12/10/2021
Don’t Reply: A Clever Phishing Method In Apple’s Mail App Jon Bottarini (@jon_bottarini) Apple Phishing $5,000 12/09/2021
A phishing document signed by Microsoft – part 1 Pieter Ceelen (@ptrpieter) & Dima van de Wouw Microsoft Phishing, RCE - 12/09/2021
File Upload to RCE Ahmed Magdy (@8Ahmed88Magdy8) - Unrestricted file upload - 12/09/2021
Exploiting S3 bucket with path folder to Access PII info of A BANK Santosh Kumar Sha (@killmongar1996) - AWS misconfiguration, Information disclosure - 12/09/2021
From Finding AWS S3 Bucket to Sensitive Data Exposure Demon (@R29k_) - AWS misconfiguration - 12/09/2021
Account Takeover via Stored XSS Demon (@R29k_) - Account takeover, Stored XSS $1,000 12/09/2021
CVE-2021-43798 - Path Traversal Vulnerability In Grafana & How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs Jordy Versmissen / J0VSEC (@j0v0x0) Grafana Labs Path traversal - 12/08/2021
Another Admin panel Rizwan_siddiqui (@Rizwan_SiDdiqu1) - Response manipulation, Authentication bypass - 12/08/2021
Microsoft Vancouver leaking website credentials via overlooked DS_STORE file CyberNews Team Microsoft Information disclosure - 12/08/2021
Windows 10 RCE: The exploit is in the link Fabian Bräunlein & Lukas Euler Microsoft RCE $5,000 12/07/2021
How I was able to change Reddit acquired Dubsmash’s music library sound tracks’ titles Sandeep Hodkasia (@sandeephodkasia) Reddit IDOR $3,000 12/07/2021
Hacking into Admin Panel of U.S Federal government system C.A.R.S — without credentials. Hazem Brini (@ImJungsuu) U.S. General Services Administration Client-side enforcement of server-side security, Privilege escalation N/A (VDP) 12/07/2021
Microsoft Azure Portal – CSV Injection Christian Becker (@0xchrisb) Microsoft CSV injection - 12/06/2021
SSRF vulnerability in AppSheet - Google VRP David Nechuta (@david_nechuta) Google SSRF $6,267.4 12/05/2021
Accidental IDOR in eLearnSecurity to Knowing Your Address and Cert You Bought. Anugrah SR (@cyph3r_asr) INE IDOR N/A (VDP) 12/05/2021
This is how i was able to See and Delete your Private Facebook Portal photos Abhishek Pathak (@pathleax) Facebook IDOR - 12/04/2021
How I managed to hack User accounts of a billion-dollar sport platform Vishnuraj - OTP bypass, Bruteforce, Lack of rate limiting - 12/04/2021
My mindset while hunting on Yandex and my SSRF Momen Ali (Cyber Guy) (@theCyberGuy0) Yandex SSRF - 12/04/2021
How I accessed the Sensitive document which I had already deleted Pawan Chhabria (@heybenchmarkkk) - Privacy issue - 12/04/2021
Write Up – XSS Stored In files.slack.com Via XML/SVG File (iOS) – $1,000 USD Omar Espino (@omespino) Slack XSS $1,000 12/03/2021
Bypassing Box’s Time-based One-Time Password MFA Tal Peleg Box OTP bypass, MFA bypass - 12/02/2021
AWS SageMaker Jupyter Notebook Instance Takeover Gafnit Amiga Amazon Self XSS, CSRF, RCE - 12/02/2021
Exploring Container Security: A Storage Vulnerability Deep Dive Fabricio Voznika & Mark Wolters Kubernetes Race condition, Kubernetes bug - 12/02/2021
Easy SQLi in Amazon subsidiary using Sqlmap Mostafa Mamdoh Amazon SQL injection $1,500 12/01/2021
This shouldn’t have happened: A vulnerability postmortem Tavis Ormandy (@taviso) Mozilla Memory corruption bug - 12/01/2021
AUDI, partner! vict0ni (@vict0ni) Audi Subdomain takeover, Information disclosure N/A (VDP) 12/01/2021
How i was able to bypass Cloudflare WAF for SQLi payload Momen Ali (Cyber Guy) (@theCyberGuy0) - SQL injection, WAF bypass - 12/01/2021
P1 _Bug in Apple that phase “old is Gold” Saurabh Sankhwar (@mr_encryption) Apple Logic flaw $0 (Informative) 12/01/2021
Microsoft Teams – CSV Injection Christian Becker (@0xchrisb) Microsoft CSV injection - 12/01/2021
VMware vCenter earlier versions (7.0.2.00100) has unauthorized arbitrary file read + ssrf + xss vulnerability Khoa Dinh (@_l0gg) VMware LFI, SSRF, XSS, Arbitrary file read - 11/30/2021
My write-up in hacking IBM’s administration panel and getting SQLi on it Momen Ali (Cyber Guy) (@theCyberGuy0) IBM SQL injection, Broken Access Control - 11/30/2021
NodeBB 1.18.4 - Remote Code Execution With One Shot Paul Gerste NodeBB RCE, XSS, Authentication bypass, Arbitrary file read $1,536 11/30/2021
This Microsoft Windows RCE Vulnerability Gives an Attacker Complete Control Malcolm Stagg (@malcolmst) Windows Memory corruption bug - 11/30/2021
Play The Opera Please Dhiraj (@RandomDhiraj) Opera Browser bug - 11/29/2021
Price Manipulation Bypass Using Integer Overflow Method Marx Chryz - Payment tampering, Memory corruption bug - 11/29/2021
How I got my first bounty on financial sector gateway site by using Previous GraphQL vulnerabilities. Night Hawk - Information disclosure, GraphQL bug $2,500 11/26/2021
SSD Advisory – Chrome Ad Heavy Bypass (via history.back()) Alesandro Ortiz (@AlesandroOrtizR) Chrome Browser bug - 11/26/2021
WordPress Plugin Confusion: How an update can get you pwned & Wordpress Plugin Update Confusion - The full guide how to scan and mitigate the next big Supply Chain Attack Kamil Vavra (@vavkamil) & Gal Nagli (@naglinagli) - Supply chain attack, WordPress plugin confusion, WordPress theme confusion - 11/25/2021
RocketChat - Monitor User Messages Rojan Rijal (@uraniumhacker) RocketChat Authorization flaw N/A (VDP) 11/25/2021
How I Found My First XSS Bug Thedarkwayg (@shadow_CLAY) Atlassian XSS $600 11/25/2021
Finding XSS on .apple.com and building a proof of concept to leak your PII information Zseano (@zseano) Apple XSS - 11/24/2021
Account Takeover in $Million Company? 0xGodson (@0xGodson_) Fastmail Account takeover, Password reset flaw $0 (Informative) 11/24/2021
Moodle Blind SQL injection via MNet authentication rekter0 (@rekter0) Moodle SQL injection N/A (VDP) 11/23/2021
A business logic error bug worth 600$ Deep Patidar (@itsdeepceh) - Payment tampering $600 11/23/2021
GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks Romain Carnus, Maxime Nadeau, Julien Pineault & Mathieu Novis Microsoft Local Privilege Escalation - 11/22/2021
[BugBounty] XSS with Markdown — Exploit & Fix on OpenSource Lê Thành Phúc - XSS - 11/22/2021
Peeping through a Web-Socket Aditya Verma (@0cirius0) - Cross-Site Websocket Hijacking (CSWH) - 11/21/2021
Hacking Apple Security Report System HackrzVijay (@hackrzvijay) Apple Logic flaw, Social engineering $0 (OOS) 11/20/2021
Exploiting OAuth: Journey to Account Takeover Aditya Dixit (@zombie007o) - Account takeover, OAuth flaw, XSS, Weak CSP, CSRF - 11/19/2021
How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud Valeriy Shevchenko (@Krevetk0Valeriy) Atlassian Information disclosure, Authentication flaw $15,000 11/19/2021
A Story of an Epic Blind Remote Code Execution(RCE) Akash Solanki (@MAALP1225) - RCE, OS command injection - 11/18/2021
A common defect in java system-Memory DoS (include CVE-2021-2344, CVE-2021-2371, CVE-2021-2376, CVE-2021-2378) threedr3am (@threedr3am1) Oracle DoS - 11/18/2021
URL whitelist bypass in https://cxl-services.appspot.com & Reacting to myself finding an SSRF vulnerability in Google Cloud David Schütz (@xdavidhu) Google Privilege escalation, URL validation bypass, SSRF $10,401.1 11/17/2021
CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory Karl Fosaaen (@kfosaaen) Microsoft Information disclosure - 11/17/2021
Write Up – Apple N/A: PII Information, Full Contact List, Main Phone No. And Main Icloud Email Extracted; Bug Patched: Arbitrary Local File Read Via Zip File And Symlinks On Ios Files App. Omar Espino (@omespino) Apple Arbitrary file read $0 11/17/2021
The tale of CVE-2021–34479 (VSCode XSS) Daniel Santos (@bananabr) Microsoft XSS, CSP bypass - 11/17/2021
Keybase App Vulnerability: Incomplete Cleanup of Messages In Keybase for Android/iOS, CVE-2021-34421 Olivia O’Hara (@oliviaohara), Jackson Henry (@JacksonHHax), John Jackson (@johnjhacking) & Robert Willis (@rej_ex) Keybase Information disclosure - 11/17/2021
Diving into Open-source LMS Codebases Poh Jia Hao (@Chocologicall) Moodle, Chamilo LMS Insecure file upload, Insecure deserialization, RCE, CSRF, SQL injection, Reflected XSS N/A (VDP) 11/16/2021
DOS attack in Yahoo, How i was able to deny new users from service? Mostafa Mamdoh Yahoo DoS, Logic flaw $1,000 11/16/2021
Full account takeover through referral code. Mostafa Mamdoh Shipt Authentication flaw, Account takeover $700 11/16/2021
DOS attack in Yahoo, How i was able to deny new users from service? Mostafa Mamdoh Yahoo DoS $1,000 11/15/2021
How I Found P1 bug Due to Sensitive data exposure And Earn $$$ Piyush shukla (@PiyushShukla__) - Information disclosure - 11/15/2021
Broken Link Hijacking — 404 Google Play Store— xxx$ Bounty Proviesec (@proviesec) - Broken link hijacking - 11/14/2021
Exploiting CSP in Webkit to Break Authentication & Authorization Sachin Thakuri (@sachinnthakuri) & Prakash (@1lastBr3ath) Apple Information disclosure, CSP leak, Account takeover $100,000+ 11/13/2021
Impact of an Insecure Deep Link Yashar Shahinzadeh (@YShahinzadeh) & Аli Dinifаr (@binb4sh) CafeBazaar Insecure deep link - 11/13/2021
Never leave this tip while you hunting Broken Access Control secureITmania (@secureitmania) - Broken Access Control - 11/13/2021
How I got $200 in 30 Seconds. Yash__ HackZ (@HackzYash) - Information disclosure $200 11/12/2021
chaining improper authentication to idor and no rate limit for mass account takeover mohit (@mohit29295572) - Account takeover, Lack of rate limiting, CSRF, IDOR - 11/12/2021
From URL dumps digging to IDOR , BAC, Massive Phishing in Udemy Mostafa Mamdoh Udemy Broken access control, Information disclosure, IDOR, HTML injection $1,300 11/12/2021
Simple SSRF Allows Access To Internal Assets Sam Paredes (@caffeinevulns) - SSRF - 11/11/2021
Write Up – Google VRP Bug Bounty: /etc/environment Local Variables Exfiltrated On Linux Google Earth Pro Desktop App – $1,337 USD Omar Espino (@omespino) Google XSS $1,337 11/11/2021
Unrestricted File Upload Leads to SSRF and RCE Muhammad Adel (@ItsFadinG_) - ImageTragick, Unrestricted file upload, SSRF, RCE - 11/11/2021
Fuzzing Microsoft’s RDP Client using Virtual Channels: Overview & Methodology Valentino Ricotta Microsoft Memory corruption bug $6,000 11/10/2021
ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough Nir Ohfeld (@nirohfeld) & Sagi Tzadik (@sagitz_) Microsoft Account takeover, Privilege escalation $40,000 11/10/2021
Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond Daniel Thatcher - HTTP Header Smuggling, HTTP Request Smuggling - 11/10/2021
400$ Bounty again using Google Dorks Haris M (@hrsm321) - Directory listing, Information disclosure $400 11/09/2021
Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over Cam (@secretlyhidden1) Google IDOR - 11/09/2021
Bypass Chrome Ad-Heavy detection mechanism 0x0021h (@0x0021h) Google Browser bug - 11/09/2021
How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes Mahmoud Youssef (@0xmahmoudjo0) - SQL injection - 11/07/2021
SONY Hunting I: Discovering Hidden Parameters (5x SWAG) can1337 (@canmustdie) Sony Open redirect N/A (VDP) 11/07/2021
Insufficient Redirect URI validation: The risk of allowing to dynamically add arbitrary query parameters and fragments to the redirect_uri Lauritz (@lauritz) GitHub, Microsoft, StackExchange OAuth flaw, Prototype pollution - 11/06/2021
4 Crits in 48 hours: Unicorn Programs Monke (@pmofcats) - Privilege escalation, Information disclosure, IDOR - 11/06/2021
Unauthenticated Access To Cloud Portal — A 🚪 Without 🗝️ Yukesh Kumar (@3th1c_yuk1) - Authentication bypass - 11/05/2021
HacktoberFest2k21 vulnerability: How users metadata can be changed via Auth JWT tokens leaking from waybackurls Anurag__Verma DigitalOcean IDOR N/A (VDP) 11/04/2021
Fiverr email restriction bypassed | Bounty 100$ Maruf Hosan Fiverr Logic flaw $100 11/04/2021
A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions Perception Point (@PerceptionPo1nt) Apple Local Privilege Escalation, MacOS bug - 11/03/2021
How i made 500$ with XSS Nassim Chami (@nvccim) - XSS, Account takeover $500 11/01/2021
Never Give Up — Story of Hacking Dutch Government and Earning that Dutch Swag. BabaBounty (@Rohan96867358) Dutch Government IDOR N/A (VDP) 10/31/2021
This is how i was able to Permanently Crash all Mapillary users within minutes Abhishek Pathak (@pathleax) Facebook Application-level DoS - 10/31/2021
How I found Command Injection via Obsolete PHPThumb Sushant Kamble - OS command injection - 10/30/2021
How I was able to access a properly Configured S3 Bucket Pawan Chhabria (@heybenchmarkkk) - Leaked AWS keys, Information disclosure - 10/28/2021
Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection Microsoft Security Vulnerability Research (MSVR) Apple SIP bypass, Local Privilege Escalation - 10/28/2021
Write Up – XSS Stored In api.media.atlassian.com Via Doc File (iOS) Omar Espino (@omespino) Atlassian Stored XSS - 10/28/2021
A journey from XML External Entity (XXE) to NTLM hashes! Shubham Chaskar (@chaskar_shubham) - XXE - 10/28/2021
Apple XAR – Arbitrary File Write (CVE-2021-30833) Richard Warren (@buffaloverflow) Apple Arbitrary file write - 10/28/2021
Unauthenticated Cache Purge Priyansh Bansal (@PriyanshB25) Lenovo Unauthenticated cache purge - 10/28/2021
Unauthorized access to any user’s account. vikram naidu (@ImVikram7msd) - IDOR, Authentication bypass, Account takeover - 10/28/2021
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD Simon Scannell (@scannell_simon) GoCD Broken authentication, Authentication flaw N/A (VDP) 10/27/2021
Easy SSRF from Wayback Machine Khaled Mohamed (@0xElkomy) - SSRF - 10/27/2021
Use-After-Free in Voice Control: CVE-2021-30902 Write-up 08Tc3wBB (@08Tc3wBB) Apple Memory corruption bug - 10/27/2021
An Effective 5 min recon leads to a Hall of Fame Renganathan (@IamRenganathan) - Information disclosure - 10/26/2021
Account Takeover via improper input validation Gaurav Narwani (@gauravnarwani97) & Verneet (@err0rrrrr) - OAuth flaw, Token theft, Account takeover - 10/24/2021
How I was able to revoke your Instagram 2FA Dhiyaneshwaran (@DhiyaneshDK) Facebook (Instagram) Bruteforce, Rate-limiting bypass $5,000 10/23/2021
Google Chrome Vulnerability Worth for $6K: Use After Free (CVE-2021-30573) Security For Everyone / S4E Team (@secforeveryone) Google Memory corruption bug $6,000 10/23/2021
Discourse SNS webhook RCE joernchen (@joernchen) Discourse RCE - 10/23/2021
Tagged User Could Delete Facebook Story Mark Rhoy (@mrkrhy_xyz) Facebook Logic flaw, Android app bug, Authorization flaw - 10/23/2021
How i Got 3 SQL injection in just 10 minutes. Ahmed Fatouh (@XDev05) - SQL injection - 10/23/2021
A story of another awesome old school hacking that lead to a cool P1 bug Vuk Ivanovic - 403 bypass - 10/22/2021
Moodle - Stored XSS and blind SSRF possible via feedback answer text rekter0 (@rekter0) & Holme (@holme_sec) Moodle Stored XSS, SSRF N/A (VDP) 10/22/2021
All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021-38646) Eugene Lim (@spaceraccoonsec) Apache OpenOffice RCE, Memory corruption bug - 10/22/2021
Unauthorized access to any Facebook user’s draft profile picture frames Sandeep Hodkasia (@sandeephodkasia) Facebook IDOR - 10/22/2021
CVE-2021-2471 MySQL JDBC XXE - Oracle (MySQL) XXE - 10/21/2021
From staging to 0 click account takeover mohamad mahmoudi (@dPhoeniixx) Pinterest Account takeover, Logic flaw - 10/19/2021
Exploiting Request forgery on Mobile Applications. Sayed Abdelhafiz (@dPhoeniixx) Pinterest CSRF, Account takeover, Android app bug, iOS app bug - 10/19/2021
A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection Marc Olivier Bergeron Amazon SQL injection, WAF bypass - 10/19/2021
The Speckle Umbrella story — part 2 Imre Rad (@ImreRad) Google Information disclosure, Logic flaw - 10/18/2021
How I Escalated a Time-Based SQL Injection to RCE 0xEchidonut Sony SQL injection, RCE - 10/17/2021
Business Logic Errors - A Logic Destruction Jerry Shah (@Jerry) - Logic flaw - 10/17/2021
Exploitation of file’s download parameters to create potential risk of malware delivery: $200 bug! Muhammad Aamir (@Muhammad__Aamir) - CSRF, RCE $200 10/17/2021
Write Up – Google VRP N/A: Arbitrary Local File Read (Macos) Via <a> Tag And Null Byte (%00) In Google Earth Pro Desktop App Omar Espino (@omespino) Google Local File Read $0 (Won’t fix) 10/14/2021
500$ Bug: Sensitive Data Exposure to Broken Access Control leads, How I able to take over any account of India’s Biggest College Ever.👨‍💻 Gowtham_Naidu (@NaiduPonnana) - OTP bypass, Account takeover, Password reset flaw $500 10/13/2021
Abusing Slack’s file-sharing functionality to de-anonymise fellow workspace members Julien Cretel (@jub0bs) Slack XSLeaks $0 (Won’t fix) 10/12/2021
ESET Endpoint Security credentials theft Mehdi Alouache ESET Credentials sent over unencrypted channel $0 (Informative) 10/12/2021
Bypassing required reviews using GitHub Actions Omer Gil (@omer_gil) GitHub Privilege escalation, Logic flaw - 10/12/2021
Hacking YouTube With MP4 KeyboardWarrior (@Keyb0ardWarr10r) Google Logic flaw, DoS $0 (Informative) 10/11/2021
Exploiting HTML-to-PDF Converters through HTML Imports Mohammed Diaa (@mhmdiaa) - XSS, LFI - 10/10/2021
How I Hacked Billion Android Users Social And 3rd Party Account | A Story About 5000$ Bug Karthikeyan (@Karthithehacker) Google Android bug $5,000 10/10/2021
How I got $500 with Open redirect khan mamun (@mamunwhh) - Open redirect $500 10/10/2021
Stumbling across a DOM XSS on google.com tkiela (@svennergr) Google DOM XSS - 10/10/2021
Account Takeover — Story of 2 same issues in a single program but different sub-domains. Himanshu Pdy (@himanshu_pdy_01) - Account takeover - 10/10/2021
Auth Bypass in Google Assistant David Schütz (@xdavidhu) Google Insecure deeplink $8,133.70 07/10/2021
Power of Your Own Wordlist — Fuzz for Log File Leads to Information Leakage MikeChan - Information disclosure - 10/09/2021
Request Smuggling In Major Crypto Site — road to disappointment CeloIme Prezime - HTTP Request Smuggling $0 10/09/2021
Accessing Apple’s internal UAT Slackbot for fun and non-profit Shail Patel (@shail_official) & Ashish Kunwar (@D0rkerDevil) Apple Authorization flaw $0 10/07/2021
CVE-2021-26420: Remote Code Execution In Sharepoint Via Workflow Compilation - Microsoft RCE - 10/06/2021
Hacking Netflix Eureka! Maxim Tyukov (@maxtyukov) Netflix SSRF, XSS - 10/06/2021
CSRF to one tray Red-bull Mohammed Saneem Redbull CSRF N/A (VDP) 10/06/2021
[EN] Stored XSS in the administrator’s panel due to misuse of MarkupSafe Aethlios (@AethliosIK) pass Culture Stored XSS - 10/06/2021
How I got access to many PIIs through a source code leak Supras (@LdrTom) - Information disclosure - 10/05/2021
CVE-2021-26084 snowyyowl (@bennyyjacob) Atlassian RCE - 10/05/2021
Bypassing 403 Protection To Get Pagespeed Admin Access Prajit Sindhkar (@PrajitSindhkar) - 403 bypass $200 10/04/2021
$600 for IDOR (File or Folder Download) Inderjeet Singh - encodedguy (@3nc0d3dGuY) - IDOR $600 10/03/2021
A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection Rishu Ranjan (@tweetit_rrj) Apple HTML injection, Dangling Markup Injection - 10/03/2021
Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit) Vanshal Gaur (@VanshalG) - SSRF - 10/02/2021
The Discovery Of Gatekeeper Bypass CVE-2021-1810 & Analysis Of CVE-2021-1810 Gatekeeper Bypass Rasmus Sten (@pajp) Apple Logic flaw - 10/01/2021
Ping’ing XMLSec tint0 (@_tint0) Ping, Netflix, Paypal XSLT, XXE - 09/30/2021
Expect The Unexpected: Discovering fresh ZeroDay for Bounty SinSin (@sin_khe) - Logic flaw, Information disclosure - 09/30/2021
How I found bug on Google Cloud Anuragbhoir11 Google OTP bypass - 09/30/2021
Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts Youssef Sammouda (@samm0uda) Facebook Account takeover, Android app bug $10,000 09/29/2021
Force Browsing bug at Facebook business plan ($500 Bounty) Dewanand Vishal (@dewcode91) Facebook Authorization flaw, Forced browsing $500 09/29/2021
Telegram users’ privacy has been violated again. Messenger representatives demand not to disclose details ne555 / Dmitrii Telegram Privacy issue - 09/29/2021
“A tale of making internet pollution free” - Exploiting Client-Side Prototype Pollution in the wild Sergey Bobrov (@black2fan), Mohan Sri Rama Krishna P (@s1r1u5_), Terjanq (@terjanq), Beomjin Lee (@po6ix), Masato Kinugawa (@kinugawamasato), Nikita Stupin (@_nikitastupin), Rahul Maini (@iamnoooob), Harsh Jaiswal (@rootxharsh), Mikhail Egorov (@0ang3el), Melar Dev (@melardev) Apple, Atlassian, Mozilla, HubSpot, Segment Analytics & others Prototype pollution, XSS $12,600+ 09/28/2021
Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS) Bobby Rauch / Bobbyr Apple Stored XSS - 09/28/2021
DeepSurface Security Advisory: LPE in Firefox on Windows Robert Chen Mozilla Local Privilege Escalation $0 (Won’t fix) 09/28/2021
Bypass of biometrics & password security functionality for Android Dheeraj Madhukar (@Dheerajmadhukar) CoinDCX Authentication bypass, Android app bug - 09/27/2021
CVE-2021-39246 – Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack excessive verbose logging – Windows, macOS, Linux sickcodes (@sickcodes) Tor Verbose logging $0 (Informative) 09/27/2021
Improper phone number validation to account takeover shesha sai_c (@Cyb3r_4ss4s1n) - Logic flaw, OTP bypass, Account takeover - 09/27/2021
Attack Surface Analysis - Part 3 - Resurrected Code Execution Parsia Hackerman (@cryptogangsta) - RCE - 09/26/2021
Telegram bug in terminated sessions Hackintosh5 Telegram Session expiration issue - 09/24/2021
Remote Command Execution in Visual Studio Code Remote Development Extension Abdel Adim smaury Oisfi (@smaury92) Microsoft RCE - 09/24/2021
Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program Denis Tokarev / illusionofchaos Apple Information disclosure, Local Privilege Escalation, Privacy issue - 09/24/2021
$8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser Renwa (@RenwaX23) Opera XSS, RCE $8,000 09/24/2021
Bug-Bounty | FASTMAIL [pobox.com : account takeover] Mohammed ELdawody Fastmail Account takeover, Password reset flaw - 09/24/2021
Bug-Bounty | FASTMAIL [topicbox.com: Privileges Escalation > Organization Takeover] Mohammed ELdawody Fastmail Privilege escalation, Logic flaw - 09/24/2021
Facebook Messenger for MacOS contained valid hardcoded FB access token (employee’s token?) Dzmitry Lukyanenka (@vulnano) - Hardcoded token $625 09/23/2021
Pwn2Own 2021: Parallels Desktop Guest To Host Escape Benjamin McBride (@bdmcbri) Parallels VM escape - 09/23/2021
Super Admin panel without Credentials 😎 Rizwan_siddiqui (@Rizwan_SiDdiqu1) - Authentication bypass N/A (VDP) 09/22/2021
Autodiscovering the Great Leak Amit Serper (@0xAmit) Microsoft Domain name collision - 09/22/2021
mXSS in support.mozilla.org Guilherme Keerok (@k33r0k) & Luan Herrera (@lbherrera_) Mozilla XSS $0 (OOS) 09/22/2021
A fever Worth 750$- [Accessing Private Projects ] Shakti Mohanty (@3ncryptSaan) Mozilla IDOR, Information disclosure $750 09/22/2021
Cookie Stealing via Clickjacking using Burp collaborator Anurag__Verma - Clickjacking - 09/22/2021
RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through Markus Wulftange (@mwulftange) Citrix Systems RCE, Path traversal - 09/21/2021
Mama Always Told Me Not to Trust Strangers without Certificates Adam (@AdamOfDc949) Netgear MiTM, RCE - 09/21/2021
5 RCEs in npm for $15,000 Robert Chen (@NotDeGhost) & Philip - RCE $15,000 09/20/2021
Unlimited report user in Instagram (Facebook) leads to abuse risk. Mano Prasanth Facebook Lack of rate limiting $0 (Informative) 09/20/2021
Vertical Privilege escalation Saddam Hussain (@wisdomfreak1) - Privilege escalation - 09/19/2021
Chaining bugs for better bounties Manas Harsh (@ManasH4rsh) - SSRF, XSS, Information disclosure $600 09/19/2021
Admin access !! th3.d1p4k (@DipakPanchal05) - Privilege escalation, Broken Access Control - 09/19/2021
A small change, and things go in your hand : Story of a $250 bounty Fardeen Ahmed (@fardeenahmed411) - Information disclosure $250 09/18/2021
From phpinfo page to many P1 bugs and RCE. [Symfony] Abdelrahman Khaled - File disclosure, Information disclosure, RCE - 09/18/2021
From Google Dorking to Information Disclosure MikeChan - Information disclosure, Lack of authentication N/A (VDP) 09/18/2021
All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021-33035) Eugene Lim (@spaceraccoonsec) Apache OpenOffice RCE, Memory corruption bug - 09/17/2021
How to have free Internet WIFI on United Airlines flights Philippe Delteil (@PhilippeDelteil) United Airlines Payment tampering, Logic flaw - 09/17/2021
A Small Tale of Account Takeover … Saugat Pokharel (@saugatpk5) - IDOR, Account takeover - 09/16/2021
Weaponizing Reflected XSS to Account Takeover Hassan Shahid (@pwnsauc3) - XSS, Account takeover - 09/16/2021
How I was able to find 100+ XSS in United nations Bug Bounty Program mrpentestguy (@MR_iambatman) United Nations XSS N/A (VDP) 09/16/2021
This is why you shouldn’t trust your Federated Identity Provider Soufiane Habti (@wld_basha) - OAuth flaw, Account takeover, Authentication bypass $1,500 09/15/2021
A Facebook bug that exposes email/phone number to your friends Saugat Pokharel (@saugatpk5) Facebook Information disclosure, Logic flaw $19,250 09/15/2021
How I Was Able To Send SMS From Google To Anyone | $$$ Google Vulnerability: Raidh Ĥere (@asterfiest) Google Content spoofing - 09/15/2021
How I hacked worldwide Tiktok users s3c (@s3c_krd) TikTok IDOR $7,500 09/15/2021 Archived page
Microsoft Azure Portal – Persistent Cross-Site Scripting Christian Becker (@0xchrisb) & Sven Schlüter (@secsven) Microsoft Stored XSS - 09/15/2021
10 golden minutes for taking over a Chess.com account Seqrity (@seqrity9) Chess.com Lack of rate limiting, Bruteforce, Session expiration issue $400 09/14/2021
Hacking CloudKit - How I accidentally deleted your Apple Shortcuts Frans Rosén (@fransrosen) Apple Logic flaw(s) $64,000 09/13/2021
Escalating Azure Privileges with the Log Analytics Contributor Role Karl Fosaaen (@kfosaaen) Microsoft Logic flaw(s) - 09/13/2021
$3133.70 Google Dialogflow IDOR Vulnerability Raidh Ĥere (@asterfiest) Google IDOR $3,133.70 09/12/2021
$5000 Google IDOR Vulnerability Writeup Raidh Ĥere (@asterfiest) Google IDOR $5,000 09/11/2021
How I found my first AEM related bug. Vedant Tekale (@_justYnot) - LFR - 09/11/2021
Bypassing GCP Org Policy with Custom Metadata & GCP AI Notebooks Vulnerability - Remediation Kat Traxler (@NightmareJS) Google Authorization flaw $1,337 09/10/2021
How I Was Able to delete any facebook story where am I mentioned or tagged Sank Dahal (@sank68034756) Facebook Logic flaw $1,000 09/10/2021
Mistuned Part 1: Client-side XSS to Calculator and More, Mistuned Part 2: Butterfly Effect & Part 3 Sank Dahal (@sank68034756) Apple XSS, Memory corruption bug, iOS bug - 09/10/2021
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances Yuval Avrahami (@yuval_avrahami) Microsoft Container takeover, Container escape, Privilege escalation - 09/09/2021
Change home directory and bypass TCC aka CVE-2020-27937 Wojciech Reguła (@_r3ggi) Apple Privacy issue, MacOS bug - 09/09/2021
GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink Justin Steven (@justinsteven) GitHub Logic flaw, Information disclosure - 09/08/2021
Spook.js: Attacking Google Chrome’s Strict Site Isolation via Speculative Execution and Type Confusion Ayush Agarwal, Sioli O’Connell, Jason Kim, Shaked Yehezke, Daniel Genkin, Eyal Ronen & Yuval Yarom Google Browser bug, Side-channel attack - 09/08/2021
Account Takeover via XSS in e-signature feature worth 2500$ Gökhan Güzelkokar (@gkhck_) - XSS, Account takeover $2,500 09/08/2021
Facebook email disclosure and account takeover Rikesh Baniya / NotRickyy (@rikeshbaniya) Facebook Information disclosure, Account takeover - 09/08/2021
Bug Bounty Guest Post: Local File Read via Stored XSS in The Opera Browser Renwa (@RenwaX23) Opera Stored XSS, Local File Read $4,000 09/08/2021
Accessing Grofers Grafana Instance Using Shodan Lohith Gowda M (@lohigowda_in) Grofers Weak credentials $25,000 09/08/2021
5 Different Vulnerabilities in Google’s Threadit Thomas Orlita (@ThomasOrlita) Google DOM XSS, Clickjacking, Privilege escalation, Information disclosure - 09/07/2021
SSRF in PDF export with PhantomJs أنس روبي (@xhzeem) - SSRF, XSS, LFI - 09/07/2021
Full structure takeover to many brands of company Abdelrahman Khaled - Directory listing, Information disclosure - 09/06/2021
SSD Advisory – NETGEAR D7000 Authentication Bypass - Netgear Authentication bypass - 09/06/2021
2 CSRF 1 IDOR on Google Marketing Platform apapedulimu / Nosa Shandy (@LocalHost31337) Google IDOR, CSRF $3,633.70 09/06/2021
How I can take over any user’s account with their mobile number Sushmitha Katikitala - Account takeover, OTP bypass, Authentication bypass - 09/06/2021
Burp Suite RCE Wfox PortSwigger RCE, Browser bug - 09/06/2021
Eye for an eye: Unusual single click JWT token takeover Yurii Sanin (@SaninYurii) JetBrains Open redirect, JWT bug, Account takeover - 09/05/2021
Business Logic Errors - Must Vote Jerry Shah (@Jerry) - Logic flaw $0 (Duplicate) 09/05/2021
Bypassed! and uploaded a sweet reverse shell Ajay Sharma (@security_donut) - Unrestricted file upload - 09/05/2021
How i hacked BBC mail servers Momen Ali (Cyber Guy) (@theCyberGuy0) BBC Information disclosure, Open mail relay - 09/04/2021
More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers Youssef Sammouda (@samm0uda) Facebook Account takeover $126,000 09/03/2021
How @Mailru traeted my report on their program Aý Oùb (@Yukusawa18) Mail.ru AWS misconfiguration $150 09/03/2021
IDOR Vulnerability In GraphQL Api On Website Aidil Arief - IDOR, GraphQL bug - 09/03/2021
Google Cloud Build — under the hood Imre Rad (@ImreRad) Google - - 09/02/2021
Play the music and bypass TCC aka CVE-2020-29621 Wojciech Reguła (@_r3ggi) Apple Privacy issue, MacOS bug - 09/02/2021
RCE By Code Injection | Perl Reverse Shell Abdulrahman-Kamel - RCE, Code injection - 09/02/2021
ZDI-21-1053: Bypassing Windows Lock Screen Abdelhamid Naceri (@KLINIX5) Microsoft Authentication bypass - 09/02/2021
Your Vulnerability Is In Another OEM! Lucas Georges, Julien Boutet & Thomas Chauchefoin Western Digital Memory corruption bug, RCE - 09/02/2021
SQL injection in harvard subdomain Brandon Roldan (@tomorrowisnew_) Harvard University XSS, SQL injection - 09/02/2021
Breaking Application’s Logic to DOS Attack Abhijeet Singh (@abhiunix) - IDOR, DoS - 09/02/2021
chaining bugs from self XSS to account takeover Behnam Yazdanpanah (@abhiunix) - Self XSS, WAF bypass, CSRF, Account takeover - 09/02/2021
How I Found Multiple XSS in Hidden Legacy Pages Marx Chryz - XSS $1,000 09/02/2021
Hacking Dutch Government For a lousy T-shirt Veshraj Ghimire (@GhimireVeshraj) Dutch Government IDOR, Information disclosure $0, Swag 09/02/2021
CVE-2021-2429: A Heap-based Buffer Overflow Bug In The Mysql Innodb Memcached Plugin - Oracle (MySQL) Memory corruption bug - 09/02/2021
Now Patched Vulnerability in WhatsApp could have led to data exposure of users Dikla Barda & Gal Elbaz Facebook (WhatsApp) Memory corruption bug - 09/01/2021
Full PoC | Metasploit Pro Trial License Request Limit Bypass ChooK Rapid7 Privilege escalation, Logic flaw N/A (VDP) 08/31/2021
Dropping root shell in a Crypto Exchange for Fun and Profitn’t Nirmal Thapa (@tnirmalz) ChangeNOW RCE $1,000 08/31/2021
Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD) Shubham Bhamare (@theshubh77) Facebook 2FA bypass $1,000 08/31/2021
Broken Access Control Leads To Change Of Admin Details V3D (@v3d_bug) - Privilege escalation, Client-side enforcement of server-side security - 08/31/2021
CVE-2021-39165: A Bug Bounty Journey from a Laravel SQL Injection Vulnerability Xuan Tuyen - SQL injection - 08/30/2021
Proxytoken: An Authentication Bypass In Microsoft Exchange Server Xuan Tuyen Microsoft Authentication bypass - 08/30/2021
I owe your Request | HTTP Request Smuggling leads to Full Accounts takeover Muhammad Adel (@ItsFadinG_) - HTTP Request Smuggling - 08/30/2021
Two account takeover bugs worth $4300 🎁 Usama Varikkottil (@usama_dev) - Account takeover, Privilege escalation, 403 bypass, IDOR $4,300 08/29/2021
How MarkMonitor left >60,000 domains for the taking Ian Carroll (@iangcarroll) - Subdomain takeover - 08/29/2021
Hunting for XSS with CodeQL Daniel Santos (@bananabr) GitLab XSS $500 08/29/2021
What would you do if Oracle’s mailing server sent you this? I am Broot Oracle HTML injection - 08/29/2021
ATO of WordPress Website “4 digits €€€€ Bounty in 5 Minute!” Ritesh Gohil (@RiteshG37659480) - Exposed registration page, Account takeover - 08/29/2021
Information disclosure via api misconfiguration Rizwan_siddiqui (@Rizwan_SiDdiqu1) - Information disclosure - 08/29/2021
Cache Poisoning via SelfXSS + Path Parameter ElMahdi Mrhassel (@ElMrhassel) - XSS, Web cache poisoning - 08/28/2021
SSRF External Service Interaction for Find Real IP CloudFlare and Leads to SQL Injection Caesar Evan Santoso - WAF bypass, SSRF, SQL injection - 08/28/2021
Exploiting Devops -Leak Source codes Shivbihari Pandey (@ninja_pandit_) - Information disclosure - 08/28/2021
How I Scored 2K Bounty via an IDOR Sicksec (@OriginalSicksec) Mail.ru IDOR $2,000 08/27/2021
How did I earned 6000$ from tokens and scopes in one day Corraldev (@javier_corralg) - Authorization flaw, Privilege escalation $6,000 08/27/2021
ChaosDB: Critical Vulnerability in Microsoft Azure Cosmos DB Nir Ohfeld (@nirohfeld) & Sagi Tzadik (@sagitz_) Microsoft Account takeover, Local Privilege escalation $40,000 08/26/2021
Oauth client secret leak and possible IDOR leading to PII Disclosure Monke & Bend Theory (@bendtheory) - IDOR, OAuth flaw, Information disclosure - 08/26/2021
Reflective XSS via search box [Bypassing Cloudflare WAF]. Friendly (@SkeletorKeys) - Reflected XSS - 08/26/2021
‘Websocket Hijacking’ to steal Session_ID of victim users Sunil Yedla (@sunilyedla2) - Cross-Site WebSocket Hijacking (CSWH) - 08/25/2021
Pwn2Own Vancouver 2021 :: Microsoft Exchange Server Remote Code Execution Steven Seeley (@steventseeley) Microsoft RCE, MiTM - 08/25/2021
Business Logic Ratings Bug Maxwell Dulin (@Dooflin5) - Logic flaw - 08/25/2021
Retrieve Archived Stories Of Any Public Instagram Account. Naveen Facebook (Instagram) IDOR, GraphQL bug $0 (Duplicate) 08/25/2021
Vulnerability in Bumble dating app reveals any user’s exact location Robert Heaton (@RobJHeaton) Bumble Information disclosure, Logic flaw $2,000 08/25/2021
The Nomulus rift Imre Rad (@ImreRad) Google Insecure deserialization - 08/25/2021
“How Companies Need to Widen There Scopes” amnotacat - RCE, Components with known vulnerabilities - 08/25/2021
How I found a primitive but critical broken access control vulnerability in YouTrack (CVE-2020-24618) Yurii Sanin (@SaninYurii) JetBrains Information disclosure - 08/25/2021
One Endpoint, Two Account Takeovers Yashar Shahinzadeh (@YShahinzadeh) - Account takeover - 08/24/2021
[$5K] Misconfigured Reset password that leads to Account Takeover (No user Interaction ATO) Aditya Sharma (@Assass1nmarcos) - Account takeover, Password reset flaw, Information disclosure $5,000 08/24/2021
How i was able to steal private files of any user on Larksuite Imran Nissar (@Imrannissar3) - IDOR - 08/24/2021
By Design: How Default Permissions on Microsoft Power Apps Exposed Millions UpGuard Team (@upguard) Microsoft Information disclosure - 08/23/2021
Hey Google ! - Delete my Data Properly — #GoogleVRP Sriram Kesavan (@sriramoffcl) Google Logic flaw - 08/23/2021
Zoom RCE from Pwn2Own 2021 Thijs Alkemade & Daan Keuper Zoom RCE, Memory corruption bug $200,000 08/23/2021
Server Side Request Forgery with huge impact in production application Gökhan Güzelkokar (@gkhck_) - SSRF - 08/23/2021
Story Of Unexpected Bugs Neh Patel - IDOR, XSS - 08/22/2021
MonkeyType.com Stored Cross-Site Scripting Tyle Butler (@tbutler0x90) MonkeyType.com Stored XSS, Authentication bypass, IDOR $40 08/22/2021
How I was able to get 1000$ bounty from a ds-store file? Khaled Mohamed (@0xElkomy) - Information disclosure, Debugging enabled €1,000 08/21/2021
Playing With s3 Leaks Aswin Thambi Panikulangara (@r0074g3n7) - AWS misconfiguration - 08/21/2021
How I found my first Subdomain Takeover vulnerability Monish Basaniwal - Subdomain takeover, CSRF €375 08/20/2021
How I got RCE In The World Largest Russian Company Sicksec (@OriginalSicksec) Mail.ru RCE - 08/20/2021
Account Takeover via Access Token Leakage Tuhin Bose (@tuhin1729_) - IDOR, Information disclosure, Account takeover - 08/19/2021
From Pwn2Own 2021: A New Attack Surface On Microsoft Exchange - Proxyshell! Orange Tsai (@orange_8361) Microsoft RCE, Privilege escalation $200,000 08/18/2021
How to Hack Apple ID Zemnmez (@zemnmez) Apple XSS, Account takeover $10,000 08/17/2021
Confirming any new Email Address bug in Facebook (Part-4) Lokesh Kumar (@lokeshdlk77) Facebook Rate-limiting bypass $3,449 11/04/2020
Dangling DNS: Announcekit Mohamed Elbadry (@_melbadry9) - Subdomain takeover - 08/16/2021
Two weeks of securing Samsung devices: Part 2 Oversecured (@OversecuredInc) Samsung Arbitrary file write, Arbitrary file read, Vulnerable Android content provider $18,040 08/16/2021
CVE-2021-22929 – Brave Browser 1.27 and below permanently logs the server connection time for all v2 tor domains to ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log sickcodes (@sickcodes) Brave Software Privacy issue, Information disclosure $400 08/16/2021
A Bug’s Life: CVE-2021-21225 & Exploiting CVE-2021-21225 and disabling W^X Brendon Tiszka (@btiszka) Google Browser bug $22,000 08/16/2021
Why u should use burp to test Path Traversal Vulnerability and also get RXSS Yasser Mohammed (@boomneroli) - Path traversal, XSS, CSRF, Account takeover $700 08/16/2021
Second Order Subdomain Takeovers – They DO Exist! Alun Jones (@ftp_alun) Microsoft Subdomain takeover, Broken link hijacking - 08/15/2021
1st Bug Bounty WriteUp: Open Redirect To XSS on Login Page Nassim Chami (@nvccim) - Open redirect, XSS - 08/15/2021
Simple HTML Injection to $250 Ahmad Halabi (@Ahmad_Halabi_) - Account takeover, Mass assignment $600 08/14/2021
Finding multiple SSRF with aws metadata access on A BANK system Santosh Kumar Sha (@killmongar1996) - SSRF - 08/14/2021
Bypass Google Captcha+Parameter Pollution Leads to send email to any user on behalf of “Organization” with any desired content viral bhatt (@viralbhatt100) - HTTP Parameter Pollution, Captcha bypass - 08/14/2021
Facebook Bug:Invite user to Like a Page even after they decline the Page Like Invite Circle Ninja (@circleninja) Facebook Logic flaw $0 (Informative) 01/14/2021
How we was able to takeover whole organization via Privilege Escalation Yasser Mohammed (@boomneroli) - Privilege escalation, Authorization flaw $500 08/13/2021
How I found read/write access to the personal data of 3 million users of an E-commerce website? Prashant Singh / SecGeek_one0one - IDOR - 08/13/2021
Blind SSRF in URL Validator Yash Kandekar (@Neutron__) - Blind SSRF - 08/12/2021
Taking Over Employee Accounts by Managers with Zero Employee Interaction Chaitanya Rajhans (@Chaitanya_024) - HTML injection $250 08/12/2021
How I Bought a £240.00 Annual Subscription for Bargain £0.01 Craig Hays (@craighays) - Payment tampering, Logic flaw - 08/11/2021
OVE-20210809-0001 Visual Studio Code .ipynb Jupyter Notebook XSS (Arbitrary File Read) Justin Steven (@justinsteven) Microsoft XSS $0 (OOS) 08/11/2021
Multiple Vulnerabilities In cPanel/WHM Adrian Tiron (@adrian__t) cPanel XXE, Stored XSS, Privilege escalation, CSRF, Cross-Site WebSocket Hijacking (CSWH) - 08/10/2021
Fuzzing + IDOR = Admin TakeOver Gonzalo Carrasco (@0xCGonzalo) - IDOR, Account takeover - 08/09/2021
What is BOLA? 3-digit bounty from Topcoder ($$$) can1337 (@canmustdie) Topcoder IDOR - 08/09/2021
CVE-2021-25738 Jordy Versmissen / J0VSEC (@j0v0x0) Kubernetes RCE $1,000 08/07/2021
CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation Of Privilege (EOP) bohops (@bohops) Intel Local Privilege Escalation - 08/07/2021
Size Matters — CVE-2021–0485 (High) +Ch0pin (@Ch0pin) Google (Android) Local Privilege Escalation - 08/07/2021
Access to CrowdTangle Deletion Framework API Philippe Harewood (@phwd) Facebook Authorization flaw, GraphQL bug - 08/07/2021
View the country of a private Instagram User Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 08/07/2021
Access to CrowdTangle Deletion Framework API Philippe Harewood (@phwd) Facebook Information disclosure, Logic flaw, GraphQL bug $0 (Informative) 08/07/2021
Do you like to read? I can take over your Kindle with an e-book Slava Makkaveev Amazon Memory corruption bug, RCE, Local Privilege Escalation - 08/06/2021
Account Takeover (User + Admin) Via Password Reset Hemant Patidar (@HemantSolo) - Account takeover, Password reset flaw, Logic flaw $200 08/05/2021
PostMessage Xss vulnerability on private program Youghourta Ghannei (@YoughartaG) - XSS, postMessage bug - 08/03/2021
How the use of hidden form fields lead to Email verification bypass Yash Swarup (@wazirsec) - Email verification bypass, Client-side enforcement of server-side security - 08/03/2021
Detecting Jackson deserialization vulnerabilities with CodeQL Artem Smotrakov (@artem_smotrakov) GitHub Insecure deserialization $4,500 08/02/2021
Facebook Messenger for android indirect thread deletion vulnerability. Rahul Kankrale (@RahulKankrale) Facebook Insecure deeplink - 08/02/2021
how to be popular yan (@bcrypt) OkCupid CSRF, Type confusion - 08/02/2021
CVE-2020-15823: Server-Side Request Forgery (SSRF) in JetBrains YouTrack Yurii Sanin (@SaninYurii) JetBrains SSRF - 08/02/2021
~/BugBounty/IDOR/”How I was able to exfiltrate any user’s credit coupons” Jai Sharma (@ja1sharma) - IDOR - 08/02/2021
Privilege Escalation | stealing user’s point | Bugcrowd Abhind Abhi - IDOR, Privilege escalation - 08/02/2021
Tale of XSS in Angular Sicksec (@OriginalSicksec) - Reflected XSS - 08/02/2021
Blind XXE Leads to Internal Port Scanning Through SSRF Sam Paredes (@caffeinevulns) - XXE, SSRF - 08/01/2021
Multi Domain DOM Cross Site Scripting Sam Paredes (@caffeinevulns) - DOM XSS - 08/01/2021
The journey from Google Honorable Mention to Hall of Fame. Akash basnet (@noneofyou007) Google Referer leakage, Information disclosure, Password reset flaw - 08/01/2021
Missing permission check for Facebook gaming community invites Philippe Harewood (@phwd) Facebook Information disclosure, Authorization flaw - 08/01/2021
Bug Bounty Stories #1: Tale of CSP bypass in an electron app! SecurityGOAT (@RuntimeSecurity) - CSP bypass - 07/31/2021
From Hobby to Hacking Muhammad Syahrul Haniawan (@b0x_in) - Unrestricted file upload, RCE, Lack of authentication - 07/31/2021
How I escalate my Self-Stored XSS to Account Takeover with the help of IDOR Jefferson Gonzales (@gonzxph) - Self-XSS, IDOR, Account takeover - 07/31/2021
How I bypassed website using Akamai waf Yusif Cəfərov (@yusifceferov_) - XSS - 07/31/2021
Facebook Vulnerability: Expose Group Member — $3000 Muhammad Sholikhin (@MuhammadLikhin) Facebook IDOR $3,000 07/30/2021
XXE in Public Transport Ticketing Mobile APP Nikhil (niks) (@niksthehacker) - XXE, RCE - 07/30/2021
Account takeover via stored xss vikram naidu (@ImVikram7msd) - Stored XSS $1,000 07/30/2021
Google Bug Bounty: $500 worth client-side DoS on Google Keep Tommaso De Ponti (@heytdep) Google Application-level DoS $500 07/30/2021
Gaining Access To GCP Of Google Stadia — 500$ Bounty Sebastien Kaul Google Information disclosure $500 07/29/2021
How I found my first IDOR in HackerOne N1GHTMAR3 (@n1ghtmar3_2421) - IDOR - 07/29/2021
How I could have hacked your medium account by phishing your FB, Twitter & Google credentials. Renganathan (@IamRenganathan) Medium Open redirect, OAuth flaw - 07/29/2021
Chaining Open Redirect with XSS to Account Takeover Radian ID - Open redirect, XSS, Account takeover - 07/29/2021
How I earned $$$ by Amazon S3 Bucket misconfigurations? Abdullah Mohamed (@3bodymo_) - AWS misconfiguration, Subdomain takeover - 07/29/2021
Information Disclosure to Account Takeover Sunil Yedla (@sunilyedla2) - Information disclosure, OAuth flaw, Account takeover, Authentication bypass - 07/28/2021
Pre-Auth RCE in Moodle Part I - PHP Object Injection in Shibboleth Johannes Moritz & Robin Peraglie Moodle RCE, PHP Object Injection N/A (VDP) 07/27/2021
XSS-Special-Cases: XSS That Works only in mobile Devices 0xdln (@0xdln) - XSS - 07/27/2021
Abusing JSON Web Token to steal accounts — 3000$ Filipe Azevedo (@filipaze_) - IDOR $3,000 07/27/2021
Telegram Report: SSRF leads to DOS attack [Reports that didn’t make it] Philippe Delteil (@PhilippeDelteil) Telegram SSRF, DoS - 07/27/2021
XXE Case Studies cinzinga (@cinzinga_) - XXE - 07/26/2021
Apple Hall Of Fame for a Small Misconfiguration || Unauth Cache Purging Prajit Sindhkar (@PrajitSindhkar) Apple Unauthenticated cache purge $0, HoF 07/26/2021
Mattermost Server v5.32 > v5.36 Reflected XSS in OAuth flow zi0Black (@zi0Black) Mattermost Reflected XSS, OAuth flaw $900 07/26/2021
Bug Chain leads to Mass Account Takeover! Shubhayu Majumdar (@shubhayu64) - Information disclosure, Password reset flaw, Account takeover - 07/26/2021
Easy Bounty With Exposed Buckets & Blobs mr.d0x (@mrd0x) - Misconfigured cloud storage $1,450 07/26/2021
How I found a bug in Apple within just in 5min. Akash basnet (@noneofyou007) Apple XSS - 07/25/2021
Not valid bug that leads to us a multiple Valid Report in Facebook Kntjrld Facebook Information disclosure $1,000 07/25/2021
eBay XSS demo and guide to spear phishing MLT (@0dayWizard) Ebay XSS - 07/24/2021
How I Found Multiple Bugs On FaceBook In 1 Month And a Part For My Methodology & Tools Orwa Atyat (@GodfatherOrwa) Facebook SSTI, SQL injection, Authentication bypass, Privilege escalation, Reflected XSS - 07/23/2021
Story OF MY 3RD Bounty From Facebook Aashish Jung Kunwar (@WhoisAasis) Facebook Irremovable users, Logic flaw $500 07/23/2021
FragAttacks Mathy Vanhoef (@vanhoefm) The Internet Wifi vulnerability $750 07/23/2021
Pre-Account Takeover by Reversing a Weak Email Verification Token Algorithm Craig Hays (@craighays) - Weak crypto - 07/22/2021
Unauthenticated Access To MongoDB Database of Oracle Corporation Pratikkhalane (@KhalanePratik) Oracle Lack of authentication, Exposed administrative interface - 07/22/2021
Escalating Self-XSS To Stored XSS via Image injection + IDOR Demon (@R29k_) - Self XSS, Stored XSS, IDOR - 07/21/2021
Guest Blog Post - Attacking the DevTools David Erceg (@david_erceg) Microsoft Browser bug $36,000 07/21/2021
XSS-Through-Fuzzing-Default-IIS 0xdln (@0xdln) - Reflected XSS - 07/20/2021
How I was able Find mass leaked AWS s3 bucket from js File Santosh Kumar Sha (@killmongar1996) - AWS misconfiguration - 07/20/2021
Hacking Xiaomi’S Android Apps - Part 1 Ameya (@iamTakeMyHand) Xiaomi Android app bug, Information disclosure, Open redirect, Privacy issue - 07/19/2021
How I Bypassed a tough WAF to steal user cookies using XSS! Asem Eleraky (@melotover) - XSS, WAF bypass - 07/19/2021
Facebook Vulnerability: $1500 for Removing Document Cover Muhammad Sholikhin (@MuhammadLikhin) Facebook Authorization flaw, IDOR $1,500 07/18/2021
Account Takeover + A Bonus Vulnerability Vikash Maurya - Account takeover, Session fixation - 07/18/2021
RCE via WebDav - Power Of PUT Jerry Shah (@Jerry) - Default credentials, RCE - 07/18/2021
IIS-Default-Page-to-Information-Disclosure 0xdln (@0xdln) - Information disclosure - 07/17/2021
Remote code execution in cdnjs of Cloudflare RyotaK (@ryotkak) Cloudflare RCE, Path traversal - 07/16/2021
Logical Flaw Resulting Path Hijacking Veshraj Ghimire (@GhimireVeshraj) - Namespace attack - 07/16/2021
How i was able to bypass Cloudflare for XSS! hosein vita (@HoseinVita) - XSS - 06/16/2021
RFD Vulnerability And Content-Disposition Header Bypass Story! Kabilan S (@kabilan1290) - Reflected File Download - 07/14/2021
Stored XSS in Google Doubleclick Studio [Google Research Grant] Jasminder Pal Singh (@Singh_Jasminder) Google Stored XSS $0 07/14/2021
How I found Blind SQL Injection just by browsing and getting a unique URL Jawad Mahdi (@hunter0x1) - SQL injection - 07/14/2021
Credential stuffing in Bug bounty hunting Valeriy Shevchenko (@Krevetk0Valeriy) - Credential stuffing $8,300 07/14/2021
($380) XSS STORED in Bigo Bug Bounty Program Aidil Arief Bigo XSS $380 07/14/2021
Forced Browsing to Access Admin Panel the_unluck_guy (@7he_unlucky_guy) - Forced browsing - 07/13/2021
Unencrypted HTTP Links to Google Scholar in Search David Schütz (@xdavidhu) Google MiTM - 07/13/2021
Part 2: Dive into Zoom Applications Rakesh Thodupunoori (@rakesh_3895) Zoom CSRF, Account takeover, Information disclosure, Session expiration issue, Authorization bug, Logic flaw - 07/13/2021
Apple Security Bounty: A personal experience Nicolas Brunner Apple Permission issue, iOS bug $0 07/13/2021
Trick to bypass rate limit of password reset functionality Abdulrahman-Kamel - Rate limiting bypass - 07/12/2021
Pre-Denial Of Service (set-up 2FA on unverified account) Vikash Maurya - Application-Level DoS - 07/11/2021
Critical Bug Bounty Reports: Part 1 Greg Gibson - Account takeover, Password reset flaw, RCE, Information disclosure - 07/11/2021
Reflected XSS Through Insecure Dynamic Loading Greg Gibson - XSS - 07/11/2021
Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer Sam Curry (@samwcyo) Chess.com Broken link hijacking - 07/10/2021
Account Takeovers — Believe the Unbelievable Nikhil (niks) (@niksthehacker) - Account takeover, Session management flaw, Weak credentials, Components with known vulnerabilities, Password reset flaw $5,751 07/09/2021
Facebook Email/phone disclosure using Binary search Rikesh Baniya / NotRickyy (@rikeshbaniya) Facebook Password reset flaw, Information disclosure, Bruteforce - 07/09/2021
Discovering Zero-Day Vulnerabilities in McAfee Products mr.d0x (@mrd0x) McAfee Local Privilege Escalation - 07/09/2021
IDOR on clientauthconfig.googleapis.com David Schütz (@xdavidhu) Google IDOR $0 (Won’t fix) 07/08/2021
CVE-2021-22555: Turning \x00\x00 into 10000$ Andy Nguyen (@theflow0) Google Memory corruption bug, Local Privilege Escalation $10,000 07/07/2021
Mass Assignment exploitation in the wild – Escalating privileges in style Gal Nagli (@naglinagli) - Mass assignment, Privilege escalation - 07/07/2021
Let’s cancel the subscription (informative) Adnan Malik (@adnanmalikinfo) - Logic flaw, Payment tampering $0 (Informative) 07/07/2021
Kaspersky Password Manager: All your passwords are belong to us Jean-Baptiste Bédrune Kaspersky Weak crypto - 07/06/2021
Exploiting Auto-save Functionality To Steal Login Credentials Saad Ahmed (@XSaadAhmedX) - HTML injection - 07/06/2021
Blind XSS in Apple School- Enrollment Data Disclosure hackrzvijay (@hackrzvijay) Apple Blind XSS $5,000 07/05/2021
View Other User Private Livestream Data Geva (@Geva_7) Facebook IDOR - 07/03/2021
Bulletin.com email address leak Philippe Harewood (@phwd) Facebook Information disclosure, GraphQL bug $3,750 07/02/2021
How We Are Able To Hack Any Company By Sending Message – $20,000 Bounty [CVE-2021-34506] Vansh Devgan (@Th3Pr0xyB0y) & Shivam Kumar Singh (@MrRajputHacker) Microsoft UXSS $20,000 06/30/2021
Testing Cookies worth $500 Sankalpa Acharya (@sankalpa_02) - Account takeover, IDOR $500 06/30/2021
Finding DOM Polyglot XSS in PayPal the Easy Way Gareth Heyes (@garethheyes) Paypal DOM XSS, CSP bypass - 06/30/2021
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) Michael Stepankin (@artsploit) - RCE, Insecure deserialization - 06/29/2021
gcp-dhcp-takeover-code-exec Imre Rad (@ImreRad) Google DHCP flood, VM takeover - 06/28/2021
How I found my first Chrome bug (CVE-2021-21210) Daniel Santos Google (Chrome) NAT Slipstreaming - 06/28/2021
Diving into Dependabot along with a bug in npm tyage (@tyage) GitHub SSRF, RCE $8,117 06/27/2021
Taking over Uber accounts through voicemail Shubham Shah (@infosec_au) Uber Account takeover $0 (Informative) 06/27/2021
Misconfigured $3 Bucket - A Semi Opened Environment Yukesh Kumar (@3th1c_yuk1) Redbull AWS misconfiguration N/A (VDP) 06/27/2021
Escalating XSS to Arbitrary File Read Pethuraj (@Pethuraj) - XSS, LFI - 06/27/2021
Oversightboard.com site-wide CSRF due to missing checking Youssef Sammouda (@samm0uda) Facebook CSRF $500 06/27/2021
Disclose unconfirmed email/phone of a Facebook user Youssef Sammouda (@samm0uda) Facebook Information disclosure $500 06/27/2021
Some ways to find more IDOR Thái Vũ (@thaivd98) - IDOR - 06/26/2021
Gaining access to protected components Mehtab Zafar (@0xmzfr) - Vulnerable Android content provider - 06/25/2021
From Information Disclosure to interesting Privilege Escalation David Shaul (@dudy2kk) - Information disclosure, Account takeover, Privilege escalation - 06/25/2021
PII Leakage - Revealing Secrets Jerry Shah (@Jerry) - Information disclosure - 06/25/2021
A supply-chain breach: Taking over an Atlassian account Dikla Barda, Yaara Shriki, Roman Zaikin (@R0m4nZ41k1n) & Oded Vanunu (@Od3dV) Atlassian XSS, CSRF - 06/24/2021
Flywheel Subdomain Takeover Smaran Chand (@smaranchand) - Subdomain takeover - 06/24/2021
MSRC is confused! 😕 Ricardo Iramar dos Santos (@ricardo_iramar) Microsoft Dependency confusion $0 06/24/2021
Microsoft Store free purschase vulnerabilites Marlon Fabiano (@astrounder) Microsoft Payment tampering, Logic flaw - 06/24/2021
Three Microsoft Store vulnerabilites Marlon Fabiano (@astrounder) Microsoft Payment tampering, Logic flaw - 06/24/2021
How i was able to get Appreciation from the organization of a website just by changing a sign..!!! Fardeen Ahmed (@fardeenahmed411) - Information disclosure, Source code disclosure - 06/23/2021
Cracking Encrypted Credit Card Numbers Exposed By API Craig Hays (@craighays) - Information disclosure, Weak crypto - 06/22/2021
Stored XSS via Invite leading to Mass Account Takeover at Opera. Samrat Gupta (@Sm4rty_) Opera Stored XSS - 06/20/2021
Unprivileged User with Read/Write permission to User Access can escalate their role to ADMIN — Privilege Escalation Ertugrul Ozdemir (@ertugrulphp) - Privilege escalation - 06/20/2021
How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It Laxman Muthiyah (@laxmanmuthiyah) Apple Account takeover, 2FA bypass, Rate-limiting bypass, Race condition $18,000 06/19/2021
Full Local File Read via Error Based XXE using XLIFF File pwn.vg / Tomi (@mastomii) - XXE - 06/19/2021
Zero Click account Takeover Zahir Tariq (@ZahirTariq3) - Account takeover, Password reset flaw - 06/19/2021
Exploiting File Upload Functionality in Unique Way. Rohit Soni - Unrestricted file upload - 06/19/2021
Accessing Restricted Documents With Extra JSON Body Content Imran Huda (@imranHudaA) - Mass-assignment, Authorization flaw $500 06/18/2021
Account takeover via stored XSS with arbitrary file upload 0xbadb00da (@0xbadb00da) - Insecure file upload, XSS, Account takeover - 06/18/2021
M1 Macs GateKeeper bypass aka CVE-2021-30658 Wojciech Reguła (@_r3ggi) Apple Local Privilege Escalation - 06/18/2021
How We Are Able To Hack Any Company By Sending Message - $20,000 Bounty [CVE-2021–34506] & Video PoC Th3Pr0xyB0y (@Th3Pr0xyB0y) & Shivam Kumar Singh (@MrRajputHacker) Microsoft Universal XSS $20,000 06/17/2021 Archived page
HTML Injection and a dream in Google Chrome for Linux (Write Up) Evan Ricafort (@evanricafort) Google HTML injection $0 (Informative) 06/17/2021
Crashing your LinkedIn app with a connection request. Renganathan (@IamRenganathan) LinkedIn Application-Level DoS - 06/17/2021
Why dynamic code loading could be dangerous for your apps: a Google example Oversecured (@OversecuredInc) Google Arbitrary file write, Insecure intents - 06/17/2021
Part-1 Dive into Zoom Applications Rakesh Thodupunoori (@rakesh_3895) Zoom CSRF, Payment bypass, Logic flaw, Account takeover, Privilege escalation $22,000 06/16/2021
Story of Google Hall of Fame and Private program bounty worth $$$$ Basavaraj Banakar (@basu_banakar) Google Exposed registration page - 06/16/2021
One-click DOS via Response Manipulation Akhil - Logic flaw - 01/16/2021
Authentication Bypass | Easy P1 in 10 minutes Anirudh Makkar (@anirudhmakkar) - Authentication bypass, Forced browsing - 06/16/2021
This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them Mayur Fartade (@mayurfartade) - IDOR, GraphQL bug $30,000 06/15/2021
Importance of burp history analysis to bypass 403 Vuk Ivanovic - 403 bypass - 06/15/2021
Exploiting outdated Apache Airflow instances & Blast Radius: Apache Airflow Vulnerabilities Ian Carroll (@iangcarroll) - Session management flaw $13,000 06/14/2021
Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs Evan Grant (@stargravy) Microsoft postMessage bug, Token theft - 06/14/2021
Blind Command Injection - It hurts Jerry Shah (@Jerry) - Command injection, RCE - 06/14/2021
An exciting journey to find SSRF , Bypass Cloudflare , and extract AWS metadata ! hosein vita (@HoseinVita) - SSRF - 06/13/2021
User’s location disclosure in the “Nearby Friends” feature. $15,500 Bounty Yavor Rusev / Явор Русев Facebook Information disclosure $15,500 06/13/2021
[Google VRP] Privilege escalation on https://dialogflow.cloud.google.com lalka (@0x01alka) Google Authorization flaw, Logic flaw $3,133.70 06/13/2021
Story of Account Takeover : Using Social Login with Mass Assignment Vulnerability to hack accounts ! Mohammad Kaif - Mass assignment, Account takeover - 06/13/2021
How I found the silliest logical vulnerability for $750 that no one found for 3 years Sina Kheirkhah (@Sin_Khe) - Logic flaw $750 06/12/2021
How I was able to bypass the admin panel without the credentials. Pratikkhalane (@KhalanePratik) - Information disclosure $500 06/12/2021
Bypassing 2FA using OpenID Misconfiguration Youstin (@iustinBB) - 2FA bypass, Authentication flaw - 06/11/2021
Two weeks of securing Samsung devices: Part 1 Oversecured (@OversecuredInc) Samsung Arbitrary file write, Insecure intents $20,690 06/10/2021
Second Order Race Condition Prasoon Gupta (@0xdekster) - Race condition $1,000 06/10/2021
Unexpected IDOR Vulnerability in [REDACTED] - [redacted].net (Write Up) Evan Ricafort (@evanricafort) - IDOR $2 06/10/2021
Author spoofing in Google Colaboratory Zohar Shachar Google Logic flaw $500 06/09/2021
How i was able to bypass parental pin of showmax abdoul gadiri balde (@moodiAbdoul) Showmax Authorization flaw - 06/09/2021
Story of my first cash bounty on hackerone. Vedant Tekale (@_justYnot) - SSRF, XSS - 06/07/2021
How I could have accessed all your private videos/photos saved inside your device without even unlocking it? Samip Aryal Facebook Authorization flaw, Logic flaw $3,150 06/06/2021
How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access Santosh Kumar Sha (@killmongar1996) - SSRF - 06/06/2021
Shopify Multipass Misconfiguration Ahmed A. Sherif - Authentication flaw, Logic flaw - 06/05/2021
Pop-Ups in a good-world Guilherme Keerok (@k33r0k) Imgur XSS - 06/04/2021
Executing CSRF With Phone Validation Greg Gibson - CSRF - 06/04/2021
403 Forbidden Bypass th3.d1p4k (@DipakPanchal05) - OTP bypass, Exposed registration page, XSS - 06/04/2021
Android: Exploring vulnerabilities in WebResourceResponse Oversecured (@OversecuredInc) Amazon Arbitrary file read - 06/03/2021
Server Side Request Forgery - A Forged Document Jerry Shah (@Jerry) - SSRF, File upload bug $500 06/03/2021
Bypassing LFI (Local File Inclusion) Abhishek (@abhishake21) - LFI - 06/03/2021
XSS in the AWS Console Nick Frichette (@frichette_n) Amazon XSS, CSP bypass, CSTI - 06/02/2021
Exploiting Open Redirect - Whitelist Bypass Using Salesforce Environment Gaurav Nayak (@4auvar) - Open redirect, Token theft - 06/02/2021
Escalating SSRF to Accessing all user PII information by aws metadata Santosh Kumar Sha (@killmongar1996) - SSRF - 06/01/2021
CVE-2021-29084: Exploiting CRLF Header Injection in Synology NAS for Unauthenticated File Downloads Justin Taft Synology CRLF injection - 06/01/2021
Facebook Page Admin Disclosure Kunjan Nayak (@kunjannayak5) Facebook Information disclosure $500 05/31/2021
AppCache’s forgotten tales Luan Herrera (@lbherrera_) Google (Chrome) Browser bug $10,000 05/31/2021
runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465) Etienne Champetier / champtar Google Kubernetes bug, Container breakout - 05/30/2021
Metadata service MITM allows root privilege escalation (EKS / GKE) Etienne Champetier / champtar Google Kubernetes bug, Privilege escalation, MiTM - 05/30/2021
Account Takeover via iFrame Injection xbforce (@xbforce) - Iframe injection, Account takeover - 05/29/2021
The beauty of chaining client-side bugs Master SEC (@MasterSEC_AR) - CRLF, XSS, CSP bypass, DoS, CSTI - 05/29/2021
CafeBazaar and Subdomain Takeover Sina Kheirkhah (@Sin_Khe) CafeBazaar Subdomain takeover - 05/29/2021
Github, The Goldmine for P1s and P2s - Sensitive Information Exposure via Github by a Company Employee Savir Suda (@savxiety) - Information disclosure - 05/28/2021
Hey WAF! Better Luck Next Time! 👽 Akash Rox Starz - SQL injection - 05/28/2021
How I hacked a Target again and again… Aditya Verma (@0cirius0) - OAuth bug, Account takeover, XSS, Broken Access Control - 05/27/2021
Bypassing restricted port protection in WebKit David Schütz (@xdavidhu) Apple Browser bug - 05/26/2021
GitLab Arbitrary File Read & Write through Kroki - CVE-2021-22203 Anh Duc Nguyen (@ledz1996) - Arbitrary file read $5,600 05/25/2021
Stored XSS with two different parameters Joel Cantu (@InfosecRintox) - Reflected XSS - 05/25/2021
Chaining XSS with authentication issues to turn it into full account takeover N1GHTMAR3 (@n1ghtmar3_2421) - XSS, Account takeover - 05/24/2021
Disclose leads form details of any Facebook Business Account or Facebook Page (Bug Bounty) Amine Aboud (@amineaboud) Facebook IDOR, GraphQL bug - 05/23/2021
CORS misconfig that worths USD200 MikeChan - CORS misconfiguration $200 05/23/2021
Finding and Exploiting Unintended Functionality in Main Web App APIs Bend Theory (@bendtheory) - IDOR, Information disclosure, Privilege escalation $4,000 05/21/2021
Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$) Rohit kumar (@rohitcoder) Facebook Information disclosure $500 05/21/2021
CSRF from which we can create a support ticket in Victim’s Account (500$) Rohit kumar (@rohitcoder) Facebook CSRF $500 05/21/2021
How I turned 0000 into $600: Phone Verification Bypass Shrirang Diwakar - OTP bypass $600 05/21/2021
403 Forbidden Bypass th3.d1p4k (@DipakPanchal05) - 403 bypass, Forced browsing - 05/21/2021
Oculus SSO “Account Linking” bug leads to account takeover on third party websites and inside VR Games/Apps Youssef Sammouda (@samm0uda) Facebook SSO bug, Authentication flaw, Account takeover $12,000 05/20/2021
XSS via postMessage in chat.mozilla.org Guilherme Keerok (@k33r0k) Mozilla XSS, postMessage bug $500 05/20/2021
Third-Party Apps were still getting your private Facebook data even after their access expiry. Samip Aryal Facebook Logic flaw $1,000 05/20/2021
Writeups: Facebook Whitehat program(2021): Instagram Live setting bug Takashi Suzuki Facebook Logic flaw $537 05/20/2021
SSRF in PDF Renderer using SVG pwn.vg / Tomi (@mastomii) - SSRF $2,150 05/19/2021
Time-Based SQL Injection to Dumping the Database Naveen J (@thevillagehackr) - SQL injection, Android app bug - 05/19/2021
Finding my First Critical Web Cache Poisoning Yasser Khan (@N3T_hunt3r) - Web cache poisoning - 05/18/2021
Path Traversal in MobileSafari David Schütz (@xdavidhu) Apple Path traversal - 05/18/2021
Drupal Insecure Default Leads To Password Reset Poisoning Bogdan Tiron (@Bogdan___T) Drupal Password reset flaw, Host header injection N/A (VDP) 05/17/2021
Just Gopher It: Escalating a Blind SSRF to RCE for $15k SirLeeroyJenkins (@SirLeeroyJenkin) - SSRF, RCE $15,000 05/17/2021
Clickjacking in Nearby Devices Dashboard David Schütz (@xdavidhu) Google Clickjacking - 05/17/2021
My Fourth Account takeover through password reset Omar Hamdy (@seaman00o) - Account takeover, Password reset flaw - 05/17/2021
How i hijacked 12 Subdomains in one Program Naveen kumawat (@nvk0x) - Subdomain takeover - 05/17/2021
Auth Bypass in https://nearbydevices-pa.googleapis.com David Schütz (@xdavidhu) Google Broken Access Control $5,000 05/16/2021
MSSQL Injection In JSON Request Kailash (@Corrupted_brain) - SQL injection - 05/16/2021
Edmodo Bug Bounty Writeup Pethuraj (@Pethuraj) Edmodo XSS $0 (Duplicate) 05/16/2021
2FA Bypass via Forced Browsing Akhil - 2FA bypass - 05/15/2021
Mass Assignment exploitation in the wild - Escalating privileges in style Gal Nagli (@naglinagli) - Mass assignment, Privilege escalation - 05/14/2021
One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover Youssef Sammouda (@samm0uda) Facebook Reflected XSS, Account takeover $9,600 05/13/2021
Blind XSS on Google Internal System Kailash (@Corrupted_brain) Google Blind XSS $5,000 05/13/2021
Counter-Strike Global Offsets: reliable remote code execution brymko (@brymko), dezk (@cffsmith) & Simon Scannell (@scannell_simon) Valve RCE - 05/13/2021
How I find my first Stored XSS Filipe Azevedo (@filipaze_) - Stored XSS - 05/13/2021
My story of hacking Dutch Government Tuhin Bose (@tuhin1729_) Dutch Government XSS - 05/12/2021
CVE-2020-35580 hateshape (@hateshaped) - LFI - 05/11/2021
CVE-2021-27075: Microsoft Azure Vulnerability Allows Privilege Escalation and Leak of Private Data Intezer Microsoft Privilege escalation - 05/11/2021
2FA Verification Bypass in Shapeshift [shapeshift.com] (Write Up) Evan Ricafort (@evanricafort) Shapeshift 2FA bypass - 05/10/2021
Stored XSS to Organisation Takeover Zaid Bhat (@zaidozaid) - Stored XSS - 05/10/2021
Simple logical Bug turned into a bounty Sndp Giri Facebook Logic flaw $500 05/10/2021
Exploiting Activity in medium android app Raju kumar (@MrCyberwarrior) Medium Insecure intents - 05/10/2021
Unauthorized access to Django Admin Dashboard by endpoint leaked on GitHub Santosh Kumar Sha (@killmongar1996) - Lack of authentication, Forced browsing - 05/10/2021
Microsoft bug bounty writeup th3.d1p4k (@DipakPanchal05) Microsoft Information disclosure - 05/08/2021
Workplace by Facebook | Unauthorized access to companies environment — $27,5k Marcos Ferreira (@mvinni_) Facebook Authorization flaw, Logic flaw, IDOR $27,500 05/07/2021
Apple Bug bounty writeups XSS(2021) Takashi Suzuki Apple XSS - 05/07/2021
Identify a Facebook user by his phone number despite privacy settings set Youssef Sammouda (@samm0uda) Facebook Privacy issue, Information disclosure $9,000 05/06/2021
CVE-2021-1815 – MacOS Local Privilege Escalation Via Preferences Offensive Security (@offsectraining) Apple Local Privilege Escalation - 05/06/2021
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit - Google RCE - 05/05/2021
Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens Youssef Sammouda (@samm0uda) Facebook OAuth flaw, Authorization flaw, Account takeover $18,000 05/05/2021
How I Found Sql Injection on intensedebate.com (h1) in 5 minute $350 Ahmad A Abdulla (@lu3ky13) Automattic SQL injection $350 05/05/2021
XSS Through Parameter Pollution Saajan Bhujel (@saajanbhujel11) - Open redirect, XSS, HTTP Parameter Pollution - 05/05/2021
Injecting Punycode URL Within the Arbitrary Text via Comment Box In Google Photo Sharing Option Divyanshu Shukla (@justm0rph3u5) Google HTML injection $0 (OOS) 05/05/2021
ExifTool CVE-2021-22204 - Arbitrary Code Execution William Bowling / vakzz (@wcbowling) GitLab RCE $20,000 05/04/2021
Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida & Exploiting the Source Engine (Part 1) Geebz (@Gbps111) Valve RCE $7,500 05/04/2021
Deep Dive into Open Source Bug Bounty Ritik Sahni (@ritiksahni22) - CSRF - 05/03/2021
Finding known exploits for bugbounties. ipanda (@ipanda915) - RCE $0 (Duplicate) 05/03/2021
IDOR Leads To Leak Any Uber Eats Restaurant Analytics Prial Islam Khan (@prial261) Uber IDOR $2,000 05/02/2021
Basic recon to RCE Joshua Martinelle (@J0_mart) - Insecure deserialization, RCE - 05/02/2021
Chaining CSRF with XSS to deactivate Mass user accounts by single click Santosh Kumar Sha (@killmongar1996) - CSRF, XSS - 05/02/2021
SSRF Through PDF Generation Joshua Martinelle (@J0_mart) - SSRF - 05/01/2021
How I found my first RCE? ipanda (@ipanda915) - RCE - 05/01/2021
How I got $400 for my first SSRF bug? Usama Varikkottil (@usama_dev) - SSRF $400 05/01/2021
Facebook account takeover due to unsafe redirects after the OAuth flow Youssef Sammouda (@samm0uda) Facebook OAuth flaw, Open redirect, Account takeover $28,800 04/30/2021
My first OOB XXE exploitation Joshua Martinelle (@J0_mart) - XXE - 04/30/2021
How I was able to Retrieve your Personal Documents using the Wayback Machine! Savir Suda (@savxiety) - Privacy issue, Information disclosure - 04/30/2021
Exploiting memory corruption vulnerabilities on Android Oversecured (@OversecuredInc) Paypal Memory corruption bug $1,100 04/30/2021
A tale of Html to Pdf converter ssrf and various bypasses Jatin Aesthetic (@techyfreakk) - SSRF - 04/29/2021
De-anonymising Anonymous Animals in Google Workspace David Schütz (@xdavidhu) Google Privacy issue, Information disclosure - 04/29/2021
The False Oracle — Azure Functions Padding Oracle Issue polarply (@polarply) Microsoft Padding Oracle, Privilege escalation - 04/28/2021
How did I earn €€€€ by breaking the back-end logic of the server Dewanand Vishal (@dewcode91) - Logic flaw, Information disclosure - 04/28/2021
Reflected DOM-based XSS on DomaiNesia N45HT DomaiNesia XSS - 04/27/2021
Exploiting XSS via Markdown on Xiaomi N45HT Xiaomi XSS - 04/27/2021
WordPress 5.7 XXE Vulnerability Karim El Ouerghemmi WordPress XXE $600 04/27/2021
Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol Antonio Cocomazzi (@splinter_code) & Andrea Pierini (@decoder_it) Microsoft Local Privilege Escalation - 04/26/2021
Reflected XSS on Microsoft N45HT Microsoft Reflected XSS - 04/25/2021
From Wayback Machine To Account Takeover Demon (@R29k_) - Open redirect, Password reset flaw, Account takeover $800 04/25/2021
Supply Chain Attacks via GitHub.com Releases Nightwatch Cybersecurity (@nightwatchcyber) GitHub Logic flaw $0 04/25/2021
How I found Cross-Site-Scripting (Reflected) on more than 300 systems! MR SINISTER (@KabirSuda) - Reflected XSS - 04/25/2021
RCE via Internal Access to Adminer Database Management (Critical) Ahmad Halabi (@Ahmad_Halabi_) - RCE - 04/24/2021
AWS internal metadata accessed through SSRF by Chaining an Open Redirect bug Santosh Kumar Sha (@killmongar1996) - SSRF, Open redirect - 04/24/2021
Page Owners Can’t remove or change page roles of deactivated users (or if Attacker blocks the page owner) in Facebook Lite, Facebook for Android and touch.facebook.com Baibhav Anand (@SpongeBhav) Facebook Logic flaw $525 04/22/2021
Brave — Stealing your cookies remotely Pedro Oliveira (@kanytu) Brave Arbitrary file read $500 04/22/2021
Telegram bug bounties: XSS, privacy issues, official bot exploitation and more… Davide, Andrea & Giuseppe Telegram XSS, Authorization flaw, DoS - 04/22/2021
PrivateDrop: Breaking and Fixing Apple AirDrop Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute & Christian Weinert Apple Privacy issue, Information disclosure - 04/21/2021
New Clubhouse Security Vulnerabilities Could Happen to Any Growing Unicorn Katie Moussouris (@k8em0) Clubhouse Logic flaw - 04/21/2021
Remote code execution in Homebrew by compromising the official Cask repository RyotaK (@ryotkak) Homebrew RCE - 04/21/2021
Got Nice catch by Google Parth Desani (@DesaniParth) Google OAuth flaw, Open redirect, CSRF $0 (Early acquisition) 04/22/2021
How I was able to inject XSS payload into any user’s mailbox Gaurav Popalghat (@N008x) - XSS - 04/21/2021
CVE-2021-30481: Source engine remote code execution via game invites floesen (@floesen_) Valve RCE, Integer underflow $8,000 04/20/2021
Auth Bypass in Google Workspace Real Time Collaboration David Schütz (@xdavidhu) Google Authentication bypass, Information disclosure - 04/20/2021
Blind SSRF to Port Scanning through response time Harish - SSRF - 04/19/2021
Unauthorized access to admin setpassword page BY bypassing 403 Forbidden Santosh Kumar Sha (@killmongar1996) - Authorization flaw - 04/18/2021
(POC) Untrim any live video on Facebook Ahmad Talahmeh Facebook Authorization flaw $2,875 04/18/2021
Exploiting Unrestricted File Upload to achieve Remote Code Execution on a bug bounty program Jadek Mark (@mase289) - Unrestricted file upload, RCE - 04/18/2021
Pwning your assignments: Stored XSS via GraphQL endpoint Kartik Sharma (@dominat0r98) - Stored XSS, GraphQL bug $2,881 04/18/2021
Misconfiguration in Change-password Functionality Leads to Account Takeover Mahmoud Radwan (@0x___2m) & Mahmoud samaha (@0x__2m) - IDOR, Logic flaw, Password reset flaw, Account takeover - 04/18/2021
XSS via Exif Data - The P2 Elevator Jerry Shah (@Jerry) - Stored XSS - 04/18/2021
Discourse themes OS Command Injection joernchen (@joernchen) Discourse RCE, OS command injection - 04/18/2021
(POC) Remove any Facebook’s live video ($14,000 bounty) Ahmad Talahmeh Facebook Logic flaw $14,000 04/17/2021
Lets Learn English - Hacking 10M+ Users Aseem Shrey (@AseemShrey) - AWS misconfiguration, Insecure Firebase database, OTP bypass, Account takeover, Logic flaw - 04/17/2021
(POC) Update business fyi message as Facebook page analyst Ahmad Talahmeh Facebook IDOR, GraphQL bug $750 04/17/2021
How I earned $$$$ through Stored XSS Harish - Stored XSS, CSTI $3,205 04/16/2021
Fun sql injection — mod_security bypass Y000 (@Y000) - SQL injection - 04/16/2021
Allow arbitrary URLs, expect arbitrary code execution Fabian Bräunlein & Lukas Euler Nextcloud, Telegram, VLC RCE - 04/15/2021
How I got 9000 USD by hacking into iCloud Alexandre Fernandes (@fernale) Apple XSS $9,000 04/15/2021
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027) CENSUS Facebook (WhatsApp) Man-in-the-Disk - 04/14/2021
Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere Cisco Talos Microsoft RCE - 04/14/2021
Google Photos : Theft of Database & Arbitrary Files Android Vulnerability Rahul Kankrale (@RahulKankrale) Google Improper Export of Android Application Components $1,337 04/13/2021
You Talking To Me? Li JianTao (@cursered) Google RCE, Browser bug $0 (Duplicate) 04/12/2021
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3 Chris Williams (@HawaiiFive0day) Tesla, Google RCE, Browser bug - 04/12/2021
Unauthenticated Account Takeover Through Forget Password Nikhil (niks) (@niksthehacker) - Password reset flaw, Account takeover, Information disclosure - 04/12/2021
Stored XSS on the DuckDuckGo search results page PMOC (@pmofcats) DuckDuckGo Stored XSS - 04/10/2021
Cookie poisoning leads to DoS and Privacy Violation Benjamin Walter CS Money DoS, SSRF $700 04/09/2021
(CRITICAL) Blind Storage XSS — My first Bug Bounty 💰 Benjamin Walter CS Money Blind XSS $1,000 04/08/2021
What if you could deposit money into your Betting account for free? Oh wait where has this 25k came from… Mikey (@mikey96_bh) - Logic flaw $10,000 04/07/2021
Chaining a Blind SSRF bug to Get an RCE Santosh Kumar Sha (@killmongar1996) - Blind SSRF, RCE - 04/07/2021
I Built a TV That Plays All of Your Private YouTube Videos David Schütz (@xdavidhu) Google CSRF $6,000 04/05/2021
Apple TV for Fire OS code execution Razvan Sima (@0xraaz) Apple RCE, Insecure storage, Man-in-the-Disk attack - 04/05/2021
Cloud Based Storage Misconfigurations -> Critical Bounties Mikey (@mikey96_bh) - Cloud storage misconfiguration $7,500 04/05/2021
Weird and very easy authentication bypass found with Google dorking GrumpinouT (@RVerwilghen) - Authentication bypass - 04/05/2021
Intro to Open-source Bug Bounty Arjun Shibu (@0xsegf) Mailtrain Directory traversal - 04/05/2021
CSRF in YouTube Leanback API David Schütz (@xdavidhu) Google CSRF - 04/05/2021
Breaking GitHub Private Pages for $35k Robert Chen (@NotDeGhost) & Philip Github XSS, CRLF, Web cache poisoning $35,000 04/04/2021
Remote code execution through unsafe unserialize in PHP Sjoerd Langkemper - Insecure deserialization, RCE - 04/04/2021
Journeys in Quoteless and Multi Reflection XSS Bend Theory (@bendtheory) - XSS $250 04/04/2021
RCE on Starbucks Singapore and more for $5600 Kamil Onur Özkaleli (@ko2sec) Starbucks RCE, Unrestricted file upload $5,600 04/03/2021
Code execution as root via AT commands on the Quectel EG25-G modem nns Quectel OS command injection, RCE $2,000 04/03/2021
Gain write permission of repositories with a bug in GitHub Actions tyage (@tyage) GitHub Broken Access Control, Logic flaw $25,000 04/02/2021
Automate Cache Poisoning Vulnerability - Nuclei Mohamed Elbadry (@_melbadry9) - Web cache poisoning, Stored XSS $1,500 04/02/2021
This Man Thought Opening A TXT File Is Fine, He Thought Wrong. MacOS CVE-2019-8761 Paulos Yibelo (@PaulosYibelo) Apple MacOS bug, HTML injection - 04/02/2021
Bragging Rights: Let’s head back to bug bucket Manas Harsh (@ManasH4rsh) - XSS, IDOR, 2FA bypass $951 04/02/2021
XSS in Large Messenger and Payment App - a Shout Out to Parameter Guessing Lauritz (@lauritz) - XSS, HTML injection - 04/02/2021
Play a game, get Subscribed to my channel - YouTube Clickjacking Bug | #GoogleVRP Sriram Kesavan (@sriramoffcl) Google Clickjacking $100 04/02/2021
Who Contains the Containers? James Forshaw (@tiraniddo) Microsoft Local privilege escalation - 04/01/2021
Facebook account takeover due to a wide platform bug in ajaxpipe responses Youssef Sammouda (@samm0uda) Facebook Account takeover $30,000 04/01/2021
Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow Youssef Sammouda (@samm0uda) Facebook Account takeover, OAuth flaw, Open redirect $12,000 04/01/2021
Zero click vulnerability in Apple’s macOS Mail Mikko Kenttälä (@Turmio_) Apple Account takeover, Information disclosure, RCE - 04/01/2021
Download Facebook internal mobile builds Philippe Harewood (@phwd) Facebook Information disclosure $6,000 03/31/2021
My first Bug report at Facebook 2021 Kntjrld Facebook Logic flaw, Authorization flaw - 03/31/2021
Missing CORS leads to Complete Account Takeover Niraj Modi (@nirajmodi51) - Missing CORS, CSRF, Account takeover - 03/30/2021
I felt like there were no more bugs left after winning € 2000 … But an email worth €750 changed my mind Thexssrat (@theXSSrat) - Broken Access Control, IDOR €2750 03/30/2021
A weird XSS gato the wizard - Reflected XSS - 03/30/2021
CSRF to Full Account Takeover Ashraf Harb (@ashrafharb97) - CSRF, Account takeover - 03/29/2021
PHP fopen() function to local file inclusion أنس روبي (@xhzeem) - LFI - 03/28/2021
How I made to Paypal Bug Bounty $750 Pethuraj (@Pethuraj) Paypal Open Redirect $750 03/28/2021
How to bypass CloudFlare bot protection ? jychp (@jychp_fr) CloudFlare Logic flaw $0 03/27/2021
Increasing impact of Information Disclosure — Full Account Takeover ! Abhisek R (@abh1sek_r) - Information disclosure, Password reset flaw $0 (OOS) 03/26/2021
Encrypted Payload -> Decrypted Execution ($600) : Stored XSS Shrirang Diwakar - Stored XSS $600 03/25/2021
PoC: The easiest 125 Euro’s I Ever made Thexssrat (@theXSSrat) - Logic flaw €125 03/25/2021
Exif meta data worth $XXXX Saddam Hussain (@wisdomfreak1) - Information disclosure - 03/25/2021
How I leveraged XSS to make Privilege Escalation to be Super Admin! Asem Eleraky (@melotover) - XSS, Privilege escalation - 03/25/2021
Multiple Authorization bypass issues in Google’s Richmedia Studio Zohar Shachar Google Authorization flaw $6,000 03/24/2021
Bypass rate limit to enumeration users through Google Drive Abdullah Mohamed (@3bodymo_) Google Rate limiting bypass $0 (Won’t fix) 03/24/2021
Finding and exploiting race condition vulnerability on facebook server Dewanand Vishal (@dewcode91) Facebook Race condition $2,000 03/24/2021
Ad portals and the half blood vulnerability Adam (@whitechaitai) - Logic flaw $600+ 03/23/2021
How I made it to Google HOF? Sudhanshu Rajbhar (@sudhanshur705) Google IDOR $1,000 03/21/2021
Finding My First Critical Vulnerability Thexssrat (@theXSSrat) - Information disclosure $250 03/21/2021
OTP brute-force via rate limit bypass Bilal Muqeet (@blmqt) - Bruteforce, Lack of rate limiting, OTP bypass - 03/21/2021
Cross Site Port Attack - A Stranger’s Call Jerry Shah (@Jerry) - XSPA - 03/21/2021
OAuth Misconfiguration found in small time-window of attack Muhammad Aamir (@Muhammad__Aamir) - OAuth misconfiguration $300 03/20/2021
A short story about an XSS in chat.mozilla.org (CVE-2021-21320) Walleson Moura (@phor3nsic_br) Mozilla XSS $500 03/19/2021
How to Harpon Big Blue! Clark Voss (@clark_voss) IBM Logic flaw, Exposed registration page - 03/19/2021
H2C Smuggling in the Wild Sean Yeoh (@seanyeoh) - HTTP request smuggling - 03/18/2021
TikTok for Android 1-Click RCE Sayed Abdelhafiz (@dPhoeniixx) TikTok RCE, XSS, Insecure intents - 03/18/2021
How I hacked Facebook: Part Two Alaa Abdulridha (@alaa0x2) Facebook SSRF, Account takeover, Cookie manipulation $54,580 03/18/2021
Stealing arbitrary GitHub Actions secrets Teddy Katz (@not_aardvark) GitHub Logic flaw $25,000 03/17/2021
Dangling DNS: Worksites.net Mohamed Elbadry (@_melbadry9) - Dangling DNS records, Subdomain takeover - 03/17/2021
Abusing Data Protection Laws For D0xing & Account Takeovers Hx01 (@Hxzeroone) - SSTI, Account takeover - 03/17/2021
CVE-2021-27076: A Replay-style Deserialization Attack Against Sharepoint Simon Zuckerbraun (@HexKitchen) Microsoft Insecure deserialization, RCE - 03/17/2021
An unknown Linux secret that turned SSRF to OS Command injection secureITmania (@secureitmania) - SSRF, Command injection - 03/17/2021
An Interesting Account Takeover!! Mayank Pandey (@mayank_pandey01) - IDOR, Account takeover, Weak encryption, Password reset flaw - 03/17/2021
Voice Confusion When Commenting On Watch Party Prakash Panta (@prakashpanta268) Facebook Information disclosure $1,000 03/16/2021
API Misconfiguration which leads to unauthorized access to servicedesk tickets Gaurav Popalghat (@N008x) - Information disclosure - 03/16/2021
De-anonymize the members of a private Facebook Group as a non-member. Baibhav Anand (@SpongeBhav) Facebook GraphQL bug, Information disclosure $4,500 03/15/2021
Facebook Group Members Disclosure. Baibhav Anand (@SpongeBhav) Facebook Information disclosure $9,000 03/15/2021
IDOR Vulnerability with empty response still exposing sensitive details of customers! Rahul Varale - IDOR - 03/14/2021
How I Found Sql Injection on 8x8 , Cengage,Comodo,Automattic,20 company Ahmad A Abdulla (@lu3ky13) Automattic, IBM, 8x8 SQL injection - 03/12/2021
Finding keys under the door Naveen Prakaasham K S V Paytm Stored XSS, Unrestricted file upload - 03/12/2021
Account Takeover Via Reset Password Worth 2000$ Ashutosh mishra (@ashutoshmish_ra) - Password reset flaw, Account takeover $2,000 03/12/2021
[Google VRP] How I Get Blind XSS At Google With Dork (First Bounty and HOF ) Rio Mulyadi (@riomulyadi_) Google Blind XSS $3,133.70 03/11/2021
Messing with GitHub’s fork collaboration for fun and profit Teddy Katz (@not_aardvark) GitHub Broken Access Control $30,000 03/10/2021
Business Logic Error on Registration Leads to SMS Validation Bypass pleorqy (@pleorqy) - 2FA bypass - 03/10/2021
Chain of Low Level Bugs and Misconfigurations Leads to Account Takeover pleorqy (@pleorqy) - Reflected XSS, Clickjacking, Account takeover - 03/10/2021
Finding Basic Authtoken in JAVASCRIPT file BY Full Automation Santosh Kumar Sha (@killmongar1996) - Information disclosure - 03/10/2021
Write Up – Google VRP N/A: SSRF Bypass With Quadzero In Google Cloud Monitoring Omar Espino (@omespino) Google SSRF $0 (N/A) 03/08/2021
Dangling DNS: Amazon EC2 IPs (Current State) Mohamed Elbadry (@_melbadry9) 8x8 Dangling DNS records, Subdomain takeover - 03/08/2021
Stored XSS in Google Ads Android Application— $3133.70 Ashish Dhone (@ashketchum_16) Google Stored XSS, HTML injection $3,133.70 03/07/2021
Finding Hidden Login Endpoint Exposing Secret Client ID Ahmad Halabi (@Ahmad_Halabi_) - Information disclosure $700 03/07/2021
Exploiting a hidden and forgotten Bug Aditya Verma (@0cirius0) - SSRF - 03/07/2021
The easiest $2500 I got it from bug bounty program Abdullah Mohamed (@3bodymo_) Uber Information disclosure $2,500 03/06/2021
Leveraging Template injection to takeover an account. Akash Methani (@0xAkash) - CSTI, XSS - 03/04/2021
Low hanging fruits on Facebook Group Room. Unable to remove post on group when post room add with event ($500) Randy Arios Facebook Logic flaw $500 03/04/2021
Stored XSS at Trello.com Maor Dayan (@mord1234) Trello Stored XSS - 03/04/2021
Content Injection (RCE) in Yandex Browser for Android [2018] Nightwatch Cybersecurity (@nightwatchcyber) Yandex MiTM $0 03/03/2021
The Invincible Kid Samip Aryal Facebook Logic flaw $500 03/03/2021
How I Might Have Hacked Any Microsoft Account Laxman Muthiyah (@laxmanmuthiyah) Microsoft Account takeover, Password reset flaw, Bruteforce, 2FA bypass $50,000 03/02/2021
Exploiting CORS to perform an IDOR Attack leading to PII Information Disclosure Harsh Parekh (@notmarshmllow) - CORS misconfiguration, Information disclosure - 03/01/2021
Secret Key Exposure in API Config Directory Ahmad Halabi (@Ahmad_Halabi_) - Information disclosure $800 03/01/2021
Join Facebook Group With Unpublish Page gevakun Facebook Authorization flaw - 03/01/2021
RocketChat - Unauthenticated access to messages Rojan Rijal (@uraniumhacker) RocketChat Authorization flaw N/A (VDP) 03/01/2021
SSRF to fetch AWS credentials with full access to multiple services Zonduhackerone (@zonduu1) - SSRF - 02/28/2021
Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape Alex Chapman (@ajxchapman) - RCE - 02/28/2021
Admin Panel Accessed Via SQL Injection… (Ezy Boooom…😅) Ratnadip Gajbhiye - SQL injection - 02/28/2021
Bragging Rights: Killing File Uploads softly Manas Harsh (@ManasH4rsh) - Unrestricted file upload, Stored XSS - 02/28/2021
Jira Auth Bypass bug in Google Acquisition (Apigee) Jayateertha Guruprasad (@JayateerthaG) Google Authentication bypass - 02/28/2021
Somebody Call The Plumber, GraphQL is Leaking Again… N0ur5 - Information disclosure, GraphQL bug - 02/28/2021
Any Account Takeover Through Privilege Escalation Shubham Chaskar (@chaskar_shubham) - Privilege escalation, Account takeover - 02/28/2021
Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554) champtar Kubernetes MiTM $1,000 02/28/2021
Host MITM attack via IPv6 rogue router advertisements (K8S CVE-2020-10749 / Docker CVE-2020-13401 / LXD / WSL2 / …) champtar Kubernetes MiTM $1,000 02/28/2021
Story About Stop 10000+ users to get Their job notification PJBorah - Logic flaw - 02/27/2021
IDOR which allowed me to view Personal Email Addresses of More than 50K Users! Savir Suda (@savxiety) - IDOR, Password reset flaw - 02/26/2021
SSRF: Bypassing hostname restrictions with fuzzing Dominic (@dee__see) Elastic SSRF - 02/26/2021
Account Takeover - Smoking with ‘null’ Jerry Shah (@Jerry) - Account takeover, Authentication flaw - 02/26/2021
Stealing user passwords through a VPN’s SSO Alain Mowat (@plopz0r) - Open redirect, SSTI - 02/25/2021
Poisoning your Cache for 1000$ - Approach to Exploitation Walkthrough Gal Nagli (@naglinagli) - Web cache poisoning, Stored XSS $1,000 02/25/2021
Hijacking Reset Password Link in https://www.niteflirt.com/ via Host Header Poising (Write Up) Evan Ricafort (@evanricafort) Niteflirt Host header injection, Account takeover, Password reset flaw $50 02/25/2021
CSRF through URL with # tag parameter Tommysuriel - CSRF $100 02/25/2021
CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux John Jackson (@johnjhacking) Keybase Unencrypted storage $1,000 02/22/2021
Grafana Admin Panel bypass in Google Acquisition(VirusTotal) Jayateertha Guruprasad (@JayateerthaG) Google Default credentials - 02/22/2021
Let’s know How I have explored the buried secrets in Xamarin application secureITmania (@secureitmania) - Hardcoded API keys, Information disclosure - 02/21/2021
RCE On A Laravel Private Program Yasho (@YShahinzadeh) - RCE - 02/20/2021
Is Math.random() Safe? from missing rate limit to bypass 2fa and possible sqli Yasser Mohammed (@boomneroli) - Race condition, Lack of rate-limiting, OTP bypass, SQL injection - 02/20/2021
Account Takeover via Response Manipulation worth 1800$.. Ashutosh mishra (@ashutoshmish_ra) - Authentication bypass, OTP bypass, Account takeover $1,800 02/20/2021
Build Pipeline Security xssfox (@xssfox) Amazon RCE - 02/18/2021
Account Take Over by Response Manipulation Naveen J (@thevillagehackr) - Authentication bypass, Account takeover - 02/17/2021
Expose information about Partner accounts in Partner portal Youssef Sammouda (@samm0uda) Facebook Information disclosure, GraphQL bug $3,600 02/17/2021
Expose Facebook object type (including private objects) Youssef Sammouda (@samm0uda) Facebook Information disclosure, Logic flaw $500 02/17/2021
Ability to find Facebook employee’s test accounts which lead to the disclosure of internal information. Youssef Sammouda (@samm0uda) Facebook Information disclosure, GraphQL bug $500 02/17/2021
Disclose internal CMS objects content Youssef Sammouda (@samm0uda) Facebook Information disclosure, Authorization flaw $500 02/17/2021
Confirm if an invitation is sent to a specific email in Partners Portal / Possibility to resend the invitation Youssef Sammouda (@samm0uda) Facebook Information disclosure, GraphQL bug $500 02/17/2021
XSS in Facebook CDN due to improper filtering of uploaded files extensions Youssef Sammouda (@samm0uda) Facebook XSS $500 02/17/2021
Enumerate internal cached URLs which lead to data exposure Youssef Sammouda (@samm0uda) Facebook Information disclosure, Caching issue $4,800 02/17/2021
Make recruiting referrals on behalf of employees Youssef Sammouda (@samm0uda) Facebook Authorization flaw, GraphQL bug $3,000 02/17/2021
Leaking Facebook user information to external websites / Setting some cookies values Youssef Sammouda (@samm0uda) Facebook GraphQL bug, Logic flaw, Information disclosure $2,000 02/17/2021
Access private information about SparkAR effect owners who has a publicly viewable portfolio Youssef Sammouda (@samm0uda) Facebook Authorization flaw, Information disclosure, GraphQL bug $1,500 02/17/2021
Open redirect in Instagram.com Youssef Sammouda (@samm0uda) Facebook Open redirect $500 02/17/2021
Story of a very lethal IDOR. Vedant Tekale (@_justYnot) - XSS, IDOR, Account takeover N/A (VDP) 02/17/2021
From AWS S3 Misconfiguration to Sensitive Data Exposure Jadek Mark (@mase289) - AWS misconfiguration - 02/17/2021
Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) Imre Rad (@ImreRad) Google Configuration file injection, RCE - 02/16/2021
Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) Imre Rad (@ImreRad) Google RCE - 02/16/2021
Hunting for bugs in Telegram’s animated stickers remote attack surface polict (@polict_) Telegram Memory corruption bug, DoS - 02/16/2021
Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. Youssef Sammouda (@samm0uda) Facebook Authorization flaw, Logic flaw $12,500 02/15/2021
Full account takeover worth $1000 Think out of the box Mohsin Khan (@mokhansec) - Account takeover, CSRF, IDOR $1,000 02/15/2021
Delete linked payments accounts of a Facebook page (or user) Youssef Sammouda (@samm0uda) Facebook Authorization flaw, Logic flaw $1,000 02/15/2021
URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs. Youssef Sammouda (@samm0uda) Facebook Logic flaw $500 02/15/2021
Leak of internal categorySets names and employees test accounts. Youssef Sammouda (@samm0uda) Facebook Information disclosure $500 02/15/2021
View orders and financial reports lists for any page shop Youssef Sammouda (@samm0uda) Facebook Information disclosure, Authorization flaw $500 02/15/2021
Header manipulation to get the premier feature for free Saddam Hussain (@wisdomfreak1) - Logic flaw - 02/14/2021
Stored XSS in icloud.com — $5000 Vishal Bharad - Stored XSS $5,000 02/14/2021
My first bounty (stored-xss) Karan sharma (@karansh491) - Stored XSS $1,000 02/14/2021
IDOR via Websockets allow me to takeover any users account Mohsin Khan (@mokhansec) - IDOR $450 02/14/2021
How I Hacked Everyone’s Resume/CV’s and Got €€€ Vishal Bharad - IDOR, Authorization flaw, Information disclosure $250 02/14/2021
Changing other users Episode title & description - IDOR Vulnerability in [REDACTED] (Write Up) Evan Ricafort (@evanricafort) - IDOR $1,150 02/13/2021
[GITLAB] — Server Side Request Forgery in “Project Import” page. Lyubomir Tsirkov Gitlab SSRF $1,500 02/13/2021
[GITLAB] — Just another SSRF issue. Lyubomir Tsirkov Gitlab SSRF $1,000 02/13/2021
OAuth Misconfiguration Leads to Full Account takeover Yasser Mohammed (@boomneroli) - OAuth flaw, Clickjacking, CSRF, Account takeover - 02/13/2021
[GITLAB] — Just another SSRF issue. Lyubomir Tsirkov GitLab SSRF $1,000 02/12/2021
How I was able to get extra coins Saddam Hussain (@wisdomfreak1) - Logic flaw, Android app bug - 02/12/2021
Leaked Credentials gives access to internalfb.com Philippe Harewood (@phwd) Facebook Information disclosure $6,000 02/11/2021
Hacking Chess.com and Accessing 50 Million Customer Records Sam Curry (@samwcyo) Chess.com Reflected XSS, Information disclosure, Account takeover - 02/11/2021
The “P” in Telegram stands for Privacy Dhiraj (@RandomDhiraj) Telegram Privacy issue $3,000 02/11/2021
Escalating reflected XSS with HTTP Smuggling Hazana (@hazanasec) - HTTP request smuggling, Reflected XSS - 02/11/2021
Fastest Subdomain Take Over & DNS Misconfiguration Hunt. Kabeer (@iTheKabeer) - Subdomain takeover, DNS zone transfer - 02/10/2021
Sending ephemeral message to any Facebook user Rahul Kankrale (@RahulKankrale) Facebook IDOR - 02/10/2021
A Tale of 2nd $xxx Bounty from Facebook Kunjan Nayak Facebook Logic flaw $500 02/10/2021
Self-XSS to rXSS via Uploaded File Name P4nda (@InfoSecP4nda) - Self-XSS, Reflected XSS - 02/09/2021
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies Alex Birsan Paypal, Shopify, Apple, Netflix, Yelp, Uber, Microsoft & more! Dependency confusion $130,000+ 02/09/2021
Abusing URI Parsers for fun and profit Mohammad Owais (@_mohammadowais) - URL validation bypass $500 02/08/2021
Duplicate Registration - The Twinning Twins Jerry Shah (@Jerry) - Account takeover, Authentication flaw - 02/08/2021
Bigbasket Bug Bounty Writeup Lohith Gowda M (@lohi_gowda_) - Insecure Local Storage - 02/08/2021
Reflected XSS on a Public Program Naveen J (@thevillagehackr) - Reflected XSS - 02/08/2021
How I Gain Access to the Server Administration of a Million-Dollar Company Marx Chryz Del Mundo - Privilege escalation, Mass assignment $5,000 02/06/2021
Escalating SSRF to RCE Sander Wind (@SanderWind) - SSRF, RCE - 02/06/2021
XXE To AWS Metadata Disclosure Al-Madjus (@AlMadjus) - XXE $2,000 02/04/2021
Facebook Messenger Desktop App Arbitrary File Read Renwa (@RenwaX23) Facebook Arbitrary file read $2,000 02/04/2021
Page Admin Disclosed In Groups Due To Improper Session Handling In Facebook Web Samip Aryal Facebook Information disclosure - 02/04/2021
Redwood Report2Web XSS and Frame injection vict0ni (@vict0ni) - Reflected XSS, Frame injection - 02/04/2021
Bug bounty failure stories to learn from: how we ended up to hack a bank with no reward Red Timmy Security (@redtimmysec) - DoS, Default credentials - 02/04/2021
Open Redirect vulnerability found using link parameter Muhammad Aamir (@Muhammad__Aamir) - Open redirect $100 02/04/2021
Microsoft Remote Desktop Web Access Authentication Timing Attack Matt Dunn Microsoft Timing attack, Authentication flaw - 02/04/2021
How I was able to Turn a XSS into a Account Takeover Josh Fam (@Pullerze) - Web cache poisoning, Stored XSS, Account takeover, OAuth flaw, Logic flaw - 02/03/2021
Spoofing and Attacking With Skype mr.d0x (@mrd0x) Microsoft Spoofing - 02/02/2021
Stealing Chat session ID with CORS and execute CSRF attack Sunil Yedla (@sunilyedla2) - CSRF, CORS misconfiguration - 02/02/2021
Applying Offensive Reverse Engineering to Facebook Gameroom Eugene Lim (@spaceraccoonsec) Facebook Insecure deserialization - 02/02/2021
1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group nhiephon (@_nhiephon) Facebook Information disclosure - 02/02/2021
Access developer tasks list of any Facebook Application (GraphQL IDOR) Amine Aboud (@amineaboud) Facebook IDOR - 02/01/2021
Disclose the FB profile of Facebook employees who create official announcement messages (Bug Bounty) Amine Aboud (@amineaboud) Facebook Information disclosure - 02/01/2021
An Account Takeover Vulnerability Due to Response Manipulation. Avanish Pathak (@avanish46) - Authentication bypass, Account takeover $4,100 01/31/2021
An unexpected bug Nitin yadav (@Nitinydv14) - Bruteforce - 01/31/2021
An Interesting Account Takeover Vulnerability Avanish Pathak (@avanish46) - IDOR, Account takeover - 01/30/2021
Android apk leaks access token to takeover the whole infrastructure Santosh Kumar Sha (@killmongar1996) - Information disclosure, Hardcoded credentials - 01/30/2021
How I chained P4 To P2 [Open Redirection To Full Account Takeover] Bishal Shrestha (@bishal0x01) - Open redirect, Account takeover - 01/30/2021
Broken Access Control & Stored XSS - Easy Hunt Kabeer (@iTheKabeer) - Stored XSS, IDOR - 01/29/2021
Destroying Armies and Villages through Cross-Site Scripting - Bug Bounty Write-up Fábio Freitas (@0xfabiof) InnoGames Stored XSS $1,000 01/29/2021
Cors Blimey: The power of chaining CORS Hazana (@hazanasec) - CORS misconfiguration, Stored XSS, CSRF - 01/28/2021
Launching Internal & Non-Exported Deeplinks On Facebook Ashley King (@AshleyKingUK) & Rahul Kankrale (@RahulKankrale) Facebook CSRF $4,000 01/28/2021
Analysing Crash Messages To Achieve Blind Root Command Injection Shawar Khan (@ShawarkOFFICIAL) - Command injection - 01/28/2021
Remote Code Execution – LimeSurvey (CVE-2018-7556) yeuchimse (@yeuchimse) - RCE - 01/28/2021
OTP Bypass Account Takeover to Admin Panel — Ft. Header Injection Avinash Jain (@logicbomb_1) - OTP bypass, Account takeover - 01/28/2021
Business Logic Error Methodology (easy way) + PoC-s Vuk Ivanovic - Logic flaw - 01/28/2021
How We Escaped Docker in Azure Functions Intezer Microsoft Privilege escalation - 01/27/2021
Weird functionality leads to Account Takeover (Millions of Users affected) Sahil Mehra (@nullr3x) - Account takeover, Authentication flaw $4,000 01/27/2021
Bragging Rights(Part 1): Short story of a bug wave Manas Harsh (@ManasH4rsh) - IDOR, Stored XSS, SSRF, Subdomain takeover, Hardcoded credentials $1,550 01/27/2021
Hijacking Google Drive Files (Documents, Photo & Video) Through Google Docs Sharing santuySec (@santuySec) Google Clickjacking $0 (Duplicate) 01/27/2021
$500 For No Rate Limit On Forgot Password Page BBHC (@community_bug) - Lack of rate-limiting, Password reset flaw $500 01/27/2021
Finding SSRF BY Full Automation Santosh Kumar Sha (@killmongar1996) - SSRF - 01/27/2021
BMW Bug Bounty – Account Verification Bypass writeup Pethuraj (@Pethuraj) BMW OTP bypass, Bruteforce, Lack of rate-limiting - 01/26/2021
Leaking issues from linked Jira – Atlassian Confluence Server yeuchimse (@yeuchimse) Atlassian XS-Search $600 01/25/2021
Get paid by smuggling, the legal way James Ling (@James_puppykok) - HTTP Request Smuggling - 01/25/2021
Chaining a self XSS to Account Takeover Arman Sameer (@ArmanSameer95) - Self XSS, Reflected XSS, Account takeover - 01/25/2021
IDOR Revealing Images CDN Links susan wagle - IDOR - 01/25/2021
Bypassing WAF with incorrect proxy settings for Hunting Bugs. Shaurya Sharma (@ShauryaSharma05) - URL validation bypass - 01/25/2021
Sql Injection via hidden parameter Rutvik Hajare (@HajareRutvik) - SQL injection - 01/24/2021
$10,000 for automatic email confirmation bug in Microsoft’s Edge browser Karan Chaudhary (@0xKaran) Microsoft Logic flaw $10,000 01/23/2021
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps CaptainFreak (@0xCaptainFreak) - Local File Read, RCE - 01/23/2021
CSRF Protection Bypass in Atlassian Confluence Server yeuchimse (@yeuchimse) Atlassian CSRF $3,600 01/22/2021
Page Admin Disclosure When Replying Comments Prakash Panta (@prakashpanta268) Facebook Information disclosure $500 01/22/2021
Staff Information Disclosure on Support Ticketing System ($x,xxx) Ph.Hitachi - Information disclosure - 01/22/2021
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card Yogev Bar-On Amazon RCE $18,000 01/21/2021
Story Behind Sweet SSRF. Rohit Soni (@streetofhacker) - SSRF, XSS - 01/21/2021
SSRF Exploitation in Libreoffice Spreadsheet File Converter R4id3n (@R4id3n__) - SSRF - 01/21/2021
[Bug Bounty] 600$ Info Disclosure: obtain any user’s backup data Tommaso De Ponti - Information disclosure, IDOR - 01/19/2021
Open-redirect [in email] Akhil - Open redirect - 01/19/2021
Simple & Sweet: Bypass email update restriction to change emails of team members Sunil Yedla (@sunilyedla2) - Logic flaw, Authorization flaw - 01/19/2021
The Embedded YouTube Player Told Me What You Were Watching (and more) David Schütz (@xdavidhu) Google Information disclosure $1,337 01/18/2021
How I was rewarded a $1000 bounty after abusing File Upload functionality to Stored XSS Vulnerability leading to credential theft of a vistor in a website. Kunal Khubchandani (@iamkun4l) - Unrestricted file upload, Stored XSS $1,000 01/18/2021
Let’s know How I have explored the buried secrets in React Native application secureITmania (@secureitmania) - Information disclosure, Hardcoded credentials - 01/18/2021
ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792 Ashley King (@AshleyKingUK) Apple, Google Insecure deeplink, Information disclosure $0 01/17/2021
Strange Admin Panel Bypass Story | | Bug Bounty Ranjeet Kumar Singh (@geekboyranjeet) - Authentication bypass, Account takeover - 01/17/2021
My first and last crit of 2020 on Hackerone Takester (@dhiraj_ramteke) - Lack of rate-limiting, Bruteforce, IDOR, Password reset flaw, Account takeover - 01/16/2021
Finding 0day to hack Apple Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob) Apple RCE $50,000 01/16/2021
Weaponizing Apify for mass bug bounty $$$ Randy Gingeleski (@gingeleski) - Akamai ARL attack - 01/16/2021
Hacking naked Akamai ARL at scale Randy Gingeleski (@gingeleski) - Akamai ARL attack - 01/15/2021
BitLocker Lockscreen bypass Jonas L (@jonasLyk) Microsoft Lockscreen bypass, Local privilege escalation - 01/15/2021
Attack of the clones 2: Git CLI remote code execution strikes back Vitor Fernandes (@Rapt00rVF) GitHub RCE - 01/15/2021
How I hijacked the top-level domain of a sovereign state Fredrik N. Almroth (@Almroot) Internet Bug Bounty Domain takeover - 01/15/2021
Insertion Of Malicious Links For Execution In Profile Picture - Unvalidated User Input In MS Sharepoint 2019 (CVE-2020-1456) David (@slashcrypto) & user_x73x76x6E Microsoft XSS - 01/15/2021
Irremovable Facebook group album photos and entire album under certain circumstances (Bounty: 1000 USD) Shubham Bhamare (@theshubh77) Facebook Logic flaw $1,000 01/14/2021
Tale of 2 TOOTB Bugs: Google and WhatsApp Circle Ninja (@circleninja) Google, Facebook Information disclosure, Logic flaw $0 01/14/2021
How I managed to trigger a Stored-XSS in an online store with the help of Cache Poisoning Schizo! - Web cache poisoning, Stored XSS N/A (VDP) 01/14/2021
Story of a really cool SSRF bug. Vedant Tekale (@_justYnot) - SSRF - 01/13/2021
Making Clouds Rain :: Remote Code Execution in Microsoft Office 365 Steven Seeley (@steventseeley) Microsoft RCE - 01/12/2021
Stealing User Information Via XSS Via Parameter Pollution Hamza Avvan (@hamzaavvan) - Open redirect, XSS $1,250 01/12/2021
CSRF with IDOR - A Deadly Combo Jerry Shah (@Jerry) - CSRF, IDOR - 01/12/2021
Unrestricted File Upload Binamra Pandey - Unrestricted file upload - 12/12/2021
Guest Blog Post: Leaking silhouettes of cross-origin images Aleksejs Popovs (@aleksejspopovs) Mozilla, Chrome Side-channel information leakage, Browser bug - 01/11/2021
Stealing Your Private YouTube Videos, One Frame at a Time David Schütz (@xdavidhu) Google IDOR $5,000 01/11/2021
UNEP Breached, 100K+ Employee Records Accessed Jackson Henry (@JacksonHHax), John Jackson (@johnjhacking), Nick Sahler (@nicksahler) & Aubrey Cottle United Nations Information disclosure N/A (VDP) 01/11/2021
Weblogic Remote Code Execution (Exploiting CVE-2019-2725) Mahmoud Gamal (@Zombiehelp54) - RCE - 01/10/2021
Unauthorized Access to OData Entities + $2K Bounty From Microsoft Borna Nematzadeh (@LogicalHunter) Microsoft Authorization flaw, Information disclosure $2,000 01/10/2021
How I was able to Regain access to account deleted by Admin leading to $$$ Rajesh Ranjan (@rajesh_ranjan) - Logic flaw, Authorization flaw - 01/10/2021
A ‘Novel’ Way to Bypass Executable Signature Checks with Electron Parsia Hackerman (@cryptogangsta) - Local privilege escalation - 01/08/2021
Create post on any Facebook page Pouya Darabi (@Pouyadarabi) Facebook IDOR $30,000 01/08/2021
Exploiting Application-Level Profile Semantics (APLS) Niemand (@niemand_sec) - APLS misconfiguration, API misconfiguration - 01/08/2021
Blind XSS in Google Analytics Admin Panel — $3133.70 Ashish Dhone Google Blind XSS $3,133.70 01/08/2021
Information Disclosure through Signup Endpoint Sunil Yedla (@sunilyedla2) - Information disclosure - 01/08/2021
Facebook: Linkshim protection bypass using fb://webview Rahul Kankrale (@RahulKankrale) Facebook Open redirect - 01/08/2021
$10,000 for a vulnerability that doesn’t exist Valeriy Shevchenko (@Krevetk0Valeriy) - Path traversal $10,500 01/07/2021
Github Organization Takeover By Claiming Owner Invitation Abss (@absshax) Github Account takeover, Logic flaw $5,000 01/07/2021
Stored XSS on Product Description [HIGH] — $400 Emanuel Beni Harijanto - Stored XSS $400 01/07/2021
Subdomain Take Over Worth 100£ c0d3x27 (@c0d3x27) - Subdomain takeover £100 01/07/2021
Finding bugs on Chess.com Seqrity (@seqrity9) Chess.com Lack of rate limiting, Bruteforce, CSRF $180 01/07/2021
Nick’s infrequently updated blog Nick Booher Cloudflare WAF bypass, IP spoofing - 01/06/2021
Achieving Remote Code Execution By Exploiting Variable Check Feature Shawar Khan (@ShawarkOFFICIAL) - RCE - 01/06/2021
Incident Response during Christmas TMO - Subdomain takeover - 01/05/2021
Each and every request make sense… Akshar Tank - Privilege escalation, Exposed JWT generation endpoint - 01/05/2021
Privilege Escalation: From being a normal user to admin Akshar Tank - Privilege escalation, Broken access control - 01/05/2021
Exploiting Max. Character Limitation Sunil Yedla (@sunilyedla2) - Logic flaw, DoS $400 01/05/2021
Patch. Bypass. Repeat: Story of a FaceBook Page Admin Disclosure bug worth $5000 Shubham Bhamare (@theshubh77) Facebook Information disclosure $5,000 01/04/2021
Expose the email address of Workplace users Youssef Sammouda (@samm0uda) Facebook IDOR, Information disclosure $5,000 01/03/2021
XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers Youssef Sammouda (@samm0uda) Facebook XSS, Account takeover $30,000 01/01/2021
API based IDOR to leaking Private IP address of 6000 businesses Rafi Ahamed (Leonidas D. Ace) - IDOR - 01/01/2021

Bug bounty writeups published in 2020

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it Youssef Sammouda (@samm0uda) Facebook Account takeover, Parameter pollution $21,000 12/31/2020
Facebook bug bounty (500 USD) : A blocked fundraiser organizer would be unable to view or remove themselves from the fundraiser. Vivek ps (@vivekps143) Facebook DoS, Logic flaw $500 12/31/2020
Cross Domain Referrer Leakage Mohsinalibukc - Cross-Domain Referrer Leakage $300 12/31/2020
Replying Comments On Someone’s Livestream From Page Is Posted As Personal Identity Prakash Panta (@prakashpanta268) Facebook Information disclosure $500 12/30/2020
Group Admin Can’t Able To Moderate Comments When Posted Through Page : Facebook Bug Bounty 2020 Prakash Panta (@prakashpanta268) Facebook Logic flaw - 12/30/2020
Event Creator Is Not Able To Block The Attacker During Event Livestream Prakash Panta (@prakashpanta268) Facebook Logic flaw $0 (Informative) 12/30/2020
Cache-Key Normalization - What could go wrong? youstin (@iustinBB) - Web cache poisoning, DoS - 12/29/2020
Sensitive data leak using IDOR in integration service Ronak Patel (@ronak_9889) - IDOR - 12/29/2020
Facebook page admin disclosure by “Create doc” button (Bounty: 5000 USD) Shubham Bhamare (@theshubh77) Facebook Information disclosure $5,000 12/28/2020
How I Got My First Bounty & Hof From Google (CSRF Lead To Account Delete) Bhupendra Rajbhar (@bhupendra1238) Google CSRF - 12/28/2020
[Google VRP] Hijacking Google Docs Screenshots Sreeram KL (@kl_sree) Google PostMessage bug, XSS - 12/27/2020
Regular expression injection, a code review low hanging fruit Dominic (@dee__see) - ReDoS - 12/27/2020
Chaining CORS by Reflected xss to Account takeover #My first Blog Santosh Kumar Sha (@killmongar1996) - CORS misconfiguration, Reflected XSS, Account takeover - 12/26/2020
Facebook page admin disclosure by “Message Seller” button (Bounty: 1500 USD) Shubham Bhamare (@theshubh77) Facebook Information disclosure $1,500 12/26/2020
Full Address Bar Spoofing On Opera Mini Android Piyush Raj ~ Rex (@0x48piraj) Opera, Google Address Bar Spoofing - 12/26/2020
EN | Account Takeover via Web Cache Poisoning based Reflected XSS Lütfü Mert Ceylan (@lutfumertceylan) - Reflected XSS, Web cache poisoning, Account takeover - 12/26/2020
Hiding from custom story privacy list is possible in FBlite making the victim unable to remove you from the list. Baibhav Anand (@SpongeBhav) Facebook Logic flaw $500 12/24/2020
Supply Chain Pollution: Hunting a 16 Million Download/Week npm Package Vulnerability for a CTF Challenge Eugene Lim (@spaceraccoonsec) Node.js third-party modules Prototype pollution - 12/23/2020
Cookie Tossing to RCE on Google Cloud JupyterLab s1r1us (@S1r1u5_) Google Self-XSS, DoS, CSRF, RCE $3,133.70 12/23/2020
Hack crypto secrets from heap memory to exploit Android application secureITmania (@secureitmania) - Cryptographic issues - 12/22/2020
SSTI in Google Maps s1r1us (@S1r1u5_) Google SSTI $0 (Informative) 12/22/2020
This is how I was able to view anyone’s private email and birthday on Instagram Saugat Pokharel (@saugatpk5) Facebook Information disclosure, Logic flaw $13,125 12/20/2020
Facebook bug Bounty -Finding the hidden members of the private events. Vivek ps (@vivekps143) Facebook Information disclosure, Logic flaw $1,000 12/20/2020
Worth $1,500 IDOR (Access Unauthorize Data) Muhammad Asim Shahzad (@protector47) - IDOR $1,500 12/20/2020
Write Up: Google VRP N/A – Sandboxed Rce As Root On Apigee API Proxies Omar Espino (@omespino) Google RCE $0 (N/A) 12/19/2020
Broken Access Control on samsung.com subdomain leads to Mass Account Takeover of Samsung employees application accounts Gal Nagli (@naglinagli) Samsung Information disclosure, Account takeover, Authorization flaw $0 (OOS) 12/18/2020
Misconfigured s3 bucket leads to Sensitive Data exposure(No super controls ) Virdoexhunter - AWS misconfiguration $400 12/18/2020
My Bug Bounty Journey and My First Critical Bug — Time Based Blind SQL Injection Marx Chryz - SQL injection $3,500 12/17/2020
How I hacked IBM and got full access on many services? Abdullah Mohamed (@3bodymo_) IBM Information disclosure - 12/16/2020
JavaScript analysis leading to Admin portal access Rikesh Baniya / NotRickyy (@rikeshbaniya) - Authorization flaw, Broken access control - 12/16/2020
TikTok Careers Portal Account Takeover Lauritz (@lauritz) TikTok CSRF, Open redirect, Account takeover $2,373 12/15/2020
Download Filename Manipulation due to improper rendering of RTLO characters Jayateertha Guruprasad (@JayateerthaG) - RTLO - 12/15/2020
Disclosing the members of private Facebook Group as a non-member. Baibhav Anand (@SpongeBhav) Facebook Authorization flaw, Logic flaw $4,500 12/15/2020
Confirm an email address belonging to a specific user abdellah yaala (@yaalaab) Facebook Information disclosure $5,000 12/12/2020
How I hacked Facebook: Part One Alaa Abdulridha (@alaa0x2) Facebook Lack of authentication, Authentication bypass, Account takeover $7,500 12/11/2020
How i got my First Bug Bounty in Intersting Target (LFI to SXSS) Ph.Hitachi - LFI, Stored XSS $250 12/11/2020
How I dumped PII information of customers in an ecommerce site? Rikesh Baniya / NotRickyy (@rikeshbaniya) - AWS misconfiguration - 12/11/2020
Exploiting new-era of Request forgery on mobile applications Sayed Abdelhafiz (@dPhoeniixx) Pinterest CSRF, Account takeover - 12/11/2020
Hiding from a custom list is possible on who sees our post is possible making victim not remove them from the list. Baibhav Anand (@SpongeBhav) Facebook Logic flaw $500 12/11/2020
Game On – Finding vulnerabilities in Valve’s “Steam Sockets” Eyal Itkin (@EyalItkin) Valve Memory corruption bug - 12/10/2020
Content-Security-Policy Bypass to perform XSS using MIME sniffing Kleitonx00 - XSS, CSP bypass - 12/10/2020
Hacking — Tamper with the URL Parameters, especially if they modify the page Jack - HTTP Parameter pollution - 12/09/2020
Facebook leak referrer data Neilmark Ochea (@PhClownX) Facebook Open redirect - 12/08/2020
How I Was Able To Take Over One Of Dell’s Subdomains Taha Bıyıklı (@tahabykl) Dell Subdomain takeover - 12/08/2020
Facebook push notification linkshim bypassed Neilmark Ochea (@PhClownX) Facebook Open redirect - 12/07/2020
“Important, Spoofing” - zero-click, wormable, cross-platform remote code execution in Microsoft Teams Oskars Vegeris Microsoft RCE, Stored XSS, CSP bypass, CSTI - 12/07/2020
Story of the best vulnerability I’ve found so far… Vedant Tekale (@_justYnot) - Self-XSS, Blind XSS, Account takeover - 12/07/2020
RCE via LFI Log Poisoning - The Death Potion Jerry Shah (@Jerry) - RCE, LFI, Log poisoning N/A (VDP) 12/06/2020
How Redirects work on Facebook? Technical breakdown Abhisek R (@abh1sek_r) Facebook Open redirect $0 12/06/2020
Opera Browser (XSS) Neilmark Ochea (@PhClownX) Opera XSS - 12/05/2020
$10000 Facebook SSRF (Bug Bounty) Amine Aboud (@amineaboud) Facebook SSRF $10,000 12/03/2020
Leaking Credit card Activity in logs? Yes Sir! Rody Shahnazarian (@Komradz86) - Information disclosure $800 12/03/2020
Cross Site Scripting (XSS) Reflected in one of the subdomains of “General Motors”(Bugbounty) - General Motors Reflected XSS N/A (VDP) 12/03/2020
Site Wide CSRF On Glassdoor Tabahi (@_tabahi) Glassdoor CSRF $3,000 12/03/2020
Leaking Browser URL/Protocol Handlers Tabahi (@_tabahi) Google, Microsoft, Mozilla Information disclosure $0 (Informative) 12/03/2020
SSTI to Local File Read Demon (@R29k_) - SSTI, LFI - 12/02/2020
Hacking — Always check out the Images Jack GitLab Information disclosure $500 12/02/2020
An iOS zero-click radio proximity exploit odyssey Ian Beer (@i41nbeer) Apple Buffer overflow - 12/01/2020
Chaining vulnerabilities lead to account takeover Ahmed (@ahzsec) - Account takeover, Password reset flaw, Open redirect, Lack of rate limiting $0 (Duplicate) 12/01/2020
Exploiting Blind Postgresql Injection And Exfiltrating Data In Psycopg2 Shawar Khan (@ShawarkOFFICIAL) - SQL injection $3,000 11/30/2020
AliExpress Captcha Reuse Unicorn Security AliExpress Captcha bypass - 11/30/2020
Chaining Multiple Requests to Achieve Rate Limiting Vulnerabilities Ahmad Halabi (@Ahmad_Halabi_) - Rate limiting bypass $1,000 11/29/2020
Bcrypt — Account TakeOver Due To Weak Encryption — #HR51KDB DarkLotus (@darklotuskdb) - Information disclosure, Account takeover - 11/29/2020
The Story of my first critical bug Shellbr3ak (@0xShellbr3ak) - SQL injection - 11/29/2020
How i got easy $$$ for SQL Injection Bug Rafi Andhika Galuh - SQL injection - 11/26/2020
Pre-Account Takeover using OAuth Misconfiguration the_unluck_guy (@7he_unlucky_guy) - OAuth flaw $800 11/26/2020
How images on Github will leak your private information fuomag9 (@fuomag9) Github Information disclosure $0 (Informative) 11/24/2020
Reflected Cross Site Scripting on REDACTED Program (Bounty: 750$) can1337 (@canmustdie) - Reflected XSS $750 11/23/2020
Fixing a Google Vulnerability I (@InsecureNature) & Allison Donovan (@matter_of_cat) Google Privilege escalation - 11/22/2020
Escalating XSS to Account Takeover Aditya Verma (@0cirius0) - Reflected XSS, Account takeover - 11/22/2020
Weird (im)possible XSS on error page Rody Shahnazarian (@Komradz86) - Reflected XSS - 11/21/2020
2 Reflected XSS In Razer Mostafa Razer Reflected XSS - 11/21/2020
Turning Blind Error Based SQL Injection into Exploitable Boolean One Ozgur Alp (@ozgur_bbh) - SQL injection - 11/21/2020
Exploiting dynamic rendering engines to take control of web apps Vasilii Ermilov (@ermil0v) - SSRF, Open redirect $5,000 11/19/2020
Bypassing the Redirect filters with 7 ways ElMahdi Mrhassel (@ElMrhassel) - Open redirect, OAuth flaw - 11/19/2020
Arbitrary File Write On Client By ADB Pull Serafina (Sera) Tonin Brocious (@daeken) Google Arbitrary file write $0 11/19/2020
Out of Band XXE in an E-commerce IOS app Gaurang Bhatnagar (@0xgaurang) - XXE - 11/19/2020
GraphQL IDOR in Facebook streamer dashboard. Kailash (@Corrupted_brain) Facebook IDOR, GraphQL bug $2,000 11/18/2020
Server Side Misconfigurartion - A Funny Fix Jerry Shah (@Jerry) Basecamp Information disclosure $100 11/18/2020
Tale of 3 vulnerabilities to account takeover! Avinash Jain (@logicbomb_1) - SSRF, Account takeover - 11/17/2020
Firefox: How a website could steal all your cookies Pedro Oliveira (@kanytu) Mozilla Arbitrary file read $5,000 11/16/2020
Stealing User’s PII info by visiting API endpoint directly Kunal pandey (@kunalp94) - Information disclosure, Logic flaw $500 11/16/2020
RCE via Server-Side Template Injection Gaurav Mishra (@gmishra010) - SSTI, RCE - 11/15/2020
Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data YoKo Kho (@YokoAcc) - Information disclosure, Broken access control, IDOR, SQL injection $4,750 11/15/2020
Microsoft Bug Bounty Writeup – Stored XSS Vulnerability Pethuraj (@Pethuraj) Microsoft Stored XSS - 11/15/2020
Weak Cryptography to Account Takeover’s letmeslidein (@VasuYadaav) - Cryptographic issues, Account takeover, IDOR - 11/15/2020
Exploiting API with AuthToken Rafi Ahamed (Leonidas D. Ace) - Token leak, Information disclosure - 11/15/2020
Account takeover through password reset Omar Hamdy (@seaman00o) - Account takeover, Password reset flaw $2,000 11/14/2020
Theoretically Possible To Practical Account Takeover Mukul Lohar (@ironfisto) - IDOR, Account takeover - 11/14/2020
Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity Prakash Panta (@Prakashpanta268) Facebook Logic flaw $500 11/13/2020
Smuggling an (Un)exploitable XSS Julien Ahrens (@MrTuxracer) - HTTP Request Smuggling, XSS - 11/13/2020
How I Found The Facebook Messenger Leaking Access Token Of Million Users Guhan Raja (@havocgwen) Facebook Information disclosure $16,125 11/13/2020
Interesting case of SQLi Nik srivastava (@niksthehacker) - SQL injection $3,000 11/13/2020
Commenting on a post by opening it via page’s news-feed goes from a wrong actor (i.e. admin’s personal account) Samip Aryal Facebook Information disclosure $500 11/13/2020
User’s private watched videos/saved videos exposed through a messenger call from a locked smartphone. Samip Aryal Facebook Information disclosure, Authorization flaw $500 11/13/2020
Evading Filters to perform the Arbitrary URL Redirection Attack Harsh Bothra (@harshbothra_) - Open redirect - 11/12/2020
Bounty $1000 — Critical Business Logic Flaw leads to Account Takeover & Product Order Amount Manipulation Muhammad Asim Shahzad (@protector47) - Logic flaw, Account takeover, Price tampering $1,000 11/12/2020
Evernote: Universal-XSS, theft of all cookies from all sites, and more Oversecured (@OversecuredInc) Evernote UXSS - 11/12/2020
31k$ SSRF in Google Cloud Monitoring led to metadata exposure David Nechuta (@david_nechuta) Google SSRF $31,337 11/10/2020
SSRF (Server Side Request Forgery) worth $4,913 | My Highest Bounty Ever ! Sayaan Alam (@ehsayaan) Dropbox SSRF $4,913 11/10/2020
Chaining password reset link poisoning, IDOR, and information leakage to achieve account takeover at api.redacted.com Jadek Mark (@mase289) - HTTP header injection $0 (Duplicate) 11/10/2020
Firefox for Android: LAN-Based Intent Triggering initstring (@init_string) Mozilla Insecure intents - 11/10/2020
Facebook iOS address bar spoofing Rahul Kankrale (@RahulKankrale) Facebook Address Bar Spoofing $1,500 11/10/2020
How i could take over any Account on a USA Department of Defense Website due to a simple IDOR Gal Nagli (@naglinagli) U.S. Dept Of Defense IDOR, Account takeover - 11/07/2020
Facebook DOM Based XSS using postMessage Samm0uda (@samm0uda) Facebook DOM XSS, postMessage bug $25,000 11/07/2020
Attack of the clones: Git clients remote code execution Vitor Fernandes (@Rapt00rVF) & Julio Fort GitHub RCE $0 (Duplicate) 11/06/2020
Story of a Pre-Account Takeover Kushal Dhakal (@dhakal0kushal) - Account takeover, OAuth flaw - 11/06/2020
1000$ for Open redirect via unknown technique [BugBounty writeup] ruvlol GitLab Open redirect $1,000 11/05/2020
How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day sickcodes (@sickcodes) Brave Software Information disclosure $100 11/05/2020
Delete Any Photos In Facebook Lokesh Kumar (@lokeshdlk77) Facebook Authorization flaw, Logic flaw $10,750 11/04/2020
From a 500 error to Django admin takeover Shashank (@cyberboyIndia) - Authorization bypass, Account takeover $3,000 11/03/2020
Forcing for a bounty$$ Rafi Ahamed (Leonidas D. Ace) - Authorization flaw $500 11/03/2020
Reveal the page admin that uploaded a video on the page in comment section Lokesh Kumar (@lokeshdlk77) Facebook Information disclosure, Logic flaw $4,838 11/02/2020
CVE-2020-13294 Lauritz (@lauritz) - Authentication flaw, OpenID Connect vulnerability - 11/01/2020
Subdomain Takeover in Azure: making a PoC Diego Bernal Adelantado (@secfaults) - Subdomain takeover - 11/01/2020
Leaked .git folder leads to RCE James Clee (@jtcsec) - RCE - 11/01/2020
CVE-2020-13294 Lauritz (@lauritz) GitLab OAuth misconfiguration $0 (Duplicate) 11/01/2020
An often overlooked Oauth misconfiguration. & Payload VipItHunter (@VipItHunter1) - OAuth misconfiguration - 11/01/2020
How i got 7000$ in Bug-Bounty for my Critical Finding. Kishan Kumar / Noobie BoY (@hst_kishan) - Information disclosure $7,000 10/31/2020
Abusing ‘Report Abuse’ Aseem Shrey (@AseemShrey) - Logic flaw, Authorization flaw $200 10/31/2020
Beyond the wall: command injection still alive. Ahmed Constant (@a_Constant_) - Command injection - 10/31/2020
Hinge Hackerone Writeup Tyler Butler (@tbutler0x90) Hinge Broken access control - 10/31/2020
Ability To Backdoor Facebook For Android Ashley King (@AshleyKingUK) Facebook Insecure deeplink - 10/30/2020
Wormable remote code execution in Alien Swarm mev Valve RCE - 10/30/2020
Rate Limit Bypassing Allowing Identity Spoofing Mohamed Talaat (@T4144t) - Rate limiting bypass, OTP bypass - 10/29/2020
Manual broken link monitoring GrumpinouT (@RVerwilghen) - Broken link hijacking - 10/29/2020
Story of an interesting bug. Vedant Tekale (@_justYnot) - Lack of rate limiting, DoS - 10/28/2020
Error-Based SQL Injection on a WordPress website and extract more than 150k user details Ynoof Alassiri - SQL injection - 10/27/2020
Automating xss identification with Dalfox & Paramspider Paras Arora (@parasarora06) - Reflected XSS - 10/27/2020
The YouTube bug that allowed unlisted uploads to any channel Ryan Kovatch Google IDOR, Information disclosure $6,337 10/27/2020
How i got 250$ in 5 munites using my phone telaviv_h4x0r Basecamp HTML injection $250 10/26/2020
TikTok fixes privacy issue discovered by Check Point Research Eran Vaknin & Alon Boxiner TikTok Information disclosure - 10/26/2020
Link Previews: How a Simple Feature Can Have Privacy and Security Risks Talal Haj Bakry (@parasarora06) & Tommy Mysk Discord, Facebook, Google, LINE, LinkedIn, Slack, Twitter, Zoom Information disclosure - 10/25/2020
Perform substring search for emails even if Workplace admin hides email profile field. Rahul Kankrale (@RahulKankrale) Facebook Broken access control, Authorization flaw $1,000 10/25/2020
My first bug on Google Manas Harsh (@ManasH4rsh) Google IDOR - 10/25/2020
Accidental Observation to Critical IDOR Harsh Bothra (@harshbothra_) - IDOR - 10/24/2020
Samsung S20 - RCE via Samsung Galaxy Store App F-Secure Samsung RCE $0 10/23/2020
300$ P3 Easy Bug in 30 Seconds Omar Hamdy (@seaman00o) - Lack of authentication, Broken access control $300 10/22/2020
Perform substring search for emails even if Workplace admin hides email profile field. Rahul Kankrale (@RahulKankrale) Facebook Authorization flaw $2,000 10/21/2020
Facebook Page Admin Disclosure Rahul Kankrale (@RahulKankrale) Facebook Information disclosure $3,000 10/21/2020
GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty William Bowling / vakzz (@wcbowling) GitHub RCE, Path traversal $25,000 10/20/2020
Back to 2019: Disclosure Employers PII and Credentials Saneklarek (@wh11tew0lf) - Information disclosure $1,000 10/20/2020
GitHub Gist - Account takeover via open redirect - $10,000 Bounty William Bowling / vakzz (@wcbowling) GitHub Open redirect, Account takeover $10,000 10/19/2020
GitHub - RCE via git option injection (almost) - $20,000 Bounty William Bowling / vakzz (@wcbowling) GitHub RCE $20,000 10/18/2020
Discord Desktop app RCE Masato Kinugawa (@kinugawamasato) Discord RCE $5,000 10/17/2020
Weaponizing XSS For Fun & Profit Saad Ahmed (@XSaadAhmedX) - XSS, CSRF $2,200 10/14/2020
I had fun with this XSS yappare (@yappare) - XSS - 10/13/2020
Blind SSRF - The Hide & Seek Game Shrey Shah (@ShreySh43332033) - Blind SSRF $400 10/13/2020
How I find my first P1 level Bug. $$$ Harsh - XSS - 10/13/2020
Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account Mustafa Ahmed (@mustafa0x2021) Facebook Information disclosure $500 10/12/2020
Guest Blog Post: Rollback Attack Xiaoyin Liu (@general_nfs) Mozilla Local Privilege Escalation - 10/12/2020
Unauthorized access to all the user’s account. Rahul Naidu - Account takeover, Authentication bypass, JWT misconfiguration - 10/12/2020
Leveraging XSS to Read Internal Files Aditya Dixit (@zombie007o) - XSS, LFI - 10/09/2020
JS is l0ve ❤️. Shivam Kamboj Dattana (@sechunt3r) - Information disclosure, API key leakage $5,000 10/09/2020
Weak Password Setting function on practo.com dark-haxor Practo Authorization flaw $0 (Won’t fix) 10/09/2020
CVE-2018–5230 | JIRA Cross Site Scripting Paras Arora (@parasarora06) - Reflected XSS - 10/09/2020
Exploiting Admin Panel Like a Boss Shivam Kamboj Dattana (@sechunt3r) - Authorization bypass, Weak credentials $1,500 10/08/2020
ATO via Host Header Poisoning Shivam Kamboj Dattana (@sechunt3r) - Host header injection, Account takeover, Password reset flaw $2,000 10/08/2020
Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure Intezer Microsoft Privilege escalation, RCE - 10/08/2020
SVE-2020-18025: Unauthorised access to Samsung secure folder files Rahul Kankrale (@RahulKankrale) Samsung Authorization flaw $3,750 10/07/2020
Research: The mass CSRFing of .google.com/ products. Missoum Said (@missoum1307) Google CSRF $30,000 10/07/2020
6k$ Worth Account Takeover via IDOR in Starbucks Singapore Kamil Onur Özkaleli (@ko2sec) Starbucks IDOR, Account takeover $6,000 10/07/2020
Sensitive Info Leak in Curve App [Bug Bounty] ΡRΛSΞUDΟ ® (@praseudo) Curve Information disclosure $1,500 10/07/2020
Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program McAfee Advanced Threat Research (ATR) Microsoft Local privilege escalation, RCE, Security Feature bypass $160,000 10/06/2020
90 days, 16 bugs, and an Azure Sphere Challenge Cisco Talos Microsoft Local privilege escalation, RCE, DoS, Information disclosure - 10/06/2020
Watch your requests! Open redirect to a complete account takeover ninetynine (@ninetyn1ne_) - Path traversal, Open redirect, SSRF, Account takeover - 10/05/2020
Easy wins : verbose error worth Facebook HOF Mukul Lohar (@ironfisto) Facebook Information disclosure $500 10/05/2020
Leveraging LFI to RCE in a website with +20000 users Kleitonx00 - LFI, RCE - 10/04/2020
Spend more time doing recon, you’ll find more BUGS. Vedant Tekale (@_justYnot) - Reflected XSS, Information disclosure - 10/03/2020
Exploiting Payment Gateways letmeslidein (@VasuYadaav) - Payment tampering - 10/03/2020
Journey Of My First Bug Bounty (Nov 2018) Harsh Tyagi (@harshtya9i) Samsung Authentication bypass $200 10/02/2020
Arbitrary code execution on Facebook for Android through download feature Sayed Abdelhafiz (@dPhoeniixx) Facebook Arbitrary code execution $10,000 10/02/2020
The Powerful HTTP Request Smuggling 💪 Ricardo Iramar dos Santos (@ricardo_iramar) - HTTP Request Smuggling $17,050 10/01/2020
Write Up – Google Bug Bounty: XSS To Cloud Shell Instance Takeover (Rce As Root) – $5,000 USD Omar Espino (@omespino) Google XSS, RCE $5,000 10/01/2020
Story of a weird vulnerability I found on Facebook Amine Aboud (@amineaboud) Facebook Authentication bypass, Information disclosure - 09/30/2020
The Art of IDOR: 7 IDORs in Edm0d0 Pratyush Anjan Sarangi Edmodo IDOR - 09/29/2020
Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts Thomas Orlita (@ThomasOrlita) Google GCP bucket misconfiguration, Information disclosure - 09/29/2020
Taking down the SSO, Account Takeover in the Websites of Kolesa due to Insecure JSONP Call Yasho (@YShahinzadeh) - Account takeover - 09/28/2020
P1: Critical - Discovering and Foiling a Threat Actor Jackson Henry (@JacksonHHax) & John Jackson (@johnjhacking) - Information disclosure $1,550 09/27/2020
5 Ways to do Account Takeover in a Single Website letmeslidein (@VasuYadaav) - Account takeover, OAuth misconfiguration, Lack of rate limiting, OTP bypass, IDOR, JWT misconfiguration - 09/27/2020
Chains on Chains: Chaining multiple low-level vulns into a Critical. Daniel Marte (@Masonhck3571) - Blind XSS, CSP bypass, Lack of rate limiting, Exposed JWT generation endpoint - 09/26/2020
Hacking the Medium partner program Mohammad-Ali Bandzar Medium Logic flaw - 09/26/2020
Parameter Tampering ₹→$ SuneetSingh - Parameter tampering - 09/26/2020
Advisory: security issues in AWS KMS and AWS Encryption SDKs Thai Duong (@XorNinja) Amazon Cryptographic issues, Information disclosure - 09/25/2020
PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover Pradeep Kumar (@Killer007p) - IDOR, Information disclosure - 09/25/2020
Dangling DNS: AWS EC2 Mohamed Elbadry (@_melbadry9) - Dangling DNS records, Subdomain takeover $2,900 09/24/2020
VMware Workstation: Attack surface through Virtual Printer Lê Hữu Quang Linh (@linhlhq) VMware Memory corruption bug, Integer overflow - 09/23/2020
#Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$ ganiganesh (@ganiganeshss79) - IDOR, Information disclosure $800 09/22/2020
Fun with Header and Forget Password Vuk Ivanovic - HTTP Header Injection - 09/22/2020
🎯Business Logic Flaw in Google Acquisition! (Hall Of Fame)🎯 Ritesh Gohil (@RiteshG37659480) Google Logic flaw - 09/21/2020
suPHP - The vulnerable ghost in your shell Maxime (@punkeel) & (@swapgs) - Local privilege escalation - 09/21/2020
Unauthenticated File upload Vulnerability on Synology Sub-domain Touhid Shaikh Synology Unrestricted file upload $2,000 09/20/2020
How I earned $500 from Google - Flaw in Authentication Hemant Patidar (@HemantSolo) Google Authentication flaw $500 09/20/2020
$25K Instagram Almost XSS Filter Link — Facebook Bug Bounty Andres Alonso (@al0nnso) Facebook Stored XSS $25,000 09/20/2020
How I By-pass the login page and 2FA authentication….. Harsh - Authentication bypass, OTP bypass, 2FA bypass - 09/20/2020
Emoji error handling shesha sai_c (@Cyb3r_4ss4s1n) - - - 09/19/2020
CVE-2020-9964 - An iOS infoleak Muirey03 (@Muirey03) Apple Memory initialisation issue - 09/19/2020
Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty (512$) — CVE-2020–15149 Muhammed Eren Uygun (@erenuyguun) NodeBB IDOR, Account takeover $512 09/19/2020
Reflected XSS via a hidden parameter on Dutch Gov. website Supras (@LdrTom) Dutch Government Reflected XSS N/A (VDP) 09/19/2020
My First Bug Bounty From Bug Bounty Platform redstorm.io Novan Aziz Ramadhan (@novan_rmd) RedStorm CSRF - 09/17/2020
Dropbox Escalation of Privileges to SYSTEM on Windows Teresa Alberto Dropbox Local privilege escalation $0 (Duplicate) 09/17/2020
Res-block: Extension Resources Block Attack on Chrome’s Incognito Mode Piyush Raj (@0x48piraj) Google Browser bug - 09/16/2020
Exploiting a “Useless” Cookie-Based XSS and Making it Useful Daniel Thatcher - XSS - 09/16/2020
How I Accidentally Got My First Bounty From Facebook Bishal Shrestha (@bishal0x01) Facebook Logic flaw - 09/15/2020
Firefox for Android: LAN Based Intent Triggering initstring (@init_string) Mozilla Insecure intents - 09/15/2020
Account takeover by OTP bypass Bhavarth Kandoria - OTP bypass - 09/13/2020
Business logic vulnerabilities — Low-level logic flaw Harry D - Logic flaw - 09/13/2020
SQL Injection & Remote Code Execution - Double P1 Shrey Shah (@ShreySh43332033) - SQL injection, RCE N/A (VDP) 09/13/2020
How I hacked redbus [An online bus-ticketing application] Sangeetha Rajesh S (@rajesh_sangi12) redBus LFI, SSRF - 09/12/2020
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM Orange Tsai (@orange_8361) Facebook RCE, JNDI Injection - 09/12/2020
Universal XSS in Android WebView (CVE-2020-6506) Alesandro Ortiz (@AlesandroOrtizR) Google, Microsoft, Twitter UXSS $15,560+ 09/10/2020
Unintended Behaviour of domain got me P4 Takester (@dhiraj_ramteke) - Logic flaw - 09/10/2020
How often do we overlook vulnerabilities? Baibhav Anand (@SpongeBhav) HackerOne Information disclosure - 09/09/2020
How often do we overlook vulnerabilities? Baibhav Anand (@SpongeBhav) HackerOne IDOR, Information disclosure - 09/09/2020
CVE-2020-8150 – Remote Code Execution as SYSTEM/root via Backblaze Jason Geffner (@JasonGeffner) Backblaze RCE, Elevation of Privilege - 09/09/2020
XSS->Fix->Bypass: 10000$ bounty in Google Maps Zohar Shachar Google XSS $10,000 09/07/2020
From Android Static Analysis to RCE on Prod Aditya Dixit (@zombie007o) - RCE, Directory listing, Lack of authentication - 09/07/2020
My first bug in google and how i got CSRF token for victim account rather than bypass it ($1337)! Oday Alhalbe Google CSRF $1,337 09/07/2020
How response Manipulation got me a little, but sweet Bounty Tommaso De Ponti (@heytdep) - 2FA bypass - 09/07/2020
Never Give Up, The Story Behind a Dupe-To-Triaged Alan Brian (@soyelmago) - XSS, OAuth flaw, Account takeover - 09/06/2020
XSS that can pay your Bills :) Smile Hacker (@smile_hacker) - Reflected XSS €500 09/05/2020
How_i_was_able_to_pawned_website_via_escilating_webcache deception to rce mohit (@mohit29295572) - Web Cache Deception, SSRF, RCE - 09/05/2020 Archived page
Account Takeover via IDOR Roma Ramazanoff (@r0hack) - IDOR, Account takeover $25,000 09/04/2020
Denial of Service in the protection service provided by Avast Security Premium. Silton Santos Avast DoS - 09/01/2020
Stop scratching the surface, and hack the dependencies Rotem Reiss (@rotem_reiss) - Stored XSS - 08/31/2020
Page shops with a hidden Product in “Featured product section” which could be controlled by attacker (Ex Editor). Rohit kumar (@rohitcoder) Facebook Logic flaw $0 (Informative) 08/31/2020
Unhiding the hidden I am Broot - Client-side enforcement of server-side security, Authorization flaw, CSRF $530 08/30/2020
The Importance of keeping up to date, or how I found an interesting bug thanks to a tweet Vuk Ivanovic - Stored XSS - 08/29/2020
Oversecured automatically discovers persistent code execution in the Google Play Core Library Oversecured Google Arbitrary code execution in Android app - 08/28/2020
My Hacking Adventures With Safari Reader Mode Nikhil Mittal (@c0d3G33k) Apple CSP bypass, SOP bypass - 08/27/2020
Accessing the website directly through its IP address, a case of a poorly hidden sql injection Vuk Ivanovic - SQL injection - 08/27/2020
Delete IDOR on a Fashion eCommerce Website Amey Anekar (@ameyanekar) - IDOR - 08/26/2020
Auth bypass: Leaking Google Cloud service accounts and projects Ezequiel Pereira (@epereiralopez) Google Authentication bypass - 08/26/2020
Bug Bounty Failsx101[4] ArcherL (@realArcherL) - 2FA bypass $0 (Informative) 08/26/2020
Waze: How I Tracked Your Mother Peter Gasper (@malgregator) Waze Logic flaw, Information disclosure $1,337 08/25/2020
Stealing local files using Safari Web Share API Pawel Wylecial (@h0wlu) Apple Browser bug $0 08/24/2020
Account Takeover For The Win 🏆 Ricardo Iramar dos Santos (@ricardo_iramar) - Account takeover, Authentication flaw, Password reset flaw $2,225 08/24/2020
$$ Bounties for Unauthenticated file read in Cisco ASA CVE-2020–3452 Supun Halangoda (@halangoda_supun) - LFI - 08/23/2020
How I was able to find easy P1 just by doing Recon Kirtan Patel (@kirtanpatel9111) - LFI - 08/22/2020
The Short tale of two bugs on Google Cloud Product— Google VRP [Resolved] Sriram Kesavan (@sriramoffcl) Google IDOR, Privilege escalation - 08/22/2020
Upload to the future Vuk Ivanovic - IDOR - 08/22/2020
How I Found My First Bug Stored Xss and Earned My First Bounty 1000$ Nazmul Haque (@0xnazmul) Badoo Stored XSS $1,000 08/21/2020
(Shopify.com) Blind Stored XSS Via Staff Name Rio Mulyadi (@riomulyadi_) Shopify Stored XSS $0 (Out of scope) 08/19/2020
The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer Allison Husain (@ezhes_) Google Email spoofing $0 (Out of scope) 08/19/2020
A perfect duplicate or how to send an email with a spoofed invoice’s content Mateusz Olejarka (@molejarka) - Email spoofing, Open mail relay, Lack of authentication $0 (Duplicate) 08/19/2020
Django debug mode to RCE in Microsoft acquisition Syed Abuthahir (@writerabu) Microsoft Information disclosure, RCE - 08/19/2020
Escalating a GitHub leak to takeover entire organization Shashank (@cyberboyIndia) - Information disclosure $4,000 08/18/2020
Fun with header and forget password, with a twist: Vuk Ivanovic - Password reset flaw, Host header injection - 08/18/2020
How to contact Google SRE: Dropping a shell in cloud SQL (@wtm_offensi) & Ezequiel Pereira (@epereiralopez) Google SQL injection, Privilege escalation, Parameter injection, RCE - 08/18/2020
How could I Tag Photo to any user’s Scrapbook on Facebook Raja Sudhakar (@Rajasudhakar) Facebook Authorization flaw - 08/18/2020
From SQL Injection to Hall Of Fame Jadek Mark (@mase289) - SQL injection N/A (VDP) 08/18/2020
Windows AppX Deployment Service Local Privilege Escalation (CVE-2020-1488) ACTIVELabs Microsoft Local privilege escalation - 08/18/2020
Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties Abss (@absshax) Google, [Undisclosed programs] Hardcoded API keys, Information disclosure $30,000+ 08/17/2020
Account Takeover Using Re-Register [ Bug Bounty ] Myo Min Thu (@myominthu1337) - Account takeover $2,048 08/17/2020
Stealing your data using XSS Viren Pawar (@VirenPawar_) - XSS - 08/17/2020
Witnet Network Bug Bounty: DOS Bug from Harsh Jain Harsh Jain Witnet DoS - 08/17/2020
InfluxDB Access at redact.8x8.com Myo Min Thu (@myominthu1337) 8x8 Lack of authentication - 08/16/2020
How I got 450$ just in one Google search (SQLi + RXSS)? Zhenwar Hawlery - XSS, SQL injection $450 08/16/2020
Disclosing wifi password via content provider injection in Xiaomi Vishwaraj Bhattrai (@vishwaraj101) Xiaomi Content provider injection, Vulnerable Android content provider - 08/16/2020
How I was able to send Authentic Emails as others — Google VRP [Resolved] Sriram Kesavan (@sriramoffcl) Google Logic flaw, HTML injection, Email spoofing, Open mail relay - 08/15/2020
How recon helped me to find an interesting bug… Vedant Tekale (@_justYnot) - Open redirect N/A (VDP) 08/15/2020
Open Sesame: Escalating Open Redirect to RCE with Electron Code Review Eugene Lim (@spaceraccoonsec) - Open redirect, RCE - 08/14/2020
Crowdsource Success Story: From an Out-of-Scope Open Redirect to CVE-2020-1323 Ozgur Alp (@ozgur_bbh) Microsoft Open redirect - 08/14/2020
Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020 Saugat Pokharel (@saugatpk5) Facebook Logic flaw, Privacy issue $6,000 08/14/2020
Improper Implementation of My Status video time limit in WhatsApp Vishal Ranjan Facebook Logic flaw, Privacy issue $0 08/14/2020
False2True, Match and Replace bug hunting — A cautionary tale Vuk Ivanovic - Privilege escalation - 08/14/2020
From Copy&Paste XSS To Full Account Takeover! be1807v (@BE1807V) - CSRF, Account takeover, XSS - 08/13/2020
Leaking AWS Metadata - The Unusual Way Shubham Garg (@nullb0t) - Information disclosure, RCE - 08/13/2020
Journey to my First Bug Hunt Bala Praneeth (@Begin_hunt) - CSRF $900 08/13/2020
Blind OS Command Injection Ashik B - Command injection - 08/12/2020
Cache poisoning of wget Vuk Ivanovic - Web cache poisoning $0 08/12/2020
Cracking the 2FA Rushikesh Gaikwad (@rsg_1212) - 2FA bypass - 08/12/2020
How I made $2000 with URL REDIRECTION? Simran Singh - Open redirect, SQL injection $2,000 08/12/2020
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon! Paolo Stagno (@Void_Sec) Microsoft Local privilege escalation - 08/11/2020
How I was able to find page/personal account disclosure on Instagram Ajay Gautam (@evilboyajay) Facebook Information disclosure $2,000 08/11/2020
Group Admin Can’t Able to Moderate Comments When Posted Through Page : Facebook Bug Bounty 2020 Prakash Panta (@Prakashpanta268) Facebook Logic flaw - 08/11/2020
CVE-2020-11518: how I bruteforced my way into your Active Directory Pieter Hiele (@honoki) - RCE, Insecure deserialization, Arbitrary file upload, Bruteforce - 08/10/2020
CSP Bypass Vulnerability in Google Chrome Discovered - Almost Every Website In The World Was At Risk Gal Weizman (@WeizmanGal) Google CSP bypass $3,000 08/10/2020
My 2nd 4digit Bug Bounty From Facebook Sudip Shah Facebook Logic flaw, Information disclosure - 08/10/2020
Bypassing 403 Michael Hyndman (@michaelhyndman) - Authentication bypass - 08/09/2020
Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom Mazin Ahmed (@mazen160) Zoom Information disclosure, RCE, Memory leak $0 08/08/2020
Bypassing Google Maps API Key Restrictions Aditya Dixit (@zombie007o) Google Logic flaw $0 08/08/2020
Bug Hunting with Param Miner: Cache poisoning with XSS, a peculiar case Vuk Ivanovic - XSS, Web cache poisoning - 08/08/2020
Reflected XSS in Facebook’s mirror websites Sudhanshu Rajbhar (@sudhanshur705) Facebook Reflected XSS $500 08/08/2020
The feature works as intended, but what’s in the source? Zseano (@zseano) - Information disclosure - 08/08/2020
How Our Co-Founder Earned $10.6K in just 10 Hours Tensecure Systems - Information disclosure $10,600 08/07/2020
Exploiting JWT - Lack of Signature Verification Aditya Dixit (@zombie007o) - Account takeover - 08/07/2020
Smear phishing: a new Android vulnerability Jim Fisher (@MrJamesFisher) Google Smear phishing $0 08/06/2020
Reflected XSS at fotoservice.hema.nl Jonathan Bouman (@JonathanBouman) Hema Reflected XSS, Open redirect - 08/06/2020
Blind SQL Injection at fasteditor.hema.com Jonathan Bouman (@JonathanBouman) Hema SQL injection - 08/06/2020
Stored XSS on Slack, Bug Bounty Tommysuriel Slack Stored XSS $4,875 08/06/2020
Apache Example Servlet leads to Debangshu Kundu (@debangshu_kundu) - Clickjacking - 08/06/2020
CSRF PoC mistake that broke crucial functions for the end user/victim Vuk Ivanovic - Logic flaw - 08/05/2020
I want all these features Mohamed Ayad - Logic flaw, Payment tampering - 08/05/2020
How I was able to do Mass Account Takeover[Bug Bounty] Not Rickyy (@RickyyNot) - Password reset flaw - 08/05/2020
Vulnerability in new TouchID feature put iCloud accounts at risk of being breached Thijs Alkemade (@xnyhps) Apple OAuth flaw, Account takeover - 08/03/2020
Rare Race Condition — P3 Mohammed Ehssan (@alone_Wwolf) - Race condition $0 (Duplicate) 08/03/2020
Account takeover in cups.mail.ru kminthein / weev3 (@kyawminthein99) Mail.ru Logic flaw, Password reset flaw, Account takeover $1,500 08/03/2020
Banning users Race condition Saddam Hussain (@wisdomfreak1) - Race condition - 08/02/2020
Multi-factor Auth Bypass with Password Reset Function Vaibhav Joshi (@vj0shii) - 2FA bypass, Password reset flaw, Account takeover - 08/02/2020
Refocusing in bug hunting, Bonus: An interestingly simple to test CSRF bypass Vuk Ivanovic - CSRF - 08/01/2020
CVE-2020-13379 Unauthenticated Full-Read SSRF in Grafana Justin Gardner (@Rhynorater) - SSRF, Open redirect - 08/01/2020
CVE-2020–9854: “Unauthd” - (three) logic bugs ftw! Ilias Morad (@A2nkF_) Apple Local Privilege Escalation, Logic flaw - 08/01/2020
Unauthd - Logic bugs FTW Ilias Morad (@A2nkF_) Apple Logic flaws - 07/31/2020
Bypassing OTP via reset password Ahmed Cj (@0x0Cj) - OTP bypass - 07/30/2020
Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code Zseano (@zseano) - Information disclosure - 07/30/2020
New features means new bugs Zseano (@zseano) - Logic flaw, Authorization flaw, Payment bypass - 07/30/2020
Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook Ashok Chapagai (@ashokcpg) Facebook Logic flaw - 07/30/2020
Exploiting Business Logic — Wallet Money Keshav Malik (@g0t_rOoT_) - Payment tampering, Logic flaw - 07/30/2020
One Click to Compromise – Fun With ClickOnce Deployment Manifests Dave Cossa (@G0ldenGunSec) Microsoft NTLMv2 hash disclosure, One-click execution of arbitrary .Net assemblies $0 07/30/2020
Zoom Security Exploit – Cracking private meeting passwords Tom Anthony (@TomAnthonySEO) Zoom CSRF, Lack of rate limiting $0 07/29/2020
THE NOOB WAY OF TAKING OVER ACCOUNTS Mudassir Sharief - Authorization flaw, Account takeover, Homograph attack $955 07/29/2020
Stealing your Paytm information using XSS Viren Pawar (@VirenPawar_) Paytm XSS INR 94,700 (~ $1,261) 07/29/2020
XSS, RCE & HTML File Upload in same endpoint TariKul IsLam (@sa1tama0) - XSS, RCE, Unrestricted file upload $1,200 07/29/2020
FFUF and my first bounty Suryansh Mansharamani - Information disclosure $300 07/29/2020
Authorization bypass in Google’s ticketing system (Google-GUTS) Zohar Shachar Google Authorization flaw $1,337 07/28/2020
Authentication_token_bypass Leads Too_idor mohit (@mohit29295572) - Authentication bypass - 07/28/2020
Pre-Access to Victim’s Account via Facebook Signup Akshansh Jaiswal (@Akshanshjaiswl) - OAuth flaw, Account takeover $500 07/28/2020
Bug HTML Injection On Tokopedia ! jowi Tokopedia HTML injection - 07/28/2020
CSRF + Open Redirect To Account Takeover R29k (@R29k_) - CSRF, Open redirect, Account takeover - 07/28/2020
CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data Matt Shockley(@mattshockl) Apple MacOS privilege escalation, Authorization flaw - 07/27/2020
Exploiting popular macOS apps with a single “.terminal” file. Vladimir Metnew (@vladimir_metnew) The Internet, Slack, Keybase, Telegram File Quarantine bypass $750 07/27/2020
An unreproducable bug due to the load balancer, an unusual Open Redirect bug tololovejoi (@tolo7010) - Open redirect - 07/27/2020
How I bypassed 2fa in a 3 years old private program! Shivangx01b (@shivangx01b) - 2FA bypass, Bruteforce, Lack of rate limiting - 07/26/2020
Obtained a bunch of sensitive data in just few steps — Hacking Airlangga Visnhu Murthi - AWS misconfiguration, Information disclosure $550 07/26/2020
A Simple IDOR which should not be missed on dating site ;) neelam - IDOR, Information disclosure - 07/26/2020
DNS Rebinding, The treacherous attack it can be Vuk Ivanovic - DNS Rebinding $0 (OOS) 07/25/2020
A $5000 Account Takeover neelam - Account takeover, Password reset flaw $5,000 07/25/2020
Hunting Android Application Bugs Using Android Studio. Tarek Mohammed (@Conan0x3) - Authorization flaw, Client-side enforcement of server-side security, Information disclosure $3,000 07/24/2020
HTTP Parameter Pollution - It’s Contaminated Shrey Shah (@ShreySh43332033) - HTTP parameter pollution - 07/24/2020
Disclose content of internal Facebook javascript modules ( Revisited ) Samm0uda (@samm0uda) Facebook Information disclosure, Authorization flaw - 07/23/2020
Hack Till Your Last Breath mechboy / m.u.h.e (@Muhe76355002) - IDOR $200 07/21/2020
Increasing reward points N number of time Saddam Hussain (@wisdomfreak1) - Logic flaw - 07/21/2020
Denial of Service(DoS) By Regex Ashik B - DoS - 07/20/2020
The $1,000 worth cookie Jadek Mark (@mase289) Mail.ru XSS $1,000 07/19/2020
DOS over wep application Mohamed Ayad - DoS - 07/19/2020
Chaining rate limiting for account lockout Sandip Oli - Lack of rate limiting - 07/19/2020
bypass user-restriction registration Mohamed Ayad - Logic flaw, Payment tampering - 07/18/2020
How I landed on my first bounty : No SPF / DMARC Record Found leading to Social Engineering Attack Fardeen Ahmed Lululemon No valid SPF records, No DMARC records $250 07/18/2020
Unique Case for Price Manipulation | BugBounty | VAPT Harshit Sengar (@sengarharshit1) - Payment tampering - 07/18/2020
Creative Android pin bypass with Race condition Baluz (@t3chman) - Race condition, Authentication bypass - 07/18/2020
Android pin bypass with rate limiting Baluz (@t3chman) - Lack of rate limiting, Authentication bypass - 07/18/2020
Idor in google product Baluz (@t3chman) Google IDOR $5,000 07/17/2020
How I lost my followers on Medium Florian (@fh4ntke) Medium GraphQL bug, Authorization flaw - 07/17/2020
The Story of My first 4 digit bounty from Facebook Sudip Shah Facebook Logic flaw, Information disclosure - 07/17/2020
I am able to see user’s sensitive data through JSON file. Saurabh siddharam sanmane (@saurabhsanmane2) - Information disclosure, Authorization flaw $150 07/17/2020
The 3 Day Account Takeover Mr. Beast (@mr_beast) - Logic flaw, Password reset flaw, Account takeover, Bruteforce, Lack of rate limiting - 07/17/2020
Exploiting Imported Libraries to Bypass WAF Greg Gibson - Reflected XSS - 07/14/2020
SSRF in import file function Rafael Silva - SSRF - 07/14/2020
How An API Misconfiguration Can Lead To Your Internal Company Data Me9187 (@Me9187) - Information disclosure - 07/12/2020
Self stored xss to full account takeover Jatin Aesthetic (@techyfreakk) - XSS, Account takeover - 07/12/2020
Bug Bounty Experience: Unvalidated Redirection Vulnerability Simply Secure - Open redirect - 07/12/2020
How I was able to change victim’s password using IDN Homograph Attack Abhishek Karle (@AbhishekKarle3) - IDN homograph attack $600 07/11/2020
A tale of critical account take over Shivam Pandey (@shivam31200) - Account takeover, Exposed JWT generation endpoint - 07/10/2020
Phone number validation bypass through url path manipulation . ben aymen (@ben_aymen_182) - OTP bypass $0 (Duplicate) 07/10/2020
Don’t stop at one bug \(\) Dheeraj Madhukar (@Dheerajmadhukar) - Open redirect, XSS, LFI - 07/10/2020
See whether a Hackercup Facebook participant allows recruitment contact Philippe Harewood (@phwd) Facebook Information disclosure, Logic flaw - 07/09/2020
Remote Denial-of-Service with Chrome Dan Lyton Google DoS $0 (OOS) 07/09/2020
Exploiting Application Logic to Referral Code Disclosure Vaibhav Joshi (@vj0shii) - Logic flaw, Information disclosure - 07/09/2020
Global grant uri in Android 8.0-9.0 (2018 year) Dzmitry Lukyanenka (@vulnano) Google Authorization flaw $0 (Duplicate) 07/09/2020
From N/A to Resolved For BackBlaze Android App[Hackerone Platform] Bucket Takeover Sahil Tikoo (@viperbluff) BackBlaze Hardcoded credentials, Information disclosure - 07/09/2020
Journey from low to critical bug $$$ Dheeraj Madhukar (@Dheerajmadhukar) - IDOR - 07/09/2020
From . in regex to SSRF — part 3 Niemiec Marcin (@xvnpw) - SSRF $400 07/07/2020
How I found 10 Remote Code Execution in 10 minutes CVE-2020–5902 Saransh Srivastav (@malfuncti0n_) - RCE - 07/07/2020
XSS in Zoom.us Signup Flow Eduardo Vela (@sirdarckcat) Zoom XSS - 07/07/2020
Free blockchain storage – Tale of a bug in Substrate’s FRAME runtime Mudit Gupta (@Mudit__Gupta) Parity Technologies Blockchain bug $250 07/07/2020
From . in regex to SSRF - part 1, Part 2 & Part 3 Marcin (@xvnpw) - SSRF, CRLF injection $400 07/07/2020
How i was able to bypass Email Confirm — P4 Mohammed Ehssan (@alone_Wwolf) - Information disclosure - 07/06/2020
Issue 1040755: Security: Another “universal” XSS via copy&paste Michał Bentkowski (@SecurityMB) Google Universal XSS, Browser bug $2,000 07/06/2020
My First Bug: Blind SSRF Through Profile Picture Upload swaysthinking (@swaysThinking) - SSRF - 07/05/2020
RCE via image upload functionality Adwaith KS - Unrestricted file upload, RCE - 07/05/2020
Case Study I - Browser Anomaly with Facebook Apps -1500$ easySIEM (@easySIEM) Facebook Authorization flaw $1,500 07/05/2020
Taking Over Files in a chat —IDOR in Microsoft Teams Aly Anwar (@alyanwarr) Microsoft IDOR $0 (N/A) 07/05/2020
From Host Header injection to SQL injection Daoud Youssef / smacker dodi (@daoud_youssef) - Host header injection, SQL injection - 07/05/2020
Why I paid 3.5K to become a TLD registrar reseller when doing bug bounty hg_real (@hgreal1) - XXE $7,500 07/05/2020
BBC Bug Bounty Write-up | XSS Vulnerability Pethuraj (@Pethuraj) BBC Reflected XSS $0, Swag 07/05/2020
How I got hall of fame in Microsoft Akash basnet (@noneofyou007) Microsoft XSS - 07/04/2020
EN | Account Takeover and Sensitive Data Leakage via CORS Misconfiguration Lütfü Mert Ceylan (@lutfumertceylan) - CORS misconfiguration, CSRF, Account takeover - 07/04/2020
CSRF Attack!!! Bala Praneeth (@Begin_hunt) - CSRF $500 07/04/2020
Bug bounty write-up: From SSRF to $4000 & Video thehackerish (@thehackerish) - SSRF, RCE $4,000 07/03/2020
[Writeup][Bug Bounty][Tokopedia] Manipulate Other User’s Cart and Wishlist on Tokopedia [EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Tokopedia IDOR $135 07/03/2020
Breaking Business Logic via Coupons — The Story of my 1st Valid Bug Bounty Dominic Ifediri (@Edi4all) - Payment tampering, Logic flaw - 07/03/2020
How i got 200$ with an out of the box open redirect vulnerability Tarek Galleze - Open redirect, Token theft $200 07/03/2020
Price Tampering due to Improper checks on applying Coupon Vaibhav Joshi (@vj0shii) - Payment tampering, Logic flaw - 07/03/2020
Admin disclosure of Facebook verified pages/ Disclose Facebook employee assigned to help a verified page. Samm0uda (@samm0uda) Facebook Information disclosure $5,500 07/02/2020
Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text Yasho (@YShahinzadeh) Virgool SSRF $2,500 07/02/2020
How I made $1500 dollars using base64 decoder :) Dilip (@dilip_spartn) - Information disclosure $1,500 07/02/2020
Misconfigured S3 Bucket Access Controls to Critical Vulnerability Harsh Bothra (@harshbothra_) - AWS misconfiguration - 07/02/2020
Blast from the past: Cross Site Scripting on the AWS Console Johann Rehberger (wunderwuzzi23) Amazon DOM XSS - 07/01/2020
Art of bug bounty: a way from JS file analysis to XSS Jakub Żoczek (@zoczus) Verizon Media, Tumblr XSS $1,000 07/01/2020
ZombieVPN, Breaking That Internet Security 0xSha (@0xsha) Bitdefender, AnchorFree RCE, Deserialization - 07/01/2020
Stored XSS with Password Recovery Page Lütfü Mert Ceylan (@lutfumertceylan) - Stored XSS - 07/01/2020
Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run CertiK (@certik_io) Symbol XSS, RCE - 07/01/2020
Story of stealing mail conversation, contacts in mail.ru and myMail iOS applications via XSS kminthein / weev3 (@kyawminthein99) Mail.ru Stored XSS $1,000 06/30/2020
Using Inspect Element to Bypass Security restrictions | Bug Bounty POC Muhammad Khizer Javed (@khizer_javed47) - Client-side enforcement of server-side security - 06/30/2020
Patched Zoom Exploit: Altering Camera Settings via Remote SQL Injection Keegan Ryan (@inf_0_) Zoom SQL injection $2,000 06/29/2020
API Endpoint leads to Account Takeover In Android Application Adesh Nandkishor kolte (@AdeshKolte) - Exposed token generation endpoint, Information disclosure - 06/28/2020
Taking over Azure DevOps Accounts with 1 Click Sean Yeoh (@seanyeoh) Microsoft Subdomain takeover, Account takeover $3,000 06/28/2020
How I hacked a bank their application using it for hacking another bank company — 10K XSS hg_real (@hgreal1) - XSS $10,000 06/28/2020
How I was able to take over any account via the Password Reset Functionality. Firas Fatnassi (@Fatnass1F1ras) - Password reset flaw, Account takeover - 06/28/2020
An attempt to escalate a low-impact hidden input XSS Ayush Ojha (@officialaimm) - XSS - 06/28/2020
How I Bypassed open redirect and i have get reward from yandex Mino Metidji (@minometidjii) Yandex Open redirect $100 06/27/2020
How i hacked worldwide ZOOM users s3c (@s3c_krd) Zoom OAuth flaw, Account takeover - 06/27/2020
Create hidden comment by blocking an Admin: Facebook Bug Bounty 2020 Saugat Pokharel (@saugatpk5) Facebook Logic flaw - 06/25/2020
Bug Bounty in Lockdown (SQLi and Business Logic) Abhishek Yadav (@abhishake100) - SQL injection, Logic flaw - 06/24/2020
All About Getting First Bounty with IDOR Mukul Trivedi (@M0hn1sh) - IDOR - 06/23/2020
Exploiting Bitdefender Antivirus: RCE from any website Wladimir Palant (@WPalant) Bitdefender RCE, Information disclosure $0 (Declined by bug hunter) 06/22/2020
A tale of my first ever full SSRF bug Jadek Mark (@mase289) - SSRF $1,000 06/22/2020
Leveraging an SSRF to leak a secret API key Julien Cretel (@jub0bs) - SSRF $1,000 06/22/2020
API Token Hijacking Through Clickjacking DarkLotus (@darklotuskdb) - Clickjacking - 06/22/2020
How i was able to chain bugs and gain access to internal okta instance Mmohammed Eldeeb (@malcolmx0x) - Lack of authentication - 06/22/2020
It took me only 5 minutes to find an RCE on Bentley Divyansh Sharma Bentley RCE, Weak credentials $300 06/21/2020
Simple story of some complicated XSS on Facebook Bipin Jitiya (@win3zz) Facebook Reflected XSS - 06/21/2020
Bypass 2FA like a Boss Seqrity (@seQrity) - Lack of rate limiting, Bruteforce $0 (Duplicate) 06/20/2020
How did i find information Disclosure on Facebook-Writeup Alaa Abdulridha (@Madrid89001310) Facebook Information disclosure $1,500 06/20/2020
Hacking Starbucks and Accessing Nearly 100 Million Customer Records Sam Curry (@samwcyo) Starbucks Path traversal $4,000 06/20/2020
From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration YoKo Kho (@YokoAcc) - Information disclosure, MFA bypass $500 06/19/2020
One Token to leak them all : The story of a $8000 NPM_TOKEN Aseem Shrey (@AseemShrey) Google Information disclosure $8,000 06/19/2020
Replying on LiveStream leading to Page Admin Disclosure: Facebook Bug Bounty Saugat Pokharel (@saugatpk5) Facebook Information disclosure - 06/18/2020
Hackerone Bug Bounty Report: Hinge Tyle Butler (@tbutler0x90) Hinge Information disclosure $250 06/18/2020
A subtle stored-XSS in WordPress core Sam Thomas (@_s_n_t) Wordpress Stored XSS, RCE - 06/17/2020
Bug bounty bout report 0x01 - WebRTC edition Enable Security (@enablesecurity) - Outdated component with a known vulnerability, DoS, RCE, Default credentials, SSRF - 06/16/2020
How I made more than $30K with Jolokia CVEs Patrik Fehrenbach (@ITSecurityguard) - Reflected XSS, RCE, Information disclosure $33,500 06/16/2020
How I managed to Escalate privilege as admin Abisheik Magesh (@AbisheikMagesh) - Lack of rate limiting, Bruteforce, Weak credentials - 06/16/2020
How I was able to buy t-shirt for €1 — Payment Price Manipulation Muztahidul Tanim (@TheMuztahidul) - Payment tampering $2,000 06/16/2020
All *.intercom.help subdomains vulnerable to Subdomain Takeover from intercom Service Mohamed Haron (@m7mdharon) Intercom Subdomain takeover $0 (N/A) 06/16/2020
Tail of IDOR Saddam Hussain (@wisdomfreak1) - IDOR $300 06/16/2020
SMTP Injection in Gsuite Zohar Shachar Google SMTP injection $3,133.7 06/15/2020
Reflected User Input == XSS! Silent Bronco (@silentbronco) - Reflected XSS $50 06/15/2020
Business logic flaw in the invitation system allows to Takeover any account at a private company Daniel V. (@d4niel_v) - Account takeover, IDOR - 06/15/2020
Another “Fappening” on the Horizon? Sociosploit Apple Account takeover, Phishing - 06/15/2020
How to Secure AWS ServerLess Lambda from ReDoS(Regular Expression Denial-of-Service) & Resultant Financial Impact Ddigvijay (@itsdig) - ReDoS - 06/14/2020
Privilege escalation in Partners Portal to Admin access Samm0uda (@samm0uda) Facebook Privilege escalation - 06/14/2020
Disclose internal files related to testing of some Facebook tools Samm0uda (@samm0uda) Facebook Information disclosure - 06/14/2020
Disclose the Instagram account linked to a Facebook user account or page Samm0uda (@samm0uda) Facebook Information disclosure - 06/14/2020
Internal directories enumeration in www Samm0uda (@samm0uda) Facebook Information disclosure, Internal directories enumeration - 06/14/2020
From . in regex to SSRF — part 1 & From . in regex to SSRF — part 2 Niemiec Marcin (@xvnpw) - SSRF - 06/14/2020
RACE Condition vulnerability found in bug-bounty program Pravinrp - Race condition - 06/13/2020
Account Takeover via OTP Bruteforce (Apigee API) Vishnuraj - OTP bypass, Bruteforce, Lack of rate limiting - 06/13/2020
DoS and BugBounties :A series of DoS attacks on HackerOne Ninad Mishra (@iamr000t) - DoS $500 06/12/2020
Let’s Bypass CSRF Protection & Password Confirmation to Takeover Victim Accounts :D Harsh Bothra (@harshbothra_) - CSRF - 06/12/2020
Race Conditions - Exploring the Possibilities Milind Purswani (@MilindPurswani) Reddit, [Private programs] Race condition - 06/11/2020
HUNT for SQL Injection- The Smart Way! Mudassir Sharief - SQL injection - 06/11/2020
The Frustrating XSS Mr. Beast (@mr_beast) - XSS - 06/11/2020
Guest Blog: From File Upload to RCE Lukasz Wierzbicki (@v13rs8a) - Unrestricted file upload, RCE - 06/10/2020
Privilege Escalation by Changing HTTP Response (Admin Access) Bachrudin Ashari Pujakusuma (@Bachrudinashari) - Privilege Escalation IDR 8.000.000 (~ $563) 06/10/2020
Utilizing Lockdown: Blind Sqli leads to Account Takeover & Data Extraction Shakti Mohanty (@3ncryptSaan) - Blind SQL injection, Account takeover $1,400 06/10/2020
The “P5” Link Injection Story Silent Bronco (@silentbronco) - Link injection - 06/10/2020
Abusing Microsoft Teams rate limiting for DDoS Omayr Zanata (@omayrzanata) Microsoft DoS $0 (Informative) 06/10/2020
Cmd Hijack - a command/argument confusion with path traversal in cmd.exe Julian Horoszkiewicz Microsoft OS Command injection, Path traversal $0 (Informative) 06/10/2020
The Accidental RCE Mr. Beast (@mr_beast) - Unrestricted file upload $4,800 06/09/2020
This is fine 🐶 Ricardo Iramar dos Santos (@ricardo_iramar) - Information disclosure $0 (Informative, Won’t fix) 06/08/2020
Different host header injection worth 2k Imran Nissar (@Imrannissar3) - Host header injection $2,000 06/07/2020
How i earned $500 from google by change one character . Oday Alhalbe Google CSRF $500 06/06/2020
XSS to Database Credential Leakage & Database Access — Story of total luck! Harsh Bothra (@harshbothra_) - Reflected XSS, Information disclosure - 06/06/2020
From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response YoKo Kho (@YokoAcc) - Privilege Escalation $1,000 06/06/2020
Multiple Information exposed due to misconfigured Service-now ITSM instances Th3G3nt3lman - Lack of authentication, Information disclosure $30,000 06/05/2020
Account takeover via postMessage socket (@yxw21) - Account takeover, postMessage bug $1,500 06/05/2020
Local file read via XSS using PDF generate functionality Sanjay Singh Jhala (@lordjerry0x01) - XSS, LFI - 06/05/2020
Story of Blind SQL with a typo error. Amyrahm (@Amyrahm11) - SQL injection - 06/05/2020
[IDOR] Delete saved credit cards from any Business Manager Account — Facebook Bug Bounty Rohit kumar (@rohitcoder) Facebook IDOR - 06/05/2020
Three Privilege Escalation Bugs in Google Cloud Platform’s OS Login initstring (@init_string) Google Local privilege Escalation - 06/04/2020
Another image removal vulnerability on Facebook Pouya Darabi (@Pouyadarabi) Facebook IDOR $10,000 06/04/2020
Privilege Escalation in Google Cloud Platform’s OS Login Chris Moberly (@init_string) Google Privilege escalation - 06/04/2020
How I got my first big bounty payout with Tesla CJ Fairhead (@xyantix) Tesla Information disclosure $5,000 06/04/2020
From CRLF to Account Takeover Valeriy Shevchenko (@Krevetk0Valeriy) - CRLF, HTTP response splitting, Reflected XSS, Account takeover - 06/03/2020
IP-in-IP protocol routes arbitrary traffic by default yannayl (@Yannayli) The Internet DoS, Spoofing $750 06/02/2020
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers Michał Bentkowski (@securitymb) Google, Mozilla XSS $30,000 06/02/2020
Double URL-encoded XSS vict0ni (@vict0ni) - Reflected XSS - 06/02/2020
When it’s not only about a Kubernetes CVE… Reever Zax (@ReeverZax) & Hach (@_hach) Microsoft SSRF +$40,000 06/02/2020
Information disclosure and reflected XSS on Tokopedia wis4nggeni Tokopedia Reflected XSS, Information disclosure - 06/01/2020
How I leveraged an interesting CSRF vulnerability to turn self XSS into a persistent attack? Akash Methani (@0xAkash) - Self XSS, CSRF - 06/01/2020
How I made $31500 by submitting a bug to Facebook Bipin Jitiya (@win3zz) Facebook SSRF $31,500 05/31/2020
h1{Error based XXE - bug bounty writeup} f4d3 (@f4d3_cl) - XXE - 05/31/2020
Hunting on ASPX Application For P1’s [Unauthenticated SOAP,RCE, Info Disclosure] ElMahdi Mrhassel (@ElMrhassel) - RCE, Information disclosure, IDOR - 05/31/2020
Weird “Subdomain Take Over” pattern of Amazon S3 Simgamsetti Manikanta (@zaheckmania) - Subdomain takeover - 05/31/2020
The story of My First $xxx Bug Bounty From Facebook Sudip Shah Facebook Logic flaw, Information disclosure - 05/31/2020
Cross-site scripting: The power of the hidden parameters. Kassih Mouhssine (@KassihMouhssine) Sony Reflected XSS - 05/30/2020
Zero-day in Sign in with Apple Bhavuk Jain (@bhavukjain1) Apple Account takeover $100,000 05/30/2020
Microsoft’s first bug Lê Hữu Quang Linh (@linhlhq) Microsoft File format vulnerability - 05/30/2020
Weak Cryptography Leads To Open Redirect DarkLotus (@darklotuskdb) - Open redirect - 05/30/2020
Analysis of CVE-2020-13693 Raphael Karger (@aptNum) Wordpress Privilege escalation - 05/29/2020
My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft Ben Sadeghipour (@nahamsec) & Serafina (Sera) Tonin Brocious (@daeken) Lyft SSRF - 05/29/2020
IDOR in session cookie leading to Mass Account Takeover Zonduhackerone (@zonduu1) - IDOR, Account takeover $2,000 05/29/2020
XSS Stored On Messages In [ Outlook Web — Outlook Android App ] ElMahdi Mrhassel (@ElMrhassel) Microsoft Stored XSS - 05/28/2020
Bypassing WAF to perform XSS Kleitonx00 - XSS - 05/28/2020
How I was able to see Private Video Uploader Via Facebook Rights Manager.[Responsible Disclosure] Kishore TK (@kishoretk_off) Facebook Information disclosure - 05/28/2020
A Long Overdue Write-up: How I got into the Oppo Hall of Fame Shibin B. Shaji (@shibinbshaji06) Oppo Login screen bypass, Authentication bypass 10,000 INR (~ $133) 05/28/2020
Clickjacking to Account Takeover Abhishek Yadav (@abhishake100) - Clickjacking - 05/28/2020
iOS Outlook Stored XSS Write-Up($3000) kminthein (@kyawminthein99) Microsoft XSS $3,000 05/28/2020
Stored XSS in Microsoft outlook kminthein (@kyawminthein99) Microsoft Stored XSS - 05/28/2020
Stored XSS in Yahoo mail IOS app($3500) kminthein (@kyawminthein99) Yahoo Stored XSS $3,500 05/28/2020
Android : SOP Bypass to steal system files. Rahul Kankrale (@RahulKankrale) - SOP bypass - 05/28/2020
Bug Hunting Stories: Schneider Electric & The Andover Continuum Web.Client Niv Levy (@restr1ct3d) Uber XXE, Reflected XSS - 05/27/2020
No-Rate and Input limitations on password reset page chained into Denial Of Service attack on one of US Dept of Defense website. Gal Nagli (@naglinagli) U.S. Dept Of Defense Password reset flaw, DoS, Lack of rate limiting - 05/27/2020
Chaining an IDOR with a business-logic error to achieve critical impact Julien Cretel (@jub0bs) - IDOR, Logic flaw - 05/26/2020
How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber Andrey Abakumov (@andrewaeva) Uber HTTP request splitting, SSRF, CRLF, RCE - 05/25/2020
Story About OTP Bypass To Stored XSS PJ Borah (@PJBorah1) - OTP bypass, Stored XSS - 05/23/2020
Using P3 Bug to escalate other P4 to P3 Saddam Hussain (@wisdomfreak1) - Information disclosure - 05/22/2020
How Source code reading helped me find an IDOR Sanjay Verdu (@codersanjay) - IDOR, Information disclosure $0 (Swag) 05/22/2020
My First Bug Bounty — 2 Factor Authentication Bypass Talatmehmood - OTP bypass $100 05/22/2020
Parsing the DOM elements of Other pages via XSS: A Bug Bounty Story Mandeep Jadon (@1337tr0lls) - XSS, Information disclosure - 05/22/2020
RCE in Google Cloud Deployment Manager Ezequiel Pereira (@epereiralopez) Google SSRF, RCE $31,337.00 05/21/2020
Bypassing Message Request inbox Abdellah Yaala (@yaalaab) Facebook Authorization flaw, Logic flaw - 05/21/2020
Change any link at https://fbwat.ch/ Philippe Harewood (@phwd) Facebook Authorization flaw, Logic flaw $1,000 05/20/2020
Become member of close & public group abdellah yaala Facebook Authorization flaw, Logic flaw $7,500 05/20/2020
Easy bounties with subdomain discovery - Using Project Sonar for bug bounty Torben Capiau (@TorbenCapiau) Bpost Broken access control, Authorization flaw $100 05/20/2020
How I got 200$ in 5 minutes – Sensitive data leak Sanjay Verdu (@codersanjay) - Information disclosure $200 05/19/2020
How I was Able To Bypass Email Verification Saddam Hussain (@wisdomfreak1) - Email verification bypass $0 (Duplicate) 05/19/2020
Teradici and CVE-2020-10965: An issue of routing. Benjamin Heald (@heald_ben) Teradici, [Private program] Lack of authentication $1,350 05/18/2020
FB & Messenger for iOS : Address Bar spoofing using data uri Rahul Kankrale (@RahulKankrale) Facebook Address Bar Spoofing, URL spoofing $3,000 05/18/2020
CVE-2020–1088 — Yet another arbitrary delete EoP Søren Fritzbøger (@fritzboger) Microsoft Windows privilege escalation - 05/18/2020
Multiple flaws leads to Account Takeover within an Application Harshit Sengar (@sengarharshit1) - Account takeover, Password reset flaw, Sign-up flaw - 05/18/2020
My first 10k bdt bounty from an e-commerce site Md Saikat - IDOR 10,000 BDT (~ $117) 05/18/2020
Tale of Account Takeovers (Part-2) Vijaysimha Reddy Bathini (@fatratfatrat) - Account takeover - 05/17/2020
Stored XSS Leads to Plaintext Password Disclosure bad5ect0r (@bad5ect0r) - Stored XSS, Information disclosure, Unrestricted file upload - 05/17/2020
One Param => $10k Bilal Khan (@bilalmerokhel) - IDOR, XSS, Account takeover $10,000 05/17/2020
Account takeover CSRF Misconfiguration Saddam Hussain (@wisdomfreak1) - CSRF, Account takeover - 05/17/2020
Logical Bug which let me stop Users from Creating Ads at a Website Merbin Russel (e_23_e) - Logic flaw, DoS - 05/17/2020
Vulnerability – Account takeover using OAuth Misconfiguration Saddam Hussain (@wisdomfreak1) - OAuth misconfiguration, Account takeover, CSRF $300 05/16/2020
How I was able to make users loss of money on Google Pay santuySec (@santuySec) Google Clickjacking $0 (Duplicate) 05/16/2020
Chained Bugs [ Account TakeOver ] Bilal Khan (@bilalmerokhel) - IDOR, XSS, Account takeover $1,050 05/16/2020
Password Reset Poisoning leading to Account Takeover Swapnil Maurya (@swapmaurya20) - Password reset flaw, Account takeover - 05/16/2020
How I got my first swag on Edmodo with a simple XSS. Sanjay Verdu (@codersanjay) Edmodo Stored XSS $0 (Swag) 05/16/2020
Weak Cryptography in Password Reset to Full Account Takeover Harsh Bothra (@harshbothra_) - Account takeover, Password reset flaw, Cryptographic issues - 05/15/2020
Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability Talatmehmood - Payment tampering - 05/14/2020
$3000 Bug Bounty Award from Mozilla for a successful targeted Credential Hunt Johann Rehberger (wunderwuzzi23) - Information disclosure $3,000 05/13/2020
Lucky Bug Which Let Me Change Name of Every Accounts at a Single Click Merbin Russel (e_23_e) - SQL injection - 05/13/2020
Change the profanity filter for any Facebook page Philippe Harewood (@phwd) Facebook Authorization flaw, Logic flaw $750 05/12/2020
Magic of the Back Slash Anil Tom (mr_4nk) - Path traversal $2,100 05/11/2020
How I made $10K in bug bounties from GitHub secret leaks Tillson Galloway (tillson_) - Information disclosure $10,000 05/10/2020
Bypass XSS filter using HTML Escape Syahri Ramadan (@adonkidz7) Google XSS $4,133.70 05/08/2020
$20000 Facebook DOM XSS Vinoth Kumar (@vinodsparrow) Facebook DOM XSS $20,000 05/07/2020
I Found XSS Security Flaws in Rails – Here’s What Happened. Jesse Campos Ruby on Rails XSS $500 05/07/2020
DOM-Based XSS at accounts.google.com by Google Voice Extension. missoum1307 (@missoum1307) Google DOM XSS $3,133.7 05/07/2020
How we Hijacked 26+ Subdomains Aishwarya Kendle (@aish_kendle) - Subdomain takeover - 05/07/2020
DOM XSS Walkthrough Youssef Lahouifi (@YLahouifi) - DOM XSS - 05/06/2020
Google Acquisition XSS (Apigee) TnMch (@TnMch_) Google XSS - 05/06/2020
A tale of verbose error message and a JWT token Marek Geleta (@marek_geleta) - Information disclosure, Authorization flaw - 05/05/2020
Cool paste jacking attack earned me $$$ Aman Rawat (@theamanrawat) - Paste jacking - 05/04/2020
DOM XSS in Gmail with a little help from Chrome Enguerran Gillier (@opnsec) Google DOM XSS $5,000 05/03/2020
#BugBounty — Adding Money Using Response Modification Line_no 6 - Payment tampering, Logic flaw - 05/03/2020
Private Dashboards were accessible by other Admins in Analytics Dashboard Rohit kumar (@rohitcoder) Facebook Authorization flaw - 05/02/2020
Reflected XSS on Microsoft.com via Angular Js template injection Pratik Dabhi (@impratikdabhi) Microsoft CSTI, XSS - 05/02/2020
Blind SSRF on coda.io Kleitonx00 Coda SSRF $0 (OOS) 05/02/2020
Exposure of Facebook object type by knowing the object ID Samm0uda (@samm0uda) Facebook Information disclosure - 05/02/2020
Add draft subtitles to any Facebook video and Full Path Disclosure Samm0uda (@samm0uda) Facebook Information disclosure - 05/02/2020
Ok Google! bypass ‘flag_secure’ Pankaj Upadhyay (@_pupadhyay) Google Authorization flaw - 05/01/2020
The Story of Blind SSRF leads to internal Host discovery. kaustubh padwad (@s3curityb3ast) - SSRF $0 (OOS) 05/01/2020
Hacking Razer Pay Ewallet App Richard Tan (@sambal0x) Razer IDOR $6,000 04/30/2020
Researching Polymorphic Images for XSS on Google Scholar Lorenzo Stella (@lorenzostella) Google Stored XSS $9,401.1 04/30/2020
[Bug Bounty Writeups] Exploiting SQL Injection Vulnerability Ahmed ElTijani - SQL injection $2,000 04/30/2020
Account taken over in style !!! kishore hariram (@kishorehariram) - Logic flaw, CSRF, Account takeover - 04/30/2020
Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin Florian Courtial (@theflofly) Trello XSS $3,600 04/29/2020
Indirect UXSS issue on a private Android target app Kunal pandey (@kunalp94) - UXSS $1,000 04/29/2020
Recon to Sensitive Information Disclosure in Minutes Harsh Bothra (@harshbothra_) - Information disclosure, Outdated component with a known vulnerability - 04/28/2020
Private giant chat app – Send message to victim while sender blocked Rahul Kankrale (@RahulKankrale) - Authorization flaw, Logic flaw - 04/28/2020
Piercing the Veal: Short Stories to Read with Friends d0nut DuckDuckGo, [Private programs] SSRF $4,800 04/27/2020
Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams Omer Tsarfati (@OmerTsarfati) Microsoft Account takeover, Subdomain takeover - 04/27/2020
Bitrix WAF bypass Roma Ramazanoff (@r0hack) Mail.ru Reflected XSS $300 04/27/2020
1-click RCE on Keybase smaury (@smaury92) Keybase RCE $0 (Duplicate) 04/27/2020
Fun With CORS Misconfiguration — II Aman Gupta (@gupt4j1) - CORS misconfiguration, XSS - 04/25/2020
Web Cache Poisoning in Postmates [$1500] Aung Pyae Ko Ko (@BlcKVRtuL1) Postmates Web cache poisoning $1,500 04/24/2020
From Recon to P1 (Critical) — An Easy Win Harsh Bothra (@harshbothra_) - Exposed registration page - 04/24/2020
Two Factor Authentication Bypass [ $50 ] Aung Pyae Ko Ko (@BlcKVRtuL1) - 2FA bypass $50 04/24/2020
Messenger Rooms Bug Bounty Write-up Jane Manchun Wong (@wongmjane) Facebook Privilege escalation, Authorization flaw - 04/24/2020
Hiding ourself in close friend’s list and avoiding victim to remove us from his close friend’s list. Baibhav Anand (@SpongeBhav) Facebook Authorization flaw, Logic flaw $500 04/23/2020
Misconfigured WordPress takeover to Remote Code Execution Smaran Chand (@smaranchand) - Wordpress takeover, RCE, Security misconfiguration - 04/22/2020
From P5 to P2, from nothing to 1000+$ Mohamed Daher (@DaherMohamed4) - Race condition, Self-XSS, Blind XSS > $1,000 04/22/2020
The Secret sauce of bug bounty Mohamed Slamat (@oxxy37) - CSTI, Stored XSS, CORS policy bypass - 04/22/2020
Exploiting a Race Condition Vulnerability Vivek Kumar Singh (@v7nc3nz) - Race condition - 04/22/2020
CORS bug on GOOGLE’s 404 page REWARDED!!! Jayateertha Guruprasad (@JayateerthaG) Google CORS misconfiguration - 04/21/2020
DOM based open redirect to the leak of a JWT token Adolphoramirez - Open redirect, DOM-based open redirect, OAuth token theft - 04/20/2020
Google Maps API (Not the Key) Bugs That I Found Over the Years Ozgur Alp (@ozgur_bbh) Google Logic flaws - 04/19/2020
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts Sam Curry (@samwcyo) Rocket League HTTP cache poisoning, Open redirect N/A (VDP) 04/19/2020
How was i able to find privilege escalation. Akshar Tank (@Akshar__tank) - IDOR, Authorization flaw - 04/18/2020
Here is the Non Technical write-up on Technical Bug for My Second Bounty of $xxxx From Facebook Ashok Chapagai (@ashokcpg) Facebook Logic flaw, Privacy issue - 04/17/2020
Strange Redirect (Fixed but no bounty) Abhishek Yadav (@abhishake100) - Open redirect - 04/17/2020
OTP Verification Bypass Kanhaiya Kumar Singh - OTP bypass - 04/17/2020
[Writeup][Bug Bounty][Instagram] Instagram Still Send New DMs and Video Calls to Device After Logout [ID][EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Facebook (Instagram) Session management flaw $750 04/16/2020
Tricky Oracle SQL Injection Situation yappare (@yappare) - SQL injection - 04/16/2020
Netflix Party — XSS Vulnerabilities kr-b (@pirxcy) Netflix XSS - 04/14/2020
$55,000 Facebook token leak vs Funny Airline token leak. MasterSEC (@MasterSEC_AR) - XSS $0, 50,000 miles 04/14/2020
Business Logic Errors - A New Look Shrey Shah (@ShreySh43332033) - Logic flaw - 04/14/2020
Bounty Tip !! Easiest way to bypass API’s Rate Limit. Shaurya Sharma (@ShauryaSharma05) - Rate limiting bypass - 04/14/2020
Hacking a Telecommunication company(MTN) Afolic MTN Group OTP bruteforce - 04/13/2020
How i Unlocked the blocked accounts? Maria Zulfiqar - Password reset flaw, HTTP parameter pollution, IDOR - 04/11/2020
The story of a fuzzing integration reward Andrea Brancaleoni (@nJoyneer) Google Memory corruption bug $10,000 bounty 04/08/2020
Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs Thomas Orlita (@ThomasOrlita) Google IDOR - 04/07/2020
Unrestricted CV File Upload vict0ni (@vict0ni) - Unrestricted file upload - 04/07/2020
Stored XSS in Google Nest Harikrishnan Chandraganesan (@hari_cybex) Google Stored XSS - 04/07/2020
$3K Bounty For Elastic-Search Takeover Ashish Kunwar (@D0rkerDevil) - Elastic-Search Takeover $3,000 04/06/2020
How we abused Slack’s TURN servers to gain access to internal services Sandro Gauci (@sandrogauci) Slack SSRF $3,500 04/06/2020
How a Simple CSRF Attack Turned into a P1 Level Bug Lady Secspeare (@bejuveria_) - CSRF, Account takeover - 04/05/2020
Page Admin Disclosure: Facebook Bug Bounty 2020 Saugat Pokharel (@saugatpk5) Facebook Information disclosure, Logic flaw - 04/04/2020
Cannot Delete Post on Facebook Group: Facebook Bug Bounty Saugat Pokharel (@saugatpk5) Facebook Logic flaw - 04/04/2020
Playing with JSON Web Tokens for Fun and Profit Muhammad Qasim Munir (@MeetAn0nym0us) - Password reset flaw, Email confirmation bypass - 04/04/2020
Touch ID Authentication Bypass on Evernote and Dropbox IOS Apps Sahil Tikoo (@viperbluff) Evernote, Dropbox Authentication bypass - 04/03/2020
iPhone Camera Hack Ryan Pickren Apple Zero-Click Unauthorized Access to Sensitive Data $75,000 04/02/2020
Hundreds of internal servicedesks exposed due to COVID-19 Inti De Ceukelaire (@securinti) - Security misconfiguration >$10,000 04/02/2020
Always escalate! From Self-XSS to Persistent XSS on Login Portal Phuriphat Boontanon (@zanezenzane) - Self XSS, CSRF $650 04/02/2020
Account Take Over without user Interaction Ravilla Bharath - Password reset flaw, Information disclosure, Account takeover $0 (Duplicate) 04/02/2020
Privilege Escalation - Hello Admin Shrey Shah (@ShreySh43332033) - Privilege escalation - 04/02/2020
The story of my first ever, 1500$, bounty from Facebook. Ashok Chapagai (@ashokcpg) Facebook Logic flaw $1,500 04/01/2020
$3133.7 Google Bug Bounty Writeup- XSS Vulnerability! Pethuraj (@Pethuraj) Google Reflected XSS $3,133.7 04/01/2020
Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Microsoft RCE $0 03/31/2020
Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability Duc Nguyen (@ducnt_) - SQL injection - 03/31/2020
Hacking makes me forget my pain Abida Fahd - SQL injection - 03/31/2020
Limited freemarker ssti to arbitrary liql query and manage lithium cms Mert (@mertistaken) & F. Celal Erdik (@celalerdik) - SSTI - 03/30/2020
Restriction is not a promise : Privilege escalation on Google. Hariharan.s (@DJHARIZ1) Google Privilege escalation, Authorization flaw $500 03/30/2020
CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS cliqz (@cliqz) Mozilla, Brave Universal XSS - 03/30/2020
OTP Bruteforce- Account Takeover Ranjit Kumar - OTP bruteforce, Account takeover - 03/29/2020
Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study Abdulrahman Nour (@aboodnour) Bitdefender RCE $5,000 03/28/2020
Executing scripts in Safari Reader Mode to CSP Bypass Nikhil Mittal (@c0d3G33k) Apple XSS, CSP bypass - 03/28/2020
I Want that Cookie !!! Adnan Malik (@infoadnanmalik) - Logic flaw - 03/27/2020
Exploiting magic links, critical bugs are one line away 0xSha (@0xsha) Razer Information disclosure, Lack of authentication $0 (Duplicate) 03/27/2020
1st Bug Bounty Write-Up — Open Redirect Vulnerability on Login Page Phuriphat Boontanon (@zanezenzane) - Open redirect $250 03/27/2020
Getting lucky in bug bounty — shamelessly profiting off of other’s work Jeppe Bonde Weikop - Authentication bypass, Lack of rate limiting, Credentials sent over unencrypted channel $3,200 03/26/2020
Account Takeover Flow In Mail.ru ‘s Ext.A Domain [ $150 ] Myo Min Thu (@myominthu1337) - Logic flaw, Account takeover $150 03/26/2020
Exploitation of the CVE-2018-15961 – Unrestricted File Upload in Adobe ColdFusion Supras (@LdrTom) - Unrestricted file upload - 03/26/2020
Stealing Videos From VLC Dhiraj (@RandomDhiraj) The Internet IDOR - 03/26/2020
XSS WAF & Character limitation bypass like a boss Prial Islam Khan (@prial261) - XSS - 03/25/2020
Self XSS to Account Takeover Ch3ckM4te - Account takeover, XSS, CSRF - 03/24/2020
Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image) Muhammad R. Maulana - RCE, Unrestricted file upload - 03/21/2020
API DOCS takeover on Readme.io Oktavandi (@0ktavandi) - Subdomain takeover - 03/19/2020
EN | Administrator level Privilege Escalation story Samet Sahin (@sametsahinnet) - Privilege escalation $0 (Duplicate) 03/19/2020
Reflected XSS on microsoft.com subdomains Raimonds Liepins (@lv_linkers) Microsoft Reflected XSS $0 03/19/2020
Hacking — Always Check the Cross-domain Policy Jack Starbucks SOP bypass, CSRF $750 03/19/2020
XXE-scape through the front door: circumventing the firewall with HTTP request smuggling Pieter Hiele (@honoki) - XXE - 03/18/2020
Where is my Train : Tracking to Hacking ! Anil Tom (mr_4nk) Google Reflected XSS, SQL injection - 03/17/2020
How I was able to verify any contact number for my account? Paras Arora (@parasarora06) - OTP bypass, 2FA bypass - 03/17/2020
Razer mobile PIN verification bypass $1k Bug Sourav Sahana (@kernel_rider) Razer OTP bypass, 2FA bypass $1,000 03/17/2020
How I Earned $1750 at Shopify Bug Bounty Program Ashish Dhone Shopify XSS, Open redirect $1,750 03/16/2020
Weak session validation bug let you login even after changing the session IDs and logging out from the accounts Manasjha (@manas_hunter) viator.com Logic flaw, Session management flaw - 03/16/2020
Using Vulnerability Analytics Feature Like a Boss Ozgur Alp (@ozgur_bbh) - SSRF, Reflected XSS, Authentication bypass $8,600 03/15/2020
How I earned $800 for Host Header Injection Vulnerability Pethuraj (@Pethuraj) - Host header injection, Password reset flaw $800 03/15/2020
My Weirdest Bug Bounty — Getting PII from O365. Omaid Faizyar (@rulesofthetrade) Microsoft Subdomain takeover $1,000 03/14/2020
Blocked User Can Send Notification Due to Logical Bug in Instagram | First Instagram Bug Divyanshu Shukla Facebook Logic flaw $0 (Duplicate) 03/14/2020
What is your GCP infra worth?…about ~$700 [Bugbounty] Chris Gates (@carnal0wnage) Tokopedia Information disclosure $700 (Never paid) 03/13/2020
User’s email disclosure via invalid password reset link [$250] Myo Min Thu (@myominthu1337) - Password reset flaw, Information disclosure $250 03/13/2020
API secret key Leakage leads to disclosure of Employee’s Information Ace Candelario (@phspades) - Information disclosure $2,000 03/13/2020
Generate valid signatures for FBCDN urls Philippe Harewood (@phwd) Facebook Logic flaw, Authorization flaw - 03/13/2020
How I got access to critical data of a Company in no time ? Kaustubh Kale - Information disclosure, Lack of rate limiting, Bruteforce - 03/12/2020
[Bug Bounty] Email Content Injection Navneet (@na5n33t) - Email content injection $25 03/12/2020
How I Reported a DoS Vulnerability to AWS Amey Anekar (@ameyanekar) Amazon DoS - 03/11/2020
Generate valid signatures for files hosted in Facebook CDNs Samm0uda (@samm0uda) Facebook Authorization flaw, Logic flaw - 03/11/2020
Ability to bruteforce Instagram account’s password due to lack of rate limitation protection Samm0uda (@samm0uda) Facebook Lack of rate limiting, Bruteforce $3,000 03/11/2020
How I was able to bypass the current password? Ninad Mathpati (@ninad_mathpati) - Account takeover, CSRF - 03/11/2020
OTP Bypass - Developer’s Check Shrey Shah (@ShreySh43332033) - OTP bypass - 03/11/2020
Finding a P1 in one minute with Shodan.io (RCE) sw33tLie (@sw33tLie) - RCE - 03/11/2020
Got Easiest Bounty with HTML injection via email confirmation! Shaurya Sharma (@ShauryaSharma05) - HTML injection - 03/11/2020
Vulnerable design leads to personal data leakage- yet another case of an inter-application vulnerability… Marcin Szydlowski (@SecurityKsl) - Logic flaw - 03/09/2020
Broke limited scope with a chain of bugs (tips for every rider CORS) Valeriy Shevchenko (@Krevetk0Valeriy) - CORS misconfiguration, RCE - 03/09/2020
The unexpected Google wide domain check bypass David Schütz (@xdavidhu) Google Logic flaw $6,000 03/08/2020
Breaking the Competition (Bug Bounty Write-up) George O (@georgeomnet) - Race condition, DoS, Logic flaw, Session management flaw $0, Swag 03/08/2020
$5,005 worth vulnerability Duplicated, How I loose $5,005 in a day? Denial of Service - Billion LAUGH Attack (XXE) Muhammad Asim Shahzad - DoS, XXE $0 (Duplicate) 03/08/2020
Google Ads Self-XSS & Html Injection $5000 Syahri Ramadan (@adonkidz7) Google Self XSS, HTML injection $5,000 03/07/2020
How I exploit the JSON CSRF with method override technique Simgamsetti Manikanta (@zaheckmania) - CSRF - 03/07/2020
Google Bug Bounty: Clickjacking on Google Payment (1337$) santuySec (@santuySec) Google Clickjacking $1,337 03/06/2020
Got Bounty with Account takeover (ATO ) Unicode-Case Mapping Collision ! Shaurya Sharma (@ShauryaSharma05) - Account takeover - 03/05/2020
Bug Bounty catches part -1 Bijan Murmu (@0xBijan) - Lack of authentication, Information disclosure, Authorization flaw - 03/04/2020
Abusing Slack for Offensive Operations Cody Thomas (@its_a_feature_) Slack Logic flaw $0 (Informative) 03/04/2020
SOP Bypass Kenan (@kenanistaken) - SOP Bypass - 03/03/2020
Exploiting an SSRF: Trials and Tribulations A Bug’z Life (@abugzlife1) - SSRF $0 (Duplicate) 03/03/2020
ManageEngine ServiceDesk Plus: Arbitrary File Upload Duc Anh Bui - Arbitrary file upload, RCE - 03/03/2020
How I CSRF’d My First Bounty! Rajesh Ranjan (@rajesh_ranjan4) - CSRF $500 03/03/2020
SQL Injection Via Stopping the redirection to a login page Abde Ouabala (@4mgh0z) - SQL injection, Authorization flaw - 03/03/2020
SSRF on PDF generator. John Michael (@michan2514) - SSRF - 03/02/2020
Discord embed spoofing DarkMatterMatt Discord Phishing $0 03/02/2020
Facebook OAuth Framework Vulnerability Amol Baikar (@AmolBaikar) Facebook OAuth flaw $55,000 03/01/2020
A mysterious bug in the firmware of Google’s Titan M chip (CVE-2019-9465) Alexander Bakker Google Cryptographic issues - 02/29/2020
Account Hijack using Authorization bypass Bhavesh Thakur (@Bhavesh_Thakur_) - Account takeover, Authorization flaw - 02/28/2020
Page Admin Disclosure via an Upgraded Page Post Dan Fabro (@0x61_) Facebook Authorization flaw, Information disclosure $3,000 02/28/2020
The Tricky XSS Smaran Chand (@smaranchand) - XSS $0 (Won’t fix) 02/28/2020
Facebook CSRF bug which lead to Instagram Partial account takeover. Samm0uda (@samm0uda) Facebook CSRF, OAuth flaw $12,500 02/28/2020
RCE via Apache Struts2 - Still out there. Abhishek (@abhishake100) - RCE - 02/27/2020
Write-up: AWS Document Signing Security Control Bypass Ozgur Alp (@ozgur_bbh) - AWS flaw $1,000 02/26/2020
Long String DoS Shrey Shah (@ShreySh43332033) - DoS $100 02/26/2020
How I Get my first P1 (Sensitive Information Disclosure) using WPScan Harrmahar (@harrmahar) - Information disclosure - 02/26/2020
How i found 3 SSRF in one day on different bug bounty targets Damanpreet Singh (@MrDamanSingh) - SSRF - 02/25/2020
Mail.Ru Ext.B Scope Account Takeover [ $1500 ] Myo Min Thu (@myominthu1337) Mail.ru Account takeover, OAuth flaw $1,500 02/25/2020
Stored-XSS-on-groups-google-com Alessandro Rumampuk (@Rando02355205) Google Stored XSS $0 (Won’t fix) 02/25/2020
Discord DoS with a single message DarkMatterMatt Discord DoS $0 02/24/2020
Reflected XSS In AT&T Myo Min Thu (@myominthu1337) AT&T Reflected XSS - 02/23/2020
Tale of Account Takeovers (Part-1) Vijaysimha Reddy Bathini (@fatratfatrat) - Account takeover, HTTP Parameter pollution, Password reset flaw, OTP bypass $5,000 02/22/2020
Hunting Tesla Model Y Secrets in the Parts Catalog Evan Connelly (@Evan_Connelly) Tesla Authorization flaw - 02/22/2020
Exploiting Jira for Host Discovery Alex Peña Atlassian CSRF - 02/20/2020
Hacking SMS API Service Provider of a Company |Android App Static Security Analysis | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Information disclosure, Hardcoded credentials - 02/19/2020
A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell Eugene Lim (@spaceraccoonsec) - XXE, RCE, Directory Traversal - 02/18/2020
From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World YoKo Kho (@YokoAcc) - Information disclosure, RCE - 02/18/2020
My First Bounty From Google. Syahri Ramadan (@adonkidz7) Google Self XSS, HTML injection $5,000 02/18/2020
How We Found Another XSS in Google with Acunetix Andrey Leonov (@4lemon) Google XSS $5,000 02/17/2020
Plan Change Logic in Google Fiber (Webpass) Craig Arendt (@signalchaos) Google Logic flaw, Payment tampering - 02/17/2020
Exploiting WebSocket [Application Wide XSS / CSRF] Osama Avvan (@osamaavvan) - XSS, CSRF - 02/17/2020
How I Gain Unrestricted File Upload Remote Code Execution Bug Bounty Shay Grant (@kidshay) - Unrestricted file upload - 02/17/2020
Uploading Backdoor For Fun And Profit. Mohammed Abdul Raheem (@mohdaltaf163) - Unrestricted file upload, RCE - 02/17/2020
How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties Red Timmy Security (@redtimmysec) - RCE - 02/16/2020
Open-redirect Vulnerability on Facebook dw1 Facebook Open redirect $500 02/16/2020
Blind IDOR in LinkedIn iOS application Hailstorm (@hailstorm1422) LinkedIn IDOR $0 02/16/2020
A Simple IDOR to Account Takeover Swapnil Maurya (@swapmaurya20) - IDOR, Account takeover $4,500 02/11/2020
Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches Ozgur Alp (@ozgur_bbh) - Information disclosure $1,500 02/11/2020
How I discovered an SSRF leading to AWS Metadata Leakage Amey Anekar (@ameyanekar) - SSRF - 02/10/2020
A step-by-step walk-through of an Invalid Endpoint Mohammed Israil (@mdisrail2468) - Information disclosure - 02/09/2020
External XML Entity via File Upload (SVG) Atul (@0xatul) - XXE, Unrestricted file upload - 02/08/2020
Determine users with detailed role model on behalf of any Facebook Application Amol Baikar (@AmolBaikar) Facebook IDOR - 02/08/2020
IDOR leads to Data leakage and Profile Update vict0ni (@vict0ni) - IDOR, Bruteforce - 02/07/2020
How Inspect Element Got me a Bounty Aditya Soni (@hetroublemakr) - Client-side enforcement of server-side security - 02/06/2020
Simple Remote Code Execution Vulnerability Examples for Beginners Ozgur Alp (@ozgur_bbh) - RCE, Unrestricted file upload $15,000 02/05/2020
Google APIS ClickJacking ( $1337) Myo Min Thu (@myominthu1337) Google Clickjacking $1,337 02/05/2020
Site wide CSRF on a popular program Ajinkya Pathare (@fellchase) - CSRF - 02/05/2020
How I Made $600 in Bug Bounty in 15 Minutes with Contrast CE – CVE- 2019-8442 David Lindner (@golfhackerdave) Atlassian (Jira) Information disclosure $600 02/05/2020
Using CSRF I Got Weird Account Takeover Mohamed Sayed (@FlEx0Geek) - CSRF, Account takeover - 02/05/2020
An Unexpected Bounty — Email Bounce Issues Keshav Malik (@g0t_rOoT_) - DoS, Email Bounce Issue - 02/05/2020
Hijacking shared report links in Google Data Studio sushiwushi (@sushiwushi2) Google Authorization flaw - 02/05/2020
How, I dumped crypto data by chaining directory listing to open S3 Bucket Ddigvijay - AWS misconfiguration, Directory listing, Information disclosure - 02/05/2020
Arbitary File Upload too Stored XSS - Bug Bounty m0chan (@m0chan98) - Arbitrary file upload, Stored XSS - 02/04/2020
Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access Gal Weizman (@WeizmanGal) Facebook (WhatsApp) Stored XSS, CSP bypass, Open redirect, RCE $12,500 02/04/2020
Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE Jatin Dhankhar (@jatindhankhar_) HackerEarth RCE - 02/04/2020
Exploiting Insecure Firebase Database! Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Insecure Firebase database - 02/04/2020
Easily leaking passenger information on an Airline Zseano (@zseano) - IDOR - 02/04/2020
CSRF CSRF CSRF… Navneet (@na5n33t) - CSRF $50 02/03/2020
Tumblr Bug Bounty ( $200) Myo Min Thu (@myominthu1337) Automattic (Tumblr) Unrestricted file upload, XSS, Authorization flaw $200 02/02/2020
Disclose Full Admin List of any Facebook Applications Amol Baikar (@AmolBaikar) Facebook IDOR - 02/02/2020
OK Google: bypass the authentication! Mattia Vinci Google Authentication bypass $0 (Wontfix) 01/31/2020
2FA Bypass via Logical Rate Limiting Bypass Jeppe Bonde Weikop - 2FA bypass, Logic flaw $500 01/30/2020
How I was able to takeover the company’s LinkedIn Page Vijaysimha Reddy Bathini (@fatratfatrat) - Broken Link Hijacking $500 01/29/2020
How I get my first SWAG from SIDN (Sensitive Data Expose) Mehedi Hasan Remon (@mehedi1194) SIDN Broken access control, Information disclosure $0, Swag 01/29/2020
Vimeo Livestream Bug Bounty WriteUp Mohamed Slamat (@oxxy37) Livestream IDOR, Parameter tampering - 01/29/2020
Hyperlink Injection - Easy Money (sometimes) Abhishek Yadav (@abhishake100) - Hyperlink injection $450 01/28/2020
Tale of a Misconfiguration in Password Reset Naveenroy - Password reset flaw, Information disclosure - 01/27/2020
Escalating reflected XSS with HTTP Smuggling Hazana (@HazanaSec) - Reflected XSS, HTTP Request Smuggling - 01/27/2020
XSS on Facebook-Instagram CDN Server bypassing signature protection Amol Baikar (@AmolBaikar) Facebook XSS - 01/26/2020
Disclose Facebook Business Account ID Amol Baikar (@AmolBaikar) Facebook Information disclosure $1,500 01/26/2020
XSS on Facebook’s acquisition Oculus CDN Server Amol Baikar (@AmolBaikar) Facebook XSS - 01/26/2020
Improper Input Validation | Add Custom Text and URLs In SMS send by Snapchat | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook (Snapchat) Parameter tampering $1,000 01/26/2020
Accidental IDOR that Deleted Admin Account. Sayaan Alam (@ehsayaan) - IDOR $325 01/25/2020
The unexpected bounty: A story of Zendesk takeover on REDACTED.com wis4nggeni - Subdomain takeover - 01/25/2020
Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover Samm0uda (@samm0uda) Facebook Cross-Site Websocket Hijacking (CSWH), Account takeover $12,500 01/23/2020
How I was able to take over any users account with host header injection Ajay Gautam (@evilboyajay) - Host header injection $900 01/23/2020
CORS Misconfiguration leading to Private Information Disclosure Virus0X01 (@Virus0X01) - CORS misconfiguration - 01/23/2020
A Less Known Attack Vector, Second Order IDOR Attacks Ozgur Alp (@ozgur_bbh) - IDOR - 01/22/2020
Password Reset Token Leak Via Referrer Shrey Shah (@ShreySh43332033) - Password reset flaw, Information disclosure - 01/22/2020
Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic Ritish Kumar Singh Facebook Logic flaw $500 01/22/2020
User Account Takeover via Signup Feature | Bug Bounty POC Muzammil Kayani (@muzammilabbas2) - Account takeover, Logic flaw, Authorization flaw - 01/22/2020
Google Bug Bounty: CSRF in learndigital.withgoogle.com santuySec (@santuySec) Google CSRF $0 (Duplicate) 01/21/2020
Cross Site Request Forgery vulnerability Leads to User Profile Change in Microsoft Express Logic Adesh Nandkishor kolte (@AdeshKolte) Microsoft CSRF - 01/21/2020
How i bought my way to subdomain takeover on Tokopedia wis4nggeni Tokopedia Subdomain takeover - 01/20/2020
GGvulnz — How I hacked hundreds of companies through Google Groups Milan Magyar Google Logic flaw - 01/20/2020
How I accidentally found Bug in Google Search Console Tomi (@noobe_io) Google Logic flaw, Authorization flaw $1,337 01/18/2020
Adding a malicious notebook to be treated like a trusted notebook in Google Colab — 1337$ Raushan Raj (@raushan_rajj) Google Authorization flaw, Logic flaw $1,337 01/17/2020
How I discovered an interesting account takeover flaw? Akash Methani (@0xAkash) - Account takeover, Password reset flaw, Lack of rate limiting - 01/14/2020
No Rate Limit - 2K Bounty Shrey Shah (@ShreySh43332033) Yahoo Lack of rate limiting $2,000 01/12/2020
How I earn $500 from Razer open S3 bucket Sourav Sahana (@kernel_rider) Razer AWS misconfiguration $500 01/12/2020
My First RCE (Stressed Employee gets me 2x bounty) Abhishek Yadav (@abhishake100) - RCE, Unrestricted file upload $900 01/10/2020
Hunting Good Bugs with only <HTML> Ak1T4 (@akita_zen) - Open redirect, HTML injection, SSRF - 01/10/2020
Google Chrome display locking fuzzing Pawel Wylecial (@h0wlu) Google Heap Use-After-Free $5,000 01/08/2020
The Bug That Exposed Your PayPal Password Alex Birsan Paypal XSSI $15,300 01/08/2020
Update: Want to take over the Java ecosystem? All you need is a MITM! Jonathan Leitschuh (@jlleitschuh) Github Insecure communications $2,300 01/08/2020
HTML Injection(Unique Exploitation) Pratik Yadav (@PratikY9967) - HTML injection $250 01/07/2020
Saying Goodbye to my Favorite 5 Minute P1 Allyson O’Malley (@ally_o_malley) Microsoft Information disclosure - 01/06/2020
How I found a Privilege Escalation Bug in a private Ecommerce? Baibhav Anand (@SpongeBhav) - Privilege escalation - 01/06/2020
XSS on Sony subdomain Gökhan Güzelkokar (@gkhck_) Sony Reflected XSS - 01/06/2020
Account takeover via HTTP Request Smuggling hipotermia (@hipotermia) - HTTP request smuggling, Account takeover, Open redirect, Internal header disclosure - 01/03/2020
Bypass 2FA in a website Sourav Sahana (@kernel_rider) - 2FA bypass - 01/01/2020
Bypass Mobile PIN Verification Sourav Sahana (@kernel_rider) - Authentication bypass $100 01/01/2020

Bug bounty writeups published in 2019

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date Link 2 / Archived page
Story of an IDOR via HTTP Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 12/31/2019
Exploiting HTML Injection in Email Shuaib Oladigbolu (@_sawzeeyy) - HTML injection - 12/31/2019
From POST to GET Open redirect Sourav Sahana (@kernel_rider) - Open redirect $450 12/31/2019
Bug Hunting Journey of 2019 Sudhanshu Rajbhar (@sudhanshur705) Alibaba, Verizon Media, [Private program] XSS, Privilege escalation, Information disclosure $2,500 12/31/2019
Exploiting a Self Stored XSS with an IDOR Shuaib Oladigbolu (@_sawzeeyy) - Self XSS, Stored XSS, IDOR - 12/31/2019
How did I earn $3133.70 from Google Translator? Beri Bey (@uppmen) Google XSS $3,133.70 12/30/2019
Facebook Bug bounty Story: $X000 for an Information Disclosure Bug Circle Ninja (@circleninja) Facebook Information disclosure - 12/29/2019
How I made $7500 from My First Bug Bounty Found on Google Cloud Platform James Grunewald Google Logic flaw $7,500 12/29/2019
Drop the mic?! no! Drop the connection ;) Sasi Levi (@sasi2103) Google DOM XSS - 12/29/2019
Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty Omkar Bhagwat (@th3_hidd3n_mist) - XSSI $0 (Duplicate) 12/27/2019
Bypassing Brand Collabs Manager Eligibility on Facebook Ajay Gautam (@evilboyajay) Facebook Authorization flaw $0 12/26/2019
Subdomain takeover via pantheon Smaran Chand (@smaranchand) - Subdomain takeover - 12/26/2019
Microsoft Edge (Chromium) - EoP via XSS to Potential RCE Abdulrahman Al-Qabandi (@Qab) Microsoft XSS, RCE $40,000 12/24/2019
SOP Bypass via browser-cache Aaron Costello (@ConspiracyProof) Keybase SOP bypass $1,500 12/24/2019
Abusing ImageMagick to obtain RCE Strynx (@Strynx_Security) - ImageMagick, RCE $5,000 12/24/2019
How we hacked one of the worlds largest Cryptocurrency Website Strynx (@Strynx_Security) - SQL injection, RCE - 12/24/2019
Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR) Vijay Kumar (@IndoAppSec) Airbnb IDOR $3,000 12/24/2019
Bugbounty | A Dom Xss Jinone (@jinonehk) - DOM XSS $500 12/24/2019
GraphQL IDOR leads to information disclosure Eshan Singh (@R0X4R) - IDOR - 12/24/2019
CSRF Token Bypasss — A Tale of my $2k bug Adeyefa Oluwatoba (@adeyefa_codes) - CSRF, Account takeover $2,000 12/23/2019
reCAPTCHA Exploits Dr. Neal Krawetz (@hackerfactor) Google reCAPTCHA bypass $0 12/23/2019
From broken link to subfolder takeover on Bukalapak wis4nggeni Bukalapak AWS flaw - 12/23/2019
2 FA Bypass via CSRF Attack Vishal Bharad Mail.ru 2FA bypass, CSRF $0 (Out of scope) 12/23/2019
Full Account Takeover (Android Application) Vishal Bharad - Information disclosure, Account takeover - 12/21/2019
Bypassing Captcha ! Abhishek Yadav (@abhishake100) - Captcha bypass $200 12/20/2019
Account Takeover Through Password Reset Poisoning Vishal Bharad - Password reset flaw, Account takeover - 12/19/2019
#BugBounty — How Snapdeal (India’s Popular E-commerce Website) Kept their Users Data at Risk! Nanda Kumar (@nk00_nk) Snapdeal Insecure storage of sensitive information - 12/19/2019
[Google VRP] SSRF in Google Cloud Platform StackDriver Ron Chan (@ngalongc) Google SSRF - 12/19/2019
Abusing feature to steal your tokens Harsh Jaiswal (@rootxharsh) - OAuth flaw $3,750 12/17/2019
BreakingApp – WhatsApp Crash & Data Loss Bug Dikla Barda, Roman Zaikin & Yaara Shriki Facebook DoS - 12/17/2019
[email protected] Disclosure via IDOR Pratyush Anjan Sarangi - IDOR $750 12/16/2019
Stored Iframe Injection + CSRF = Account Takeover 😎😎 Rounak Dhadiwal (@XploiteR_D) - HTML injection, CSRF - 12/16/2019
How I Took Over 2 Subdomains with Azure CDN Profiles m0chan (@m0chan98) - Subdomain takeover - 12/16/2019
4 Google Cloud Shell bugs explained [email protected] (@wtm_offensi) Google RCE - 12/16/2019
Authorization bug that every bug hunter missed on a popular program Ajinkya Pathare (@fellchase) - Authorization flaw - 12/15/2019
Vimeo upload function SSRF Sayed Abdelhafiz (@dPhoeniixx) - SSRF $5,000 12/13/2019
How I was able to find a logical bug on Instagram? Jabir Khan (@Jabirkhan0x0) Facebook Logic flaw - 12/13/2019
Facebook New Account Verification Bypass Santosh Baral (@santoshbrl5) Facebook Authentication bypass $0 (Internal duplicate) 12/13/2019
Multiple Host Header Attacks after bypassing protection with… a Header Attack vict0ni (@vict0ni) - Host header injection - 12/12/2019
A $25 Easy Bug. Navneet (@na5n33t) - Session management flaw $25 12/12/2019
SSRF via FFmpeg HLS processing Pflash Punk (@PflashPunk) - SSRF $0 (Duplicate) 12/11/2019
Blind Xss (A mind game to win the battle) Dirtycoder (@dirtycoder0124) - Blind XSS $1,000 12/11/2019
AirDoS: Remotely render any nearby iPhone or iPad unusable Kishan Bagaria (@KishanBagaria) Apple DoS - 12/10/2019
Get pwned by scanning QR Code Nikhil Mittal (@c0d3G33k) Mozilla XSS, CSP bypass - 12/10/2019
Authentication Bypass Rushiikesh (@u1tran00b) - 2FA bypass $700 12/09/2019
Media deletion CSRF vulnerability on Instagram Pouya Darabi (@Pouyadarabi) Facebook CSRF $3,000 12/09/2019
Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution. Vladimir Metnew (@vladimir_metnew) Telegram RCE $500 12/08/2019
Spilling Local Files via XXE when HTTP OOB fails Rahul Maini - XXE - 12/07/2019
Reusing Cookies Ricardo Iramar dos Santos - Session management flaws $400 12/07/2019
HTML Injection to XSS bypass in [REDACTED.com] Evan Ricafort (@evanricafort) - Reflected XSS $600 12/07/2019
$150 XSS at Error Page of Respository Code Navneet (@na5n33t) - Reflected XSS $150 12/07/2019
Google Chrome portal element fuzzing Pawel Wylecial (@h0wlu) Google RCE, Heap Buffer Overflow, Heap Use-After-Free $8,000 12/06/2019
HTTP Request Smuggling + IDOR hipotermia (@hipotermia) - HTTP request smuggling, IDOR - 12/05/2019
XSS like a Pro Anas Mahmood (@AnasIsHere) - XSS $450 12/05/2019
Dank Writeup On Broken Access Control On An Indian Startup Divyanshu Shukla - Unrestricted file upload, Authorization flaw - 11/30/2019
My first RCE: a tale of good ideas and good friends rez0 (@rez0__) - RCE, ImageTragick - 11/29/2019
How I turned Self XSS to Stored via CSRF Abhishek Yadav (@abhishake100) - Self XSS, CSRF $550 11/29/2019
Hacking GitHub with Unicode’s dotless ‘i’ John Gracey (@jagracey) Github Logic flaw - 11/28/2019
XSS Stored On [ Outlook Web — Outlook Android App ] ElMahdi Mrhassel (@ElMrhassel) Microsoft Stored XSS $2,400 11/28/2019 Archived page
Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge Samm0uda (@samm0uda) Facebook Reflected XSS, Account takeover $5,000 11/27/2019 Archived page
Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings Johns Simon (@Johnssimon22) - Authorization flaw - 11/27/2019 Archived page
How Did Tons of People Like Me on Tinder? Mustafa iran (@Mustafaran) - HTTP request smuggling $2,500 11/25/2019
Finding a security bug in Discord and what it taught me Tristan Farkas (@TristanAtFarkas) Discord OAuth flaw - 11/24/2019
CORS Misconfiguration to Account TakeOver [Out of scope to grab items In-Scope] Mashoud1122 (@mashoud1122) - CORS misconfiguration, Open redirect, Reflected XSS, Session management flaw $1,500 11/24/2019
The AccountTakeOver Killing Chain أنس روبي (@xhzeem) - Account takeover, CSRF, Self-XSS - 11/23/2019
Exploiting padding oracles with fixed IVs Teddy Katz (@not_aardvark) - Padding oracle, Account takeover - 11/23/2019
IDOR via Websockets Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 11/23/2019
Stories Of IDOR-Part 2 Shivbihari Pandey (@ninja_pandit_) - IDOR $3,650 11/21/2019
Disable Any Unconfirmed Account in Facebook Lokesh Kumar (@lokeshdlk77) Facebook Bruteforce $1,000 11/21/2019
700$ Denial of Service(DoS) vulnerability in script-loader.php (CVE-2018-6389) Pankaj Thakur (@Nep_1337_1998) - DoS $700 11/21/2019
Reply To Instagram Stories where privacy of who can reply is set to ‘Nobody’. (Part 2) Baibhav Anand (@SpongeBhav) Facebook Authorization flaw $1,000 11/21/2019
How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads Mohamed Daher (@DaherMohamed4) - XSS $1,054 11/20/2019
Cracking reCAPTCHA, Turbo Intruder style James Kettle (@albinowax) Google Race condition $0 11/20/2019
Subdomain Takeover via Campaignmonitor.com Mohamed Haron (@m7mdharon) - Subdomain takeover $900 11/20/2019
How I could delete Facebook Ask for Recommendations post’s place objects in comments Raja Sudhakar (@Rajasudhakar) Facebook IDOR - 11/20/2019
Broken session management leads to bypass 2FA and Permanent access to Facebook user’s Mahmoud Barakat (@0xBarakat) Facebook Authentication bypass - 11/19/2019
Disclose the owner of a recruiting manager in Jobs Beta Philippe Harewood (@phwd) Facebook Information disclosure - 11/19/2019
Million Users PII Leak Data Leak Shivbihari Pandey (@ninja_pandit_) - Information disclosure, Blind XSS $3,250 11/18/2019
XSS in GMail’s AMP4Email via DOM Clobbering Michał Bentkowski (@securitymb) Google XSS, DOM Clobbering - 11/18/2019
This is How I was able to hunt a rare bug in a private program Abida Fahd - Lack of authentication, Privilege escalation - 11/18/2019
My First Bug ($500) Abhishek Yadav (@abhishake100) - No valid SPF records $500 11/18/2019
Bypassing the patch for my previous Instagram bug. Baibhav Anand (@SpongeBhav) Facebook Authorization flaw, Logic flaw - 11/18/2019
Privilege Escalation with simple recon Mayur Gupta (@RisingHunter_) - Privilege Escalation, Blind XSS - 11/16/2019
LDAP Admin Account Bypassed :) Himanshu Pdy (@himanshu_pdy_01) - LDAP injection, Authentication bypass - 11/16/2019
View the ranked messenger users for any page Philippe Harewood (@phwd) Facebook Information disclosure, Authorization flaw - 11/16/2019
[Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Tokopedia IDOR $135 11/15/2019
Authenticated CORS with Access-Control-Allow-Origin: * BitK (@BitK_) Chromium Caching issue, Browser bug $0 (won’t fix) 11/15/2019
Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE) Daniel Marte (@DanielM59720745) - IDOR - 11/15/2019
Taking over Facebook Page Tabs Sagar Tanur (@Sagarvd01) Facebook Broken link hijacking $0 (informative) 11/14/2019
[Server Side Request Forgery] Blind SSRF due to Sentry Misconfiguration Kent Bayron (@bayronkentoy) - SSRF $300 11/14/2019
Command Injection Through BLH Shankar R (@trapp3r_hat) Facebook Broken link hijacking $0 (informative) 11/14/2019
Mass XS-Search using Cache Attack terjanq (@terjanq) Google XS-Search - 11/12/2019
How I accidentally took down GitHub Actions Teddy Katz (@not_aardvark) GitHub Denial of Service, Commit Hash Collisions $5,000 11/12/2019
Bug Bounty: Broken API Authorization Th3hidd3nmist (@th3_hidd3n_mist) - Authorization flaw $440 11/12/2019
How i Bought VPS, Hosting, Domain only $0.01 Zerb0a - Payment tampering $500 11/12/2019
Keylogging users via Slack themes Matt Langlois (@fletchto99) Slack CSS injection $500 11/11/2019
My First SSRF Using DNS Rebinding Marek Geleta (@marek_geleta) - SSRF, DNS rebinding - 11/11/2019
DOM-Based XSS | Bug Bounty Writeup HacknPentest (@HacknPentest) - DOM XSS $100 11/10/2019
BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! 😎 Akash Agrawal (@akashmagrawal) - 2FA bypass, Lack of rate limiting - 11/08/2019
How I Hacked Dutch Government in 5 Minutes? Twitter Account Takeover Numan ÖZDEMİR (@numanozdemircom) Dutch Government Broken link hijacking $0, Swag 11/06/2019
A simple post auth bypass leads to unauthorized web server access Hein Thant Zin (@H3Lowr) - Default credentials $750 11/08/2019
Bypassing GitHub’s OAuth flow Teddy Katz (@not_aardvark) GitHub OAuth flaw, Authorization bypass $25,000 11/05/2019
BugBounty | A Simple SSRF Jinone (@jinonehk) - SSRF, DNS Rebinding $1,500 11/05/2019
XSS will never die Oleksandr Opanasiuk (@Lekssik2) - XSS - 11/02/2019
Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty Sam Curry (@samwcyo) - Null byte buffer overflow $40,000 11/01/2019
Live Video facebook application (Android) its not expired when log out the device on https://www.facebook.com/settings?tab=security&section=sessions&view Naufal Septiadi Facebook Logic flaw $500 10/30/2019
GraphQL introspection leads to sensitive data disclosure. Eshan Singh (@R0X4R) - Information disclosure - 10/30/2019
5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!) YoKo Kho (@YokoAcc) Avast Reflected XSS $5,000 10/29/2019
Cross Site Request Forgery Critical Exploitable IN Infected Site? Hossam Mesbah - CSRF - 10/29/2019
XSS to Account Takeover Tomi (@noobe_io) - XSS, CSRF - 10/29/2019
[Leak] Can I take the user information, please?!! Mohamed Sayed (@FlEx0Geek) - Information disclosure - 10/29/2019
How I hacked 50+ Companies in 6 hrs Vignesh C (@pwn_r00t) - SSTI, RCE - 10/29/2019
[Writeup — FB] Crash web — app through application form of job application pages TienDat Facebook DoS - 10/28/2019
Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO) YoKo Kho (@YokoAcc) Opera RTLO - 10/26/2019
How to Takover a ldap server. Ashish Kunwar (@D0rkerDevil) - Exposed LDAP server - 10/25/2019
Session Expiration Bypass in Facebook Creator App Ajay Gautam (@evilboyajay) Facebook Session expiration bypass $1,500 06/22/2019
How I earned $$$$ by finding confidential customer data including plain-text passwords! Sushant Soni (@sushantsoni5392) - Directory listing, Information disclosure - 10/24/2019
NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] Nightwatch Cybersecurity (@nightwatchcyber) Google NFC - 10/24/2019
(POC) Disclose members in any closed Facebook group Ahmad Talahmeh Facebook Information disclosure $3,000 10/22/2019
[ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google ) Danang Tri Atmaja (@danangtriatmj) Google Authentication flaw - 10/21/2019
How PayPal helped me to generate XSS Pflash Punk (@PflashPunk) Paypal Reflected XSS $250 10/20/2019
Escalating Privileges like a Pro Gaurav Narwani (@gauravnarwani97) - Privilege escalation - 10/20/2019
Hunting for bounties antihack.me case study 0xSha (@0xsha) AntiHack.me RCE, XSS, Logic flaw, Information disclosure - 10/20/2019
[email protected] Disclosure via IDOR Pratyush Anjan Sarangi - IDOR, Information disclosure $750 10/18/2019
1-800-Flowers Credentials and message log leak via facebook.com/facebook Philippe Harewood (@phwd) Facebook AWS misconfiguration - 10/17/2019
How I was able to bypass OTP code requirement in Razer [The story of a critical bug] Ananda Dhakal (@dhakal_ananda) Razer OTP bypass $1,000 10/16/2019
How I found RCE But Got Duplicated Smile Hacker - Unrestricted file upload, RCE - 10/15/2019
[ Writeup — Bugbounty Facebook ] Disclosure the verified phone number in Checkpoint. TienDat Facebook Information disclosure $500 10/15/2019
How I bypassed 2 Factor Authentication Hemant Singh Manral - 2FA bypass $250 10/15/2019
An inconsistent CSRF Smaran Chand (@smaranchand) - CSRF $0 10/15/2019
Finding SQL injections fast with white-box analysis — a recent bug example frycos (@frycos) Zoho SQL injection - 10/13/2019
Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. Rohit kumar (@rohitcoder) Facebook Authorization flaw - 10/12/2019
Bypass Uppercase filters like a PRO (XSS Advanced Methods) MasterSEC (@MasterSEC_AR) - XSS $1,000 10/11/2019
How i Hacked BASF Company !! Murtada Kamil BASF Lack of authentication - 10/10/2019
EXIF Geolocation Data Not Stripped From Uploaded Images Sourav Newatia (@souravnewatia) - Information disclosure $500 10/09/2019
How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores Prateek Tiwari Samsung Information disclosure - 10/05/2019
From Multiple IDORs leading to Code Execution on a different Host Container Rahul (@Rahul_R95) - IDOR, RCE - 10/04/2019
How I made 1000$ with AT&T Bug Bounty(H1) Adesh Nandkishor kolte (@AdeshKolte) AT&T CSRF, Account takeover $1,000 10/02/2019
REST framework Admin Panel bypass and how I recon for this vulnerability Aziz Hakim (@hackerb0y_) - Authentication bypass - 10/02/2019
GraphQL Introspection leads to Sensitive Data Disclosure. Pranay Bafna - Information disclosure - 10/02/2019
How a double-free bug in WhatsApp turns to RCE Awakened Facebook (WhatsApp) Memory corruption bug, RCE, Android app bug - 10/02/2019
How to get RCE on AEM instance without Java knowledge byq (@ByQwert) - RCE $1,000 10/01/2019
Stealing login credentials with Reflected XSS mehulpanchal007 (@007_sharky) - Reflected XSS $100 10/01/2019
One Way to Find Hidden IDOR Vulnerability Vulkey_Chen (@Vulkey_Chen) - IDOR ¥3,000 (~ $28) 10/01/2019
Bug Hunting: Xss On Cookie Popup Warning vict0ni (@vict0ni) - Reflected XSS - 09/30/2019
Spear texting via parameter injection Kyle (@B3nac) - Parameter tampering $900 09/29/2019
XSS Is Love <3 ! Nirmal Dahal (@TheNittam) - XSS - 09/29/2019
Stories Of IDOR Shivbihari Pandey (@ninja_pandit_) - IDOR - 09/28/2019
OnePlus Open/Unvalidated Redirects & Forwards Mainak Sadhukhan OnePlus Open redirect - 09/26/2019
Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure Sam Curry (@samwcyo) Atlassian Path traversal $11,000 09/25/2019
Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork - 1,000 USD YoKo Kho (@YoKoAcc) Paypal Information disclosure $1,000 09/24/2019
ONEPLUS XSS vulnerability in Customer Support Portal Mainak Sadhukhan OnePlus XSS - 09/24/2019
Fuzzing Till Verneet (@err0rrrrr) - SSTI - 09/23/2019
Broken Link Hijacking - s3 buckets Tutorgeeks (@tutorgeeks) Google Broken link hijacking - 09/22/2019
[Bug Bounty] Exploiting Cookie Based XSS by Finding RCE Tomi (@noobe_io) - Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE, XSS - 09/22/2019
[Case Study] OAuth Misconfiguration leads to Account Takeover Gaurang Bhatnagar (@0xgaurang) - OAuth flaw, Account takeover - 09/21/2019
Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public Guhan Raja (@havocgwen) Facebook Privilege escalation $500 09/21/2019
A Simple bypass of Registration Activation that Lead to many Bug - YoKo Kho (@YoKoAcc) - Information disclosure, IDOR, CSRF - 09/21/2019
Bug or Feature? GitHub Adventure #001 Dominik Opyd (@oad_earth) - OAuth flaw, Open redirect $0 09/21/2019
Stored XSS on Zendesk via Macro’s PART 2 Hariharan.s (@DJHARIZ1) Zendesk Stored XSS - 09/20/2019
IDOR in One plus leads to leak User personal Info. Aditya Sharma (@Assass1nmarcos) OnePlus IDOR $0, Swag 09/20/2019 Archived page
How I able to Takeover 10 subdomains in a Private Program ? Mohamed Haron (@m7mdharon) - Subdomain takeover $500 09/20/2019
Business ID leak via Creative Hub redirect Philippe Harewood (@phwd) Facebook Open redirect - 09/20/2019
Admin hijacked by Sea Surf Pirates Gaurav Narwani (@gauravnarwani97) Dolibarr Stored XSS, CSRF, Account takeover - 09/19/2019
SSRF | Reading Local Files from DownNotifier server Dr.FarFar (@3XS0) - SSRF - 09/18/2019
RCE with Flask Jinja Template Injection AkShAy KaTkAr (@AkShAy KaTkAr) - SSTI, RCE - 09/17/2019
Client, not client! Tung Pun - LFI $1,000 09/15/2019
Google Referer Leak Bug Jayateertha Guruprasad (@JayateerthaG) Google Referer leakage, Information disclosure - 09/15/2019
How I found a simple and weird Account takeover bug Bijan Murmu (@0xBijan) - Account takeover, Lack of authentication - 09/14/2019
OTP Manipulation Kishan choudhary (@choudhary_1337) - OTP bypass $300 09/14/2019
Race Condition that could Result to RCE - (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3) YoKo Kho (@YoKoAcc) - Race condition, RCE, Unrestricted file upload - 09/14/2019
I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead Anand Prakash (@sehacure) Uber Information disclosure $6,500 09/13/2019 Mirror link
How two dead accounts allowed remote crash of any instagram android user Valerio brussani (@val_brux) Facebook DoS - 09/13/2019
Unauthorized access to all user information leaks C1h2e1 (@C1h2e11) - Information disclosure - 09/13/2019
HTTP Request Smuggling CL.TE memN0ps (@memN0ps) - HTTP request smuggling - 09/13/2019
Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. HackerOn2Wheels (@HackerOn2Wheels) - RCE, Unrestricted file upload $3,000 09/13/2019
Facebook employee internal tool and conversations leaked in Facebook video Philippe Harewood (@phwd) Facebook Information disclosure - 09/12/2019
How does my recon win $250 in 15 minutes Hein Thant Zin (@H3Lowr) - Open redirect $250 09/12/2019
Add users to roles on Facebook pages without an invitation consent Philippe Harewood (@phwd) Facebook Authorization flaw - 09/12/2019
Pwn Them All #BugBounty Bilal Khan (@bilalmerokhel) - Host header injection, Password reset flaw - 09/11/2019
Subscribe to the list of requesters to join a Facebook live video using MQTT Philippe Harewood (@phwd) Facebook Authorization flaw - 09/10/2019
H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress Julien Ahrens (@MrTuxracer) Uber Stored XSS, SQL injection - 09/10/2019
Telegram addresses another privacy issue Dhiraj (@RandomDhiraj) Telegram Logic flaw, Privacy issue €2,500 09/09/2019
Accessing 2 million Verizon Pay Monthly contracts Daley Bee (@daley) Verizon Information disclosure, Authentication bypass, IDOR - 09/09/2019
Oculus identity verification bypass through brute-force karthik kumar reddy (@karthiksunny007) Facebook OTP bypass, Lack of rate limiting $750 09/09/2019
XSS in Zoho Mail Anas Mahmood (@AnasIsHere) Zoho Mail XSS $200 09/08/2019
Exploiting JSONP and Bypassing Referer Check Osama Avvan (@osamaavvan) - Information disclosure, JSONP flaw - 09/07/2019
Write up of two HTTP Requests Smuggling C1h2e1 (@C1h2e11) - HTTP request smuggling - 09/07/2019
Finding Gem in Someone’s Report: Instant $500USD at HackerOne Platform Hisoka Morou - Information disclosure $500 09/07/2019
DOM Based XSS in Private Program Mohamed Haron (@m7mdharon) - DOM XSS $500 09/05/2019
Readme.com Account Takeover Ankush Goel (@0xankush) Readme.com Password reset flaw $0 09/05/2019
Exposed Jenkins to RCE on 8 Adobe Experience Managers Corben Leo (@hacker_) - RCE - 09/04/2019
Add new user with Admin permission and takeover the organization Tarek Mohamed (@Conan0x3) - Authorization flaw, Privilege escalation - 09/04/2019
RCE using Path Traversal inc0gbyt3 (@incogbyte) - RCE, Path traversal - 09/02/2019
HTML to PDF converter bug leads to RCE in Facebook server Samm0uda (@samm0uda) Facebook RCE $1,000 09/02/2019 Archived page
Google Cloud Blog platform vulnerability Alexandru Coltuneac (@dekeeu) Google XSS - 09/01/2019
Graphql Bug to Steal Anyone’s Address Pratik Yadav (@PratikY9967) - Information disclosure, GraphQL bug - 09/01/2019
My First LFI Tirtha Mandal (@tirtha_mandal) - LFI $1,000 08/31/2019
Shodan is your friend!!! If you ignore him you will lose many… Vijaysimha Reddy Bathini (@fatratfatrat) - SQL injection, Authentication bypass - 08/28/2019
Address bar spoofing in Firefox Lite for Android …and the idiocy that followed Piyush Raj (@0x48piraj) Mozilla Address Bar Spoofing, URL spoofing - 08/29/2019
How to look for JS files Vulnerability for fun and profit? Yeasir Arafat - Information disclosure - 08/27/2019
Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance” Omar Espino (@omespino) - RCE - 08/27/2019
How I Hacked Instagram Again Laxman Muthiyah (@LaxmanMuthiyah) Facebook Password reset flaw, Account takeover $10,000 08/26/2019
Bug Bounty: Bypassing a crappy WAF to exploit a blind SQL injection Robin Verton (@robinverton) - Blind SQL injection - 08/25/2019
Create living room polls as a Facebook page analyst Philippe Harewood (@phwd) Facebook Authorization flaw $5,000 08/24/2019
From Github Recon To Account Takeover Dipak kumar Das (@d1pakdas) - Information disclosure, Account takeover - 08/24/2019
Cookie worth a fortune Gaurav Narwani (@gauravnarwani97) - Reflected XSS - 08/23/2019
One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse Lorenzo Stella (@lorenzostella) 1Password, Keeper, Dashlane Information disclosure, Content leak - 08/22/2019
Rights Manager Graph API Disclosure of business employee to non business employee Jafar Abo Nada (@Jafar_Abo_Nada) Facebook Information disclosure - 08/22/2019
Instagram account is reactivated without entering 2FA ($500) Aman Shahid (@amansmughal) Facebook 2FA bypass, Authentication flaw $500 08/21/2019
Sending Message as page being an analyst/ advertiser? Baibhav Anand (@SpongeBhav) Facebook Authorization flaw $0 08/21/2019
How I made my first $$$ from finding a bug in Facebook Aayush Pokhrel (@aayushpok) Facebook Authorization flaw - 08/21/2019
How I upgraded my privileges to the administrator of Odnoklassniki’s url shortener Sergey Kashatov (@iframe0x01) ok.ru Privilege escalation $500 08/20/2019
Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device Arvind Facebook Authorization flaw - 08/19/2019
U.S. Department of Defense - Info Disclosure and SQLi Writeup Aaron Esau (@arinerron) U.S. Dept Of Defense Information disclosure, SQL injection - 08/19/2019
Removing profile pictures for any Facebook user Philippe Harewood (@phwd) Facebook IDOR $2,500 08/19/2019
Add users to roles on Facebook pages without an invitation consent (revisited) Philippe Harewood (@phwd) Facebook Logic flaw, Authorization flaw - 08/18/2019
How I was able to earn 1000$ with just 10 minutes of bug bounty? Ninad Mathpati (@ninad_mathpati) - Password reset flaw $1,000 08/17/2019
ByPassing fix of Domain Blocking feature in Business Manager Rohit kumar (@rohitcoder) Facebook Authorization flaw, Logic flaw - 08/15/2019
Facebook Messenger exposing deleted messages using [Remove for Everyone] Renwa (@RenwaX23) Facebook Logic flaw - 08/15/2019
BookMyShow account takeover using social login Sukhmeet Singh (@MadGuyyy) BookMyShow OAuth flaw, Account takeover ₹2,000 (~ $28) 08/15/2019
[Business Logic] Bypassing Nickname Feature Kent Bayron (@bayronkentoy) - Logic flaw $50 08/14/2019
[Business Logic Bug] Bypassing Nickname Feature Kent Bayron / kntx (@bayronkentoy) - Logic flaw $50 08/14/2019
BugBounty WriteUp — take attention and get Stored XSS Oleksandr Opanasiuk (@Lekssik2) - Stored XSS - 08/14/2019
How I XSSed Admin Account Gaurav Narwani (@gauravnarwani97) - Stored XSS, Account takeover - 08/13/2019
SSRF Vulnerability in https://app.[REDACTED].com Evan Ricafort (@evanricafort) - SSRF $0 (Duplicate) 08/13/2019
Reporting - Amazon 1 click device XSS Sneakerhax (@sneakerhax) Amazon XSS - 08/12/2019
Clickjacking DOM XSS on Google.org Thomas Orlita (@ThomasOrlita) Google Clickjacking, DOM XSS - 08/12/2019
Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up) Evan Ricafort (@evanricafort) - Application-Level DoS $300 08/10/2019
Two Easy RCE in Atlassian Products Valeriy Shevchenko (@Krevetk0Valeriy) Atlassian RCE - 08/09/2019
Read other user support tickets in https://support..com (Write Up) Evan Ricafort (@evanricafort) - IDOR $120 08/09/2019
Privilege Escalation using Api endpoint Ronak Patel (@ronak_9889) - Privilege Escalation - 08/09/2019
Writing my Medium blog to complete account takeover Rotem Reiss (@rotem_reiss) Medium Stored XSS, Account takeover $1,000 08/09/2019
LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo) initstring (@init_string) Microsoft SSRF $0 (Won’t fix) 08/09/2019
Exploiting Out Of Band XXE using internal network and php wrappers Mahmoud Gamal (@Zombiehelp54) - XXE - 08/06/2019
BugBounty WriteUp — Creative thinking is our everything (Race Condition + Business Logic Error) Oleksandr Opanasiuk (@Lekssik2) - Race condition, Logic flaw - 08/05/2019
Stored XSS on LaporBug.id rizal (@sayadarijawa) LaporBug.id Stored XSS - 08/05/2019
Vulnerability in Hangouts Chat: from open redirect to code execution VulnerabilityLabs Google Open redirect, RCE $7,500 08/04/2019
Leveraging AngularJS-based XSS to Privilege Escalation Shawar Khan (@ShawarkOFFICIAL) - XSS, Privilege escalation - 08/04/2019
How I Found XSS By Searching In Shodan D1vy4n5hu 5hukl4 (@justm0rph3u5) - Reflected XSS - 08/04/2019
No Rate limiting eligible for bounty ? Smaran Chand (@smaranchand) - Lack of rate limiting - 08/03/2019
From Sub domain Takeover to Open-Redirect Anil Tom (@mr_4nk) - Subdomain takeover, Open redirect $150 08/02/2019
One Misconfig (JIRA) to Leak Them All- Including NASA and Hundreds of Fortune 500 Companies! Avinash Jain (@logicbomb_1) - Information disclosure - 08/02/2019
Bypassing CORS VulnerabilityLabs - CORS misconfiguration - 08/01/2019
Complete information disclosure using Broken Access Control Bhavesh Thakur (@Bhavesh_Thakur_) - Information disclosure, Authorization flaw $100 08/01/2019
Download predictions details of ads plans of any business. Samm0uda (@samm0uda) Facebook IDOR - 08/01/2019 Archived page
Internal path disclosure in Instagram server Samm0uda (@samm0uda) Facebook Internal path disclosure, Information disclosure - 08/01/2019 Archived page
Access portal of Facebook mobile retailers and see earnings and referrals reports. Samm0uda (@samm0uda) Facebook IDOR, Authorization flaw $500 08/01/2019 Archived page
View orders and financial reports lists for any page shop. Samm0uda (@samm0uda) Facebook Authorization flaw $500 08/01/2019 Archived page
Bypassing CORS Saad Ahmed (@XSaadAhmedX) - CORS misconfiguration - 08/01/2019
RCE in Ruby using Mustache Templates Rhys Elsmore (@rhyselsmore) - RCE - 08/01/2019
Reposted [2017]: LinkedIn Hacker’s Experience Alexandru Coltuneac (@dekeeu) LinkedIn Stored XSS - 07/30/2019
Reposted [2019]: Hacking YouTube for #fun and #profit Alexandru Coltuneac (@dekeeu) Google Authorization flaw - 07/30/2019
Paypal bug $10K - All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts Mohd haji (@mohdhaji24) Paypal IDOR $10,500 07/30/2019
SQL Injection in private-site.com/login.php Mohamed Haron (@m7mdharon) - SQL injection $0 (Out of scope) 07/30/2019
1st Bounty Story | Rewarded 300$ (IDOR) Md Hridoy - IDOR $300 07/29/2019
Story of an IDOR via Email Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 07/29/2019
Old GitHub Profile Takeover! Mohamed Haron (@m7mdharon) - Github account takeover $1,000 07/28/2019
Chaining Cache Poisoning To Stored XSS Rohan aggarwal (@nahoragg) - Web cache poisoning, Stored XSS - 07/28/2019
Solr Injection by abusing Local Parameters on Zomato.com Ronak Patel (@ronak_9889) Zomato Solr Injection $700 07/27/2019
Story about Facebook Oauth Account Takeover Zerb0a iLOTTE Account takeover, OAuth flaw IDR 2.000.000 (~ $150) 07/26/2019
Facebook BugBounty: Tale of an Instagram bug disclosing user’s phone number via checkpoint Bijan Murmu (@0xBijan) Facebook Information disclosure - 07/26/2019
Full Account Takeover via Changing Email And Password of any User through API Parameters Adesh Nandkishor kolte (@AdeshKolte) - IDOR, Password reset flaw, Account takeover - 07/26/2019
Price Parameter Tampering On Bukalapak Apapedulimu (@LocalHost31337) Bukalapak Parameter tampering $150 07/24/2019
How I found the most critical bug in live bug bounty event? Lakshay (@inn0c3ntd3v1L) - Password reset flaw, Account takeover - 07/24/2019
XSS to RCE in … Hungry Bytes (@hungrybytes) Github XSS, RCE - 07/24/2019
Disclose any main and 3rd party contributors email address and movie local path thru XML file in Plex TV - plex.tv (Write Up) Evan Ricafort (@evanricafort) Plex TV Information disclosure, Path disclosure $0 07/24/2019
XX to XXX in one day Baibhav Anand (@SpongeBhav) WePay, [Private program] Account takeover, Parameter tampering - 07/23/2019
Pwning child company to get access to ParentCompany’s Slack Team Parth Malhotra (@Parth_Malhotra) - SQL injection, Default credentials - 07/23/2019
XSS On Twitter [Worth 1120$] Bywalks (@bywalkss) - XSS $1,120 07/22/2019
Reflected XSS in Ebay.com Sukhmeet Singh (@MadGuyyy) Ebay Reflected XSS $0, HoF 07/22/2019
Subscribe to typing notifications for any Instagram user Philippe Harewood (@phwd) Facebook Authorization flaw $5,750 07/21/2019
Not a fancy bug, just HTML Injection in Clause - clause.io (Write Up) Evan Ricafort (@evanricafort) Clause HTML injection $250 07/21/2019
Shopping Products For Free- Parameter Tampering Vulnerability D1vy4n5hu 5hukl4 (@justm0rph3u5) - Parameter tampering, Payment tampering - 07/21/2019
Exploiting a Tricky Blind SQL Injection inside LIMIT clause Rahul Maini - SQL injection - 07/21/2019
Get Page Inbox notifications for any Facebook page Philippe Harewood (@phwd) Facebook Authorization flaw, Information disclosure - 07/20/2019
Microsoft ID Open Redirect Burninator Sec Microsoft Open redirect $0 07/19/2019
Microsoft Office 365 - Outlook XSS Abdulrahman Al-Qabandi (@Qab) Microsoft XSS - 07/19/2019
SQL Injection in Forget Password Function Khaled Gaber - SQL injection - 07/18/2019
How to lock a GitHub user out of their repos (bug or feature?) Teserakt AG Github DoS $0 (Feature) 07/18/2019
Сookie-based XSS exploitation | $2300 Bug Bounty story Max (@iSecMax) - XSS $2,300 07/17/2019
Account Takeover Vulnerability :) Sumit Jain (@sumit_cfe) - Password reset flaw, Account takeover - 07/17/2019
How Recon helped me to to find a Facebook domain takeover Sudhanshu Rajbhar (@sudhanshur705) Facebook Subdomain takeover $500 07/17/2019
Facebook Informative Bug From Triaged Circle Ninja (@circleninja) Facebook Lack of rate limiting $0 07/17/2019
CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook Lokesh Kumar (@lokeshdlk77) Facebook CSRF $3,000 07/16/2019
Bypass CSRF With ClickJacking Worth $1250 Injector Pca / SaadAhmed (@XSaadAhmedX) - CSRF, Clickjacking $1,250 07/16/2019
What do Netcat, SMTP and self XSS have in common? Stored XSS Plenum (@plenumlab) - Stored XSS - 07/16/2019
How I Could Get The Instagram Username of Anyone on Tinder Shahar Albeck Tinder Information disclosure - 07/16/2019
The Bugs Are Out There, Hiding in Plain Sight A Bug’z Life (@abugzlife1) - IDOR, SSRF, Information disclosure, CORS misconfiguration $9,000 07/15/2019
500$ bounty: Man in the Middle on Slack Wiard van Rij / Sysrant (@RijWiard) Slack MiTM $500 07/15/2019
Facebook Bug : Sending messages as a page with jobmanager permission Devansh batham (@devanshwolf) Facebook Authorization flaw, Privilege escalation $0 (Duplicate) 07/15/2019
[TOKOPEDIA] Site-wide CSRF through GraphQL request Rafie Muhammad (@rafiem777) Tokopedia CSRF - 07/15/2019
How I Could Have Hacked Any Instagram Account Laxman Muthiyah (@LaxmanMuthiyah) Facebook Race condition, Rate limiting bypass $30,000 07/14/2019
Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program Sam Curry (@samwcyo) Tesla Blind XSS $10,000 07/14/2019
Hacking into Tinder’s Premium Model Sanskar Jethi (@sansyrox) Tinder Authorization flaw $0 07/14/2019
Account takeover on Airbnb acquisition | An Unusual Bug Part-2 🐛 PRince CHaddha (@princechaddha) Airbnb IDOR, Account takeover Swag 07/13/2019
Facebook Bug bounty page admin disclose bug {Facebook Android app} Yusuf Furkan (@h1_yusuf) Facebook Information disclosure $500 07/12/2019
XSS on Google Custom Search Engine KL Sreeram (@kl_sree) Google XSS - 07/11/2019
Story of my Biggest Bounty ever : Command Execution on Jenkin Jay Jani (@JayJani007) - RCE $8,000 07/11/2019
SQL Injection Bug Bounty POC! Arif-ITSEC111 - SQL injection €5,000 07/11/2019
Tale of account takeover — Sensitive info Disclosure + Broken Access Control Md Saqib (@sakyb7) - IDOR, Account takeover $2,650 07/10/2019
OAuth authentication bypass on Airbnb acquisition using 1-char Open Redirect Evgeniy Yakovchuk (@h1_sp1d3r) Airbnb Open redirect, OAuth token theft, Account takeover - 07/10/2019
A malicious editor of a page can support to a community action which can’t be unsupported by the admin! mAshraf Facebook Authorization flaw - 07/09/2019
Information Disclosure via Misconfigured AWS to AWS Bucket Takeover Pratyush Anjan Sarangi - AWS flaw - 07/08/2019
Cleartext password in LocalStorage (Writeup) ruvlol - Violation of secure design principles $1,500 07/07/2019
Blind (time-based) SQLi - Bug Bounty Jspin - SQL injection - 07/05/2019
This is how I managed to win $2000 through Facebook Bug Bounty Saugat Pokharel (@saugatpk5) Facebook Logic flaw $2,000 07/04/2019
Facebook Vulnerability: Unremovable Co-Host in facebook page events Ritish Kumar Singh Facebook Logic flaw, DoS $500 07/04/2019
Account Takeover Using CSRF(json-based) shub rathore (@shub66452) - CSRF, Account takeover $1,000 07/04/2019
Story of a stored xss to full account takeover vulnerability(N/A to accepted) Jatin Aesthetic (@techyfreakk) - Stored XSS - 07/04/2019
Finding hidden gems vol. 4: Rakefile a.k.a. how to get AWS keys again Mateusz Olejarka (@molejarka) - Information disclosure, Github leak - 07/03/2019
Yeah! I got P2 in 1 minute - Stored XSS via Markdown Editor Schopath - Stored XSS - 07/02/2019
Injecting {{6*200}} to $1200 Gaurav Narwani (@gauravnarwani97) - SSTI $1,200 07/02/2019
Another Download Protection Bypass in Google Chrome – BIN files in Mac OS Nightwatch Cybersecurity (@nightwatchcyber) Google Browser flaw $1,000 07/02/2019
How I escalated RFI into LFI Hassan Khan Yusufzai (@Splint3r7) - RFI, LFI - 07/01/2019
Accidental IDOR Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR - 07/01/2019
Stored XSS on Indeed Tirtha Mandal (@tirtha_mandal) Indeed Stored XSS $1,500 06/30/2019
One more Parameter manipulation bug (🤑) Kanchan Singh Yadav (@KanchanSingh0) - Parameter tampering - 06/28/2019
Facebook BugBounty : Short story on Page admin disclosure Bijan Murmu (@0xBijan) Facebook Authorization flaw, Privilege escalation - 06/28/2019
Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution Reegun J (@reegun21) Microsoft RCE - 06/28/2019
Gain adfly SMTP access with SSRF via Gopher Protocol Zerb0a Adf.ly SSRF - 05/27/2019
View Facebook payouts for any Facebook Trivia Game Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 05/27/2019
1-Click Account Takeover in Virgool.io — a Nice Case Study Yasho (@YShahinzadeh) Virgool Account takeover, Open redirect - 06/27/2019
CORS To CSRF Attack Osama Avvan (@osamaavvan) - CORS misconfiguration, CSRF - 06/27/2019
Toggle Group Rules Agreement as a non-member Philippe Harewood (@phwd) Facebook Authorization flaw - 06/26/2019
Sensitive Information Disclosure: Web Cache Deception Attack Wasim Shaikh (@Wa_sim_sim) Intuit Information disclosure $0, HoF 06/26/2019
Download .arexport files for any public AR Studio Effect Philippe Harewood (@phwd) Facebook IDOR - 06/24/2019
CSV injection at Comment Section. Navneet (@na5n33t) - CSV injection N/A (VDP) 06/24/2019
Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference) Muhammad Asim Shahzad - Password reset flaw, IDOR, Account takeover $1,200 06/22/2019
Page Admin Disclosure | Facebook Bug Bounty 2019 Ajay Gautam (@evilboyajay) Facebook Authorization flaw $1,000 06/22/2019
How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105 Bryan Appleby (@bryapp) Microsoft XSS - 06/21/2019
Catching support emails from my internet service provider Sander Lentink T-Mobile Email account takeover N/A (VDP) 06/21/2019
$1800 worth Clickjacking Osama Avvan (@osamaavvan) - Clickjacking $1,800 06/21/2019
About a Sucuri RCE…and How Not to Handle Bug Bounty Reports Julien Ahrens (@MrTuxracer) Sucuri RCE $750 06/22/2019
IDOR: Payment Fraud Vibhurushi Chotaliya (@Vibhurushi) - IDOR, Payment tampering - 06/20/2019
Self XSS To Evil XSS Injector Pca / SaadAhmed (@XSaadAhmedX) - XSS $0 06/20/2019
A Fight For Duplicate Marked Bug: Story of BBC Hall Of Fame Wasim Shaikh (@Wa_sim_sim) BBC XSS $0 (HoF) 06/20/2019
How a classical XSS can lead to persistent ATO Vulnerability? Milind Purswani (@MilindPurswani) & Yash Sodha (@y_sodha) - XSS, Account takeover - 06/19/2019
Facebook Vulnerability: Unremovable Co-Host in facebook group events Ritish Kumar Singh Facebook Logic flaw $500 06/19/2019
Account Takeover with Clickjacking Osama Avvan (@osamaavvan) - Clickjacking - 06/19/2019
XSS Filter Evasion m0z (@LooseSecurity) - XSS - 06/17/2019
Business user Employees could have applied block list to all ad accounts listed in the business manager. Rohit kumar (@rohitcoder) Facebook Authorization flaw, Logic flaw $500 06/17/2019
Reflected XSS in Tokopedia Train Ticket Jon Bottarini (@jon_bottarini) New Relic Reflected XSS IDR 3.000.000 (~ $212) 06/17/2019
Using Burp Suite match and replace settings to escalate your user privileges and find hidden features Jon Bottarini (@jon_bottarini) New Relic Client-side enforcement of server-side security $500 06/17/2019
Parameter Pollution issue in API resulting $XXX Smaran Chand (@smaranchand) - Parameter pollution - 06/17/2019
SQl Injection Injector Pca / SaadAhmed (@XSaadAhmedX) - SQL injection $500 06/17/2019
Bypassing XSS filter and Stealing User Payment Data Osama Avvan (@osamaavvan) - XSS $0 (Duplicate) 06/17/2019
Password Bypass and Something Else… Vibhurushi Chotaliya (@Vibhurushi) - Authentication bypass $600 06/16/2019
How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration? Muhammad Asim Shahzad Dropbox AWS flaw $1,500 06/16/2019
Account Takeover Worth $900 Injector Pca / SaadAhmed (@XSaadAhmedX) - Account takeover, CSRF $900 06/16/2019
Stealing Cookies to Login in any Account Osama Avvan (@osamaavvan) - Cookie theft $900 06/16/2019
Bug Bounty - Information Disclosure through error message + WAF Bypass led to Local File Inclusion Λявєη (@spenkkkkk) & Çlirim Emini (@0xcela) - WAF bypass, LFI, Information disclosure - 06/15/2019
Complete Web Server Access Injector Pca / SaadAhmed (@XSaadAhmedX) - Unrestricted file upload, RCE $500 06/15/2019
Fullscreen API Attack’s Revisited and the FaceBook NA Story Circle Ninja (@circleninja) Facebook Fullscreen API Attack $0 (N/A) 06/15/2019
XSSing Google Employees — Blind XSS on googleplex.com Thomas Orlita (@ThomasOrlita) Google Blind XSS - 06/15/2019
Admin Account total Information Disclosure Nishant Saurav (@inishantsinha) - Source code disclosure, Information disclosure $200 06/15/2019
IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR $500 06/14/2019
How spending our Saturday hacking earned us 20k Matti Bijnens (@MattiBijnens) - IDOR $20,000 06/14/2019
IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR - 06/14/2019
Chaining Improper Authorization To Race Condition To Harvest Credit Card Details : A Bug Bounty Story Mandeep Jadon (@1337tr0lls) - Authorization flaw, Race condition - 06/13/2019
Redstrom Denial Of Service — Write Up Zerb0a - DoS $0, Swag 06/12/2019
Reflected XSS on Error Page Tomi (@noobe_io) - Reflected XSS - 06/11/2019
Facebook Vulnerability: Non-unfriendable user in /hacked workflow Ritish Kumar Singh Facebook Logic flaw $1,500 06/11/2019
Account takeover using IDOR and the misleading case of error 403. Plenum (@plenumlab) - IDOR - 06/11/2019
IDOR Leads To Project Takeover Hariharan.s (@DJHARIZ1) - IDOR - 06/09/2019
Don’t underestimates the Errors They can provide good $$$ Bounty! Aditya Sharma (@Assass1nmarcos) Mamba Information disclosure, Path disclosure $200 06/07/2019
How I was able to get private ticket response panel and FortiGate web panel via blind XSS Bijan Murmu (@0xBijan) - Blind XSS $1,250 06/06/2019
Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) Nikhil Mittal (@c0d3G33k) Microsoft Browser bug $15,000 06/06/2019
Unicode vs WAF — XSS WAF Bypass Prial Islam Khan (@prial261) - XSS - 06/05/2019
Bypassing CSP with policy injection Gareth Heyes (@garethheyes) Paypal CSP bypass $900 06/05/2019
REMOTE CODE EXECUTION ! 😜 Recon Wins Vishnuraj - RCE - 06/04/2019
Chaining multiple low-impact bugs to arbitrary file read in GitLab Li Rongxi (@nyan_gawa) GitLab Directory traversal - 06/04/2019
Simple PathTraversal bypass fr0stNuLL - Path traversal - 06/03/2019
Missing access control at play store Vishwaraj Bhattrai (@vishwaraj101) Google Authorization flaw - 06/03/2019
The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise Avinash Jain (@logicbomb_1) - RFI, SSRF - 06/02/2019
Story of a uri based xss with some simple google dorking Jatin Aesthetic (@techyfreakk) - XSS - 06/02/2019
Edmodo Account Deactivation Vulnerability Shankar R Edmodo CORS misconfiguration $0 06/01/2019
My First CSRF to Account Takeover worth $750 Nishant Saurav (@inishantsinha) - CSRF, Account takeover $750 05/30/2019
Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty HackerOn2Wheels (@HackerOn2Wheels) - Stored XSS, MIME sniffing - 05/30/2019
Stored XSS on Edmodo Rohit Verma (@rv0x00) Edmodo Stored XSS - 05/28/2019
Source Code disclose Vulnerability Mohamed R. Serwah (@mohamedrserwah) - Source code disclosure - 05/27/2019
An unexploited CORS misconfiguration reflecting further issues. Smaran Chand (@smaranchand) - CORS misconfiguration - 05/27/2019
How did I bypass a Custom Brute Force protection and why that solution is not a good idea? dortz - Bruteforce, Authentication flaw - 05/25/2019
Disclose files content from Facebook internal CDNs Samm0uda (@samm0uda) Facebook Weak encryption $12,500 05/25/2019 Archived page
Google bug bounty: LFI on production servers in “springboard.google.Com” — $13,337 USD VulnerabilityLabs Google LFI $13,337 05/24/2019
Multiple API issues due to Fixed Authorization token. Mustafa Khan (@by6153) - Authorization flaw - 05/24/2019
From file upload to email:pass fr0stNuLL - Unrestricted file upload - 05/24/2019
Security assessment on the staging domains Tutorgeeks (@tutorgeeks) - Lack of authentication - 05/24/2019
Instagram GitHub Token with public_scope found In Travis CI Build Logs Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 05/24/2019
How I acquired $XXX bounty by investing 99 cents Smaran Chand (@smaranchand) - Logic flaw - 05/24/2019
Escalating subdomain takeovers to steal cookies by abusing document.domain Ameya (@iamTakeMyHand) Postmates Subdomain takeover - 05/23/2019
Determine a Facebook user from an email address Philippe Harewood (@phwd) Facebook Information disclosure $1,000 05/22/2019
Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts Family guy Google Privilege escalation, Authorization flaw - 05/21/2019
Local File Inclusion in peering.google.com Jafar Abo Nada (@Jafar_Abo_Nada) Google LFI $3,133.7 05/21/2019
Leaking OpenID tokens with “ — the bug right infront of you Zseano (@zseano) - OpenID flaw - 05/21/2019
WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD Omar Espino (@omespino) Google LFI $13,337 05/21/2019
Open-redirect to Account Takeover. Rishabh (@__cypher__) - Open redirect, Account takeover - 05/19/2019
A base64 encoded parameter. Navneet (@na5n33t) - HTML injection $75 05/19/2019
XSSed my way to 1000$ Gaurav Narwani (@gauravnarwani97) - XSS $1,100 05/17/2019
Stealing Downloads from Slack Users David Wells Slack CSRF - 05/17/2019
Bypassing Instagram’s stories restriction Baibhav Anand (@iBaibhavJha) Facebook Logic flaw $500 05/17/2019
‘Try-Harder’ for XSS Frans Hendrik Botes (@initroott) - Reflected XSS - 05/17/2019
From parameter pollution to XSS Mo’men Basel - Parameter pollution, XSS - 05/16/2019
You do not need to run 80 reconnaissance tools to get access to user accounts Stefano Vettorazzi (@stefanohablando) - Open redirect - 05/15/2019
Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties] Komodo Security Google Stored XSS, MIME sniffing - 05/15/2019
Think Outside the Scope: Advanced CORS Exploitation Techniques Ayoub (@sandh0t) - CORS misconfiguration $1,500 05/14/2019
Stored XSS on Techprofile Microsoft Mohammad Ali Syarief Microsoft Stored XSS - 05/09/2019
BLIND SSRF in *.stripe.com due to Sentry Misconfiguration Oktavandi (@0ktavandi) Stripe Blind SSRF - 05/09/2019
4x CSRFs Chained For Company Account Takeover A Bug’z Life (@abugzlife1) - CSRF, Account takeover $3,000 05/08/2019
pcextreme.nl fake bug bounty Daniel Maksimovic pcextreme.nl SSRF, XSS $0 (150€ + 150€ platform credit promised but not delivered) 05/08/2019
SQL injection through User-Agent fr0stNuLL - SQL injection - 05/08/2019
Subdomain takeover [Awarded $200] Friendly (@SkeletorKeys) ownCloud Subdomain takeover $200 05/07/2019
Server Side Request Forgery(SSRF){port issue hidden approch } Deepak Holani (@w_hat_boy) - SSRF - 05/03/2019
Tale of a Wormable Twitter XSS @0xSobky Twitter XSS $2,940 05/02/2019
Why You Shouldn’t Use a Password Manager For Your Linode Account @0xSobky Linode Account takeover, Information disclosure - 05/02/2019
XSS attacks on Googlebot allow search index manipulation Tom Anthony (@TomAnthonySEO) Google Logic flaw - 05/01/2019
Remote code execution On Microsoft edge using URL Protocol Matt harr0ey (@harr0ey) Microsoft RCE $0 (N/A) 05/01/2019
From NA to $3000 : Facebook’s URL spoofing vulnerability Rahul Kankrale (@RahulKankrale) Facebook URL spoofing $3,000 04/30/2019
Reply To Instagram Stories where privacy of who can reply is set to ‘Nobody’. Baibhav Anand (@SpongeBhav) Facebook Authorization flaw $500 04/30/2019
From Reflected XSS to Account Takeover — Showing XSS Impact A Bug’z Life (@abugzlife1) - Reflected XSS, Account takeover - 04/30/2019
Don’t Follow The Masses: Bug Hunting in JavaScript Engines Dimitri Fourny (@dimitrifourny) Google Buffer overflow $7,500 04/29/2019
Two-Factor Authentication Bypass Gaurav Narwani (@gauravnarwani97) - 2FA bypass - 04/29/2019
Broken Access: Posting to Google private groups through any user in the group Elber Andre (@Elber333) Google Authorization flaw $0 (N/A) 04/27/2019
Denial of Service using Cookie Bombing Ronak Patel (@ronak_9889) - DoS, Cookie bombing $350 04/26/2019
How to bypass a 2FA with a HTTP header Yumi - 2FA bypass - 04/26/2019
for PayPal security team,“get user balances and transaction details” is not a vulnerability! Todaro (@tod4ro) Paypal Information disclosure $0 (N/A) 04/26/2019
Missing Authorization check while deleting App Review for Marketing API Family guy Facebook Authorization flaw - 04/25/2019
Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) - Stored XSS, Account takeover $800 04/25/2019
The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! Avinash Jain (@logicbomb_1) - LFI, SSRF, Cloudflare bypass - 04/25/2019
CSRF Attack can lead to Stored XSS Mohamed Sayed (@FlEx0Geek) - CSRF, Stored XSS - 04/25/2019
A picture that steals data Sergey Kashatov (@iframe0x01) - Information disclosure - 04/24/2019
Getting access to Zendesk’s Google Cloud and Artifactory from GitHub dotfile repos Ruby Nealon (@_ruby) Zendesk Information disclosure $3,000 04/23/2019
Facebook’s Burglary Shopping List John Moss (@x41x41x41) Facebook Information disclosure $5,000 04/23/2019
The neglected bug that can infect All Facebook users who pay for leads ads. Hesham Watany Facebook CSV injection $0 (Out of scope) 04/23/2019
Yet Other Examples of Abusing CSRF in Logout Soroush Dalili (@irsdl) - CSRF - 04/23/2019
[XSS] Reflected XSS Bypass Filter Mohamed Sayed (@FlEx0Geek) - Reflected XSS - 04/23/2019
Disclose the content of internal Facebook Javascript modules. Samm0uda (@samm0uda) Facebook Authorization flaw - 04/22/2019 Archived page
Ssrf to Read Local Files and Abusing the AWS metadata Pratik Yadav (@PratikY9967) - SSRF - 04/21/2019
[CONFIRMATION BYPASS ] Navneet (@na5n33t) - Email confirmation bypass, Information disclosure N/A (VDP) 04/21/2019
Twitter - protected tweets exposure terjanq (@terjanq) Twitter Information disclosure $560 04/19/2019
Responsible disclosure: improper access control in Gitlab private project. Riccardo Padovani (@rpadovani93) GitLab Authorization flaw $2,000 04/19/2019
Scary Tickets😨 Uranium238 (@uraniumhacker) - Ticket Trick - 04/19/2019
PDFReacter SSRF to ROOT Level Local File Read which led to RCE Armaan Pathan (@armaancrockroax) - SSRF, RCE - 04/18/2019
Code execution - Evernote Dhiraj (@mishradhiraj_) Evernote RCE, Path traversal - 04/17/2019
How I was able to Bypass XSS Protection on HackerOne’s Private Program Security Executions Code BugHunter - XSS - 04/16/2019
Banner Grabbing to DoS and Memory Corruption Daniel V. (@d4niel_v) - DoS, Information disclosure - 04/16/2019
A $5000 IDOR… Mr.Hacker (@mr_hacker0007) - IDOR $5,000 04/16/2019
How i found credential enriched redis dump Ashish Kunwar (@D0rkerDevil) - File disclosure, Information disclosure $0 04/16/2019
Just 5 minute to get my 2nd stored XSS on Edmodo.com ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS $0, Swag 04/15/2019
How I hacked Vending Machine Valeriy Shevchenko (@Krevetk0Valeriy) - Violation of secure design principles €300 gift card 04/15/2019
Google Groups Authorization Bypass Daniel Marad Google Authorization flaw $500 04/15/2019
The Outlook Winner is Dash marcan2020 (@marcan2020) Microsoft Authorization flaw $0 (N/A) 04/15/2019
How I gained access to revenue and traffic data of thousands of Shopify stores Ayoub Fathi (@ayoubfathi) Shopify IDOR $0 (Policy violation) 04/15/2019
Web Cache Deception to API endpoint attack using cached token header Kunal pandey (@kunalp94) - Web cache deception $250 04/13/2019
[RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638) Mohamed Haron (@m7mdharon) - RCE $2,250 04/12/2019
Unauthenticated Account Takeover Through HTTP Leak Nik srivastava (@niksthehacker) - HTML injection, HTTP Leak, Account takeover - 04/11/2019
Account Takeover by chaining two vulnerabilities. Sheraz Khalid - CSRF, Open redirect, Account takeover - 04/10/2019
Multiple xss in *.skype.com & Multiple xss in *.skype.com (2) Jayateertha Guruprasad (@JayateerthaG) Microsoft XSS $0, HoF 04/10/2019
Spokeo Bug bounty Experience Nur A Alam Dipu Spokeo XSS $0 (Can’t reproduce) 04/10/2019
Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652 Julien Ahrens (@MrTuxracer) Dropbox (Dell KACE vendor) RCE - 04/09/2019
SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central Elber Andre (@Elber333) Microsoft SSRF, XSPA - 04/09/2019
Obtaining XSS Using Moodle Features and Minor Bugs Daniel Thatcher Moodle Login CSRF, XSS N/A (VDP) 04/09/2019
Obtaining XSS Using Moodle Features and Minor Bugs Daniel Thatcher - CSRF - 04/09/2019
XSS “403 forbidden” bypass (Akamai Security )write up Security Executions Code BugHunter - XSS - 04/08/2019
How I got a trip to amsterdam through bug bounty Ninad Mathpati (@ninad_mathpati) - Bruteforce - 04/07/2019
Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice Ron Chan (@ngalongc) Uber SSRF, Path traversal, Account takeover - 04/07/2019
Email content spoofing at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea Email content spoofing $50 04/06/2019
Edmodo — IDOR to view private files of any class Rohan Pagey (@rohan_x3) Edmodo IDOR - 04/06/2019
Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers Armaan Pathan (@armaancrockroax) PortSwigger MiTM - 04/06/2019
Google Ads — Information Disclosure via null pointer exception Valerio brussani (@val_brux) Google Information disclosure - 04/04/2019
Handlebars template injection and RCE in a Shopify app Mahmoud Gamal (@Zombiehelp54) Shopify SSTI, RCE $10,000 04/04/2019
Leaked Salesforce API access token at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea Information disclosure $250 04/04/2019
DownNotifier SSRF _m_q_t (@_m_q_t) DownNotifier SSRF - 04/04/2019
How I am able to hijack you. terjanq (@terjanq) Google Logic flaw - 04/03/2019
Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow Ritish Kumar Singh Facebook Logic flaw $1,000 04/02/2019
FileZilla Untrusted Search Path & FileZilla ‘fzsftp’ Untrusted Search Path Chris Lyne (@lynerc) FileZilla (EU-FOSSA 2) RCE - 04/02/2019
How I was able to get your facebook private friend list [Responsible Disclosure] Raja Sekar Durairaj Facebook Information disclosure $10,000 04/01/2019
EdM0d0 IDOR Vulnerabilities Pratyush Anjan Sarangi Edmodo IDOR $0, Swag 04/01/2019
Comma is forbidden! No worries!! Inject in insert/update queries without it Ahmed Sultan (@0x4148) - SQL injection $10,000 03/31/2019
Recon in 2 minutes and got $250 easy Cryptographer Snapchat Missing secure flag $250 03/31/2019
How I was able to turn self xss into reflected xss Hein Thant Zin (@H3Lowr) - Reflected XSS $300 03/31/2019
alert(“A tale of 3 XSS!”) Gaurav Narwani (@gauravnarwani97) - XSS - 03/29/2019
My very first bug: a dreaded dupe and then an IDOR jackpot! John H4X00R (@JohnH4X00R) Yahoo IDOR $5,000 03/28/2019
How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup) Yash Sodha (@y_sodha) Google CSRF $3,133.70 03/26/2019
An Unusual Bug 🐛 on Braintree [PayPal] PRince CHaddha (@princechaddha) Paypal DoS $3,200 03/25/2019
Twitter Denial of Service bug or How i could prevent all followers from reading or accessing literally ANY tweets! Seif Elsallamy Twitter DoS $1,120 03/25/2019
Stored (XSS) on [google.com] Security Executions Code BugHunter Google Stored XSS - 03/25/2019
Stored XSS in the guide’s GameplayVersion (www.dota2.com) Security Executions Code BugHunter Dota 2 Stored XSS $750 03/25/2019
Self (XSS) on [komunitas.bukalapak.com] Security Executions Code BugHunter Bukalapak Self XSS $50 03/25/2019
Reflected (XSS)on [alibabacloud.com] Security Executions Code BugHunter Alibaba Reflected XSS - 03/25/2019
Self (XSS) on [komunitas.bukalapak.com] Komodo Security Google Authorization flaw $500 03/25/2019
Facebook Marketing Confidential Call Transcript Philippe Harewood (@phwd) Facebook Information disclosure $500 03/24/2019
Google Books X-Hacking terjanq (@terjanq) Google XS-Search $1,337 03/21/2019
How to hunt for Malvertising ads on Android Kyle (@B3nac) - Android flaw - 03/21/2019
A real XSS in OLX Bug Bounty Paulo Choupina (@PauloChoupina) OLX Reflected XSS N/A (VDP) 03/21/2019
Slack announcement-only channel post restriction bypass Rodney Beede Slack Authorization flaw, Logic flaw $0, Out of scope 03/20/2019
Disclose private/scheduled streams of any Livestream user due to open .m3u8 endpoint Abss TBH (@abss_tbh) Livestream Information disclosure $1,000 03/20/2019
Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560) Kevin Backhouse (@kevin_backhouse) Facebook Integer overflow $10,000 03/19/2019
Discovering a zero day and getting code execution on Mozilla’s AWS Network Shubham Shah (@infosec_au) & Mathias Karlsson (@avlidienbrunn) Mozilla RCE $500 03/19/2019
DoS Across Facebook Endpoints Max Pasqua Facebook DoS $750 03/19/2019
From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin Heige (@80vul) Microsoft DOM XSS $0 03/19/2019
Should you be concerned about LastPass uploading your passwords to its server? Wladimir Palant (@WPalant) LastPass Information disclosure, Logic flaw - 03/18/2019
Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) OLX Reflected XSS $0, HoF 03/17/2019
Disclosure of Pending Roles for any Facebook Page Avinash Kumar (@itsavinash_) Facebook IDOR $4,000 03/16/2019
Target Finds Cross-Site Scripting in Microsoft SharePoint Target Microsoft XSS - 03/15/2019
How I was able to pwned 30000+ user’s webhook gujjuboy10x00 (@vis_hacker) - IDOR - 03/14/2019
Privilege escalation on private program. Imran Parray (@CreedHackers) - Privilege escalation, Information disclosure - 03/14/2019
User Account Takeover [Password Change]— Nice Catch! Rohit kumar (@rohitcoder) - Account takeover, Password reset flaw - 03/14/2019
Write up – $1,000 usd in 5 minutes, xss stored in outlook.com (ios browsers) Omar Espino (@omespino) Microsoft Stored XSS $1,000 03/14/2019
WordPress 5.1 CSRF to Remote Code Execution Simon Scannell (@scannell_simon) WordPress CSRF, RCE, HTML injection $950 03/13/2019
OLX Bug Bounty: Reflected XSS Mukhammad Akbar (@abaykandotcom) OLX Reflected XSS - 03/13/2019
My First Stored XSS on Edmodo.com ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS - 03/13/2019
Hack Your Form-New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) - Blind XSS, Stored XSS $800 03/13/2019
How I found Blind XSS Vulnerability in redacted.com ssid (@newp_th) - Blind XSS - /27/2019
Inserting malware into anyone’s Google Earth Projects Archive Thomas Orlita (@ThomasOrlita) Google IDOR, XSS, Authorization flaw $0 03/29/2019
Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. Armaan Pathan (@armaancrockroax) - CSRF, Bruteforce - 03/12/2019
Escalating SSRF to RCE Youssef A. Mohamed (@GeneralEG64) - SSRF, RCE - 03/12/2019
CVE-2018-16794 on fs.thefacebook.com Philippe Harewood (@phwd) Facebook SSRF $1,000 03/11/2019
SQL injection for $50 bounty, but still worth reading!! Ronaldo Messi - SQL injection $50 03/10/2019
Account Takeover Using Cross-Site WebSocket Hijacking (CSWH) Sharan Panegav (@PanegavSharan) - Cross-Site WebSocket Hijacking (CSWH), Account takeover - 03/09/2019
Vimeo SSRF with code execution potential. Harsh Jaiswal (@rootxharsh) Vimeo SSRF $5,000 03/08/2019
Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack Ron Masas Facebook Side-channel attack, Cross-Site Frame Leakage (CSFL) - 03/07/2019
Facebook Messenger server random memory exposure through corrupted GIF image Dzmitry Lukyanenka (@vulnano) Facebook Information disclosure $10,000 03/06/2019
3 XSS in ProtonMail for iOS Vladimir Metnew (@vladimir_metnew) Apple XSS $1,000 03/06/2019
Fixed : Register any email address on Facebook Account Sameer Rao Facebook Authorization flaw - 03/05/2019
Fixed : Brute-force Instagram account’s passwords Sameer Rao Facebook Bruteforce, Rate limiting bypass - 03/05/2019
Facebook exploit – Confirm website visitor identities Tom Anthony (@TomAnthonySEO) Facebook Information disclosure, IDOR $1,000 03/04/2019
Auditing GitHub Repo Wikis for Fun and Profit Smeege (@SmeegeSec) - Misconfigured Github wiki $500 03/04/2019
XSS in Edmodo within 5 Minute (My First Bug Bounty) Vala Keyur (@valakeyur) Edmodo Reflected XSS - 03/04/2019
A simple Account takeover misusing JWT late expiration Scalar (@mrprajapati_360) - Authorization flaw, Logic flaw - 03/03/2019
Bypassing a restrictive JS sandbox Licencia para Hackear Private program, static-eval library JS sandbox breakout, RCE - 03/01/2019
Yet Another (unexpected) Hack for Bounty Pumudu Ruhunage Sli.do Information disclosure $150 03/01/2019
Horizontal Privilege Escalation on Quora which can compromise all users on Quora SpyD3r (@TarunkantG) Quora Privilege escalation - 02/26/2019
[Still work] Redirect Yahoo Subdomain XSS Reflected from americangreetings.com Mohamed Haron (@m7mdharon) Yahoo Reflected XSS - 02/26/2019
How I alert(1) in Azure DevOps SpyD3r (@TarunkantG) Microsoft XSS, CSP bypass - 02/26/2019
Web Cache Deception Attack leads to user info disclosure Kunal pandey (@kunalp94) - Web cache deception, Information disclosure $300 02/25/2019
Chain of hacks leading to Database Compromise! Avinash Jain (@logicbomb_1) - LFI, SSRF - 02/23/2019
Bug Bounty 101 — Always Check The Source Code Mohamed Haron (@m7mdharon) - Lack of rate limiting, Information disclosure - 02/23/2019
Download any organisation Data — S3 amazonaws Misconfiguration Chand Singh (@Chand_42) - Authorization flaw $2,500 02/22/2019
Subdomain Misconfiguration lead to AWS S3 Buckets Reader Mohamed Haron (@m7mdharon) - Subdomain takeover $800 02/22/2019
Exploiting Google Calendars Rojan Rijal (@uraniumhacker) & Brandon Nguyen (@cmdrsnuggle) Uber, Shopify, Netflix Authorization flaw, Information disclosure - 02/22/2019
Swiss_E-Voting_Publications setuid0 (@setuid0) Swiss E-Voting XSS, XXE, RCE, Lack of authentication, Authentication flaw, Hardcoded credentials - 02/21/2019
Abusing autoresponders and email bounces Inti De Ceukelaire (@securinti) Google, Intigriti Information disclosure, Logic flaw - 02/21/2019
Reflected XSS at https://photos.shopify.com/ Ahamed Morad (@Modam3r5) Shopify Reflected XSS $0, Out of scope 02/21/2019
How I Registered Multiple Accounts in PrivateInternetAccess VPN Service for FREE Spade PrivateInternetAccess VPN Logic flaw $1,000 02/20/2019
Bug Writeup: FBCTF IDOR George Osterweil Facebook IDOR $0, Duplicate 02/20/2019
Leakage of Client Secret, Server tokens of all Uber developer applications Anand Prakash (@sehacure) Uber Information disclosure $5,000 02/19/2019
Multiple Stored XSS On Tokopedia Apapedulimu (@Apapedulimu) Tokopedia Stored XSS, Blind XSS - 02/19/2019
Using URI to pop shells via the Discord Client RagSec (@rag_sec) Discord URI abuse, Social engineering $0 (OOS) 02/18/2019
DoS on WAF Protected Sites by Abusing Cookie Anas Mahmood (@AnasIsHere) Upwork DoS $400 02/18/2019
2 Subdomains Takeover via Unbounce in a Private Program Mohamed Haron (@m7mdharon) - Subdomain takeover $0 (Duplicate) 02/18/2019
Stored XSS on Edmodo Rohit kumar (@rohitcoder) Edmodo Stored XSS $0 (Duplicate) 02/18/2019
$1.000 SSRF in Slack Elber Andre (@Elber333) Slack SSRF $1,000 02/17/2019
Bypass password confirmation in Facebook “DYI” feature Samm0uda (@samm0uda) Facebook Authorization flaw, IDOR - 02/16/2019 Archived page
Facebook/Workplace Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk Rohit kumar (@rohitcoder) Facebook Information disclosure $1,000 02/16/2019
Subdomain Takeover via Wufoo Service in a Private Program Mohamed Haron (@m7mdharon) - Subdomain takeover - 02/16/2019
Open Redirect in SLACK Mukhammad Akbar (@abaykandotcom) Slack Open redirect $0 (N/A) 02/16/2019
Bypassing rate limit abusing misconfiguration rules Daniel V. (@d4niel_v) - Rate limiting bypass - 02/15/2019
Subdomain Takeover via HubSpot Mohamed Haron (@m7mdharon) - Subdomain takeover - 02/15/2019
Souq.com Subdomain Takeover via jazzhr.com service Mohamed Haron (@m7mdharon) Souq.com Subdomain takeover $0 (Informative) 02/15/2019
Never Stop at Banner Grabbing Gaurav Narwani (@gauravnarwani97) - Information disclosure $241.93 02/14/2019
Third Party Android App Storing Facebook Data Insecurely (Facebook Data Abuse Program) Nightwatch Cybersecurity (@nightwatchcyber) Facebook Information disclosure, Lack of authentication - 02/14/2019
[SSRF] Server Side Request Forgery in a private Program developers.example.com Mohamed Haron (@m7mdharon) - SSRF $200 02/14/2019
Disclose private attachments in Facebook Messenger Infrastructure - 15,000$ Sarmad Hassan (@JubaBaghdad) Facebook IDOR $15,000 02/13/2019
Facebook CSRF protection bypass which leads to Account Takeover Samm0uda (@samm0uda) Facebook CSRF $25,000 02/12/2019 Archived page
Hacking YouTube for #fun and #profit Alexandru Coltuneac (@dekeeu) Google IDOR - 02/12/2019
Export Facebook audience network reports of any business Samm0uda (@samm0uda) Facebook Authorization flaw - 02/12/2019 Archived page
I Found Clickjacking on Google CSE. Is This Important? Mukhammad Akbar (@abaykandotcom) Google Clickjacking $0 02/10/2019
Csrf Bypass Using Cross Frame Scripting Mr.Hacker (@mr_hacker0007) - CSRF - 02/10/2019
How I hacked ASUS? Mustafa Kemal Can (@muskecan) Asus RCE, Unrestricted file upload - 02/09/2019
Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program. Sahil Tikoo (@viperbluff) - Information disclosure - 02/09/2019
Design Flaws - Scenario One and Fix Alli-Balogun Faruq (@node_shack) - Logic flaw - 02/08/2019
Paypal’s Security Check Bypassed Anees Khan (@AneesEthical) Paypal Logic flaw $0 (N/A) 02/08/2019
Internal paths disclosure due to improper exception handling Samm0uda (@samm0uda) Facebook Information disclosure - 02/07/2019 Archived page
Leak of private/in-development app ids, names and translation requests Samm0uda (@samm0uda) Facebook IDOR - 02/07/2019 Archived page
LFI To 10 Servers Pwn Nirmal Dahal (@TheNittam) - LFI, RCE - 02/07/2019
How i was able to dump SqlDB | Simple bug clever idi0t - Directory listing, SQL injection, Authentication bypass - 02/07/2019
Cache Deception: How I discovered a vulnerability in Medium and helped them fix it Yuval Shprinz Medium Cache deception $100, Swag 02/06/2019
Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard Lee Christensen (@tifkin_) Microsoft Path traversal, RCE - 02/06/2019
Jumping Over The Fence Shahar Albeck - Open redirect - 02/05/2019
How I hacked 40,000 user accounts of Microsoft using 2FA bypass(outlook.live.com) Vartul Goyal (@hackvartul) Microsoft 2FA bypass $0 02/05/2019
Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages Paul (@padannewitz) - Mass assignment $5,000 02/05/2019
Reverse RDP Attack: Code Execution on RDP Clients Eyal Itkin Microsoft Path traversal $0 02/05/2019
A Unique XSS Scenario in SmartSheet || $1000 bounty Rohan Chavan (@rohanchavan1918) Smartsheet Stored XSS $1,000 02/03/2019
How I was able to Extract Information of Other Users- Exploiting IDOR Rupika Luhach (@Rup_Ki_Rani) Knowyourmeds.com IDOR $0 (Duplicate) 02/02/2019
LFI in Apigee portals @wtm_offensi Google LFI - 01/31/2019
How I found a simple bug in Facebook without any Test Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw - 01/31/2019
$7.5k Google Cloud Platform organization issue Ezequiel Pereira (@epereiralopez) Google Logic flaw $7,500 01/30/2019
How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds. Piyush Raj (@0x48piraj) WeeQuizz Information disclosure $0 (No response) 01/30/2019
Publish tweets by any other user Kedrisec (@kedrisec) Twitter IDOR $7,560 01/30/2019
Guest blog: Eray Mitrani - Hacking isn’t an exact science Eray Mitrani (@ErayMitrani) - Authorization flaw - 01/29/2019
Protonmail XSS — Stored Chand Singh (@Chand_42) Protonmail Stored XSS, Bruteforce - 01/29/2019
Unsecured access to personal data of a million Leo Express users Thomas Orlita (@ThomasOrlita) Leo Express Authorization flaw, XSS - 01/29/2019
Hijacking accounts by retrieving JWT tokens via unvalidated redirects Shawar Khan (@ShawarkOFFICIAL) - Open redirect, Token theft - 01/27/2019
A short tale of Account verification bypass Satyendra Kumar - Email verification bypass, Authorization flaw - 01/27/2019
Chaining Tricky OAuth Exploitation To Stored XSS Rohan aggarwal (@nahoragg) - Stored XSS, OAuth flaw - 01/27/2019
Misconfiguration-Whatsapp Messenger Pratheesh P Narayanan Facebook Logic flaw $0 (Informative) 01/26/2019
AntiHack IDOR on Create Submission Syahrul Akbar Rohmani (@sahruldotid) AntiHack.me IDOR $0, Swag 01/26/2019
Facebook Change Product Availability as a PageAnalyst onehackzero Facebook Logic flaw, Authorization flaw - 01/25/2019
How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc) Luke Berner Google, Microsoft, Facebook Logic flaw, Authentication flaw - 01/25/2019
Magento – RCE & Local File Read with low privilege admin rights Daniel Le Gall (@Blaklis_) Magento LFI, RCE, Path traversal - 01/24/2019
Antihack.me Blind XSS To PHP File Upload Vulnerability SayCure (@SaycureIO) AntiHack.me Blind XSS - 01/24/2019
Privilege Escalation to Highest Admin Privileges Gaurav Narwani (@gauravnarwani97) - IDOR, Privilege escalation - 01/23/2019
Frappé Technologies ERPNext Server Side Template Injection Brian Hyde ERPNext SSTI $0 01/23/2019
Enroll in Facebook Ad-break program without Facebook approval Samm0uda (@samm0uda) Facebook Logic flaw, Authorization flaw - 01/22/2019 Archived page
Disclose page’s admins and its Monetization payout details Samm0uda (@samm0uda) Facebook IDOR, Information disclosure - 01/22/2019 Archived page
Disclose page violations and its eligibility to use Ad-breaks Samm0uda (@samm0uda) Facebook IDOR, Information disclosure - 01/22/2019 Archived page
Disclose Instagram business account linked to a Facebook page Samm0uda (@samm0uda) Facebook IDOR, Information disclosure - 01/22/2019 Archived page
Change payment account of any Facebook commerce page Samm0uda (@samm0uda) Facebook Logic flaw, Authorization flaw - 01/22/2019 Archived page
Expose business email and payment account balance of any Facebook commerce page. Samm0uda (@Samm0uda) Facebook IDOR, Information disclosure - 01/22/2019
Reveal if a Facebook merchant page has pending or completed orders. Samm0uda (@Samm0uda) Facebook IDOR, Information disclosure - 01/22/2019
Bruteforce Instagram account’s passwords (lack of rate limiting protection). Samm0uda (@samm0uda) Facebook Bruteforce, Lack of rate limiting - 01/22/2019
Generate Access Tokens for any Facebook user Samm0uda (@samm0uda) Facebook IDOR - 01/22/2019
Modify users profiles of techprep.fb.com Samm0uda (@samm0uda) Facebook Authorization flaw - 01/22/2019
Uploading files to api.techprep.fb.com Samm0uda (@samm0uda) Facebook File upload XSS - 01/22/2019
Reflected XSS in Zomato Sudhanshu Rajbhar (@sudhanshur705) Zomato Reflected XSS $250 01/21/2019
How I Found and Reporting Vulnerabilities to AntiHack.me by Tomi Tomi (@nahoragg) AntiHack.me IDOR, LFI $0, Swag 01/20/2019
A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram Rohan aggarwal (@nahoragg) - CORS misconfiguration - 01/20/2019
Oauth Misconfiguration lead to complete account takeover Jackson kv (@Jacksonkv22) - CSRF, OAuth flaw, Account takeover - 01/20/2019
XSS Through SWF file! Friendly (@SkeletorKeys) - SWF XSS $200 01/18/2019
Bypass Content Security Policy framing restriction rule - OLX Taha Ibrahim Draidia OLX CSP bypass - 01/17/2019
Command Injection PoC NoGe - Command injection - 01/15/2019
Facebook Vulnerability: Unremovable facebook group admin Ritish Kumar Singh Facebook Logic flaw $500 01/15/2019
#BugBounty How I Hack Billion $ Company Sadiq West - Directory listing $500 01/15/2019
Abusing MySQL clients to get LFI from the server/client Jarkko Vesiluoma (@jvesiluoma) - LFI - 01/15/2019
Gaining access to Uber’s user data through AMPScript evaluation Shubham Shah (@infosec_au) Uber AMPScript injection $23,000 01/14/2019
Turning Self XSS to good XSS via access control Yusuf Yazir (@Hacklad) - Stored XSS, Self XSS - 01/13/2019
Hack Your Form – New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) Facebook Blind XSS $800 01/13/2019
Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty Ajay Gautam (@evilboyajay) Facebook IDOR - 01/11/2019
Facebook PageAnalyst Could Add oneself as Moderator on Group onehackzero Facebook Authorization flaw - 01/11/2019
AntiHack.me Multiple Vulnerabilities Tomi AntiHack.me LFI, IDOR $0, Swag 01/11/2019
View the contact list for a Messenger Kid as a parent-approved contact Philippe Harewood (@phwd) Facebook Authorization flaw - 01/08/2019
Tips for bug bounty beginners from a real life experience Renaud Martinet (@karouf) YNAB XSS, SQL injection $1,500 01/08/2019
When Cookie Hijacking + HTML Injection become dangerous Daniel V. (@d4niel_v) - Cookie Hijacking, HTML Injection - 01/07/2019
Reflected XSS ON ASUS. Thejus Krishnan Asus Reflected XSS $0, HoF 01/06/2019
Stored XSS Via Alternate Text At Zendesk Support Hariharan.s (@DJHARIZ1) Zendesk Stored XSS - 01/06/2019
How I hacked Altervista.org Jacopo Tediosi (@jacopotediosi) Altervista Open redirect $0, HoF 01/05/2019
Facebook Android Application Ashley King (@AshleyKingUK) Facebook Authorization flaw $750 01/05/2019
How I could have taken over any Pinterest account Arnold Anthony (@armold9anthony) Pinterest CSRF, Account takeover $2,400 01/05/2019
How I stumbled upon a Stored XSS(My first bug bounty story). Parth Shah Edmodo Stored XSS - 01/04/2019
Cookie Based Self-XSS to Good XSS Brian Hyde - XSS $616 01/04/2019
Stealing Side-Channel Attack Tokens in Facebook Account Switcher Max Pasqua Facebook Token theft $1,000 01/04/2019
Yes I can see your OTP Vulnerables - IDOR - 01/03/2019
A Tricky Open Redirect Anas Mahmood (@AnasIsHere) - Open Redirect $200 01/03/2019
How I was able to Harvest other Vine users IP address Prial Islam Khan (@prial261) Vine IDOR $5,040 01/02/2019
How i found web shell on AntiHack.me and Awarded Gold Coin And SWAG Rudra Sarkar (@rudr4_sarkar) AntiHack.me RCE - 01/01/2019
A Curious Case From Little To Complete Email Verification Bypass Megaman (@N0_M3ga_Hacks) - Email validation bypass, Authorization flaw - 01/01/2019

Bug bounty writeups published in 2018

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date Link 2 / Archived page
Tale of a Misconfiguration in Password Reset Shuaib Oladigbolu (@_sawzeeyy) - Password reset flaw - 12/30/2018
Bypassing Access Control in a Program on Hackerone !! Sahil Tikoo (@viperbluff) Hackerone Authorization flaw - 12/30/2018
How I was able to delete Google Gallery Data [IDOR] Yogesh Tantak Google IDOR - 12/30/2018
Abusing ACL Permissions to Overwrite other User’s Uploaded Files/Videos on s3 Bucket Armaan Pathan (@armaancrockroax) - Unrestricted file upload, Authorization flaw - 12/30/2018
How I Takeover Wordpress Admin fiiipay.my Syahrul Akbar Rohmani (@sahruldotid) FiiiPay Account takeover, Default CMS files S$ 300 (~ $408) 12/28/2018
How I Was Able To Takeover All User Account And Admin Panel Dipak kumar Das (@d1pakdas) - IDOR, Account takeover $1,500 12/28/2018
Reflected XSS on ws-na.amazon-adsystem.com(Amazon) ssid (@newp_th) Amazon Reflected XSS - 12/27/2018
From Hunting for a Laptop to Hunting down Remote Code Execution Anil Tom (mr_4nk) Asus RCE, WebDAV flaw $0, HoF 12/27/2018
RCE in nokia.com Sampanna Chimoriya Nokia RCE $0, HoF 12/27/2018
Unauthenticated user can upload an attachment at HackerOne Ahamed Morad (@Modam3r5) Hackerone Authorization flaw $0 (Duplicate) 12/24/2018
Tokopedia Account Takeover Bug Worth 8 Million IDR Mukul Lohar (@ironfisto) Tokopedia Password reset flaw, Account takeover - 12/24/2018
Server-side Request Forgery in OpenID support Putra Adhari Liberapay SSRF - 12/24/2018
Client side validation strikes again: PIN code bypass ! Davy (@RandoriSec) Netflix, Linxo Client-side validation bypass, Authentication bypass, Authorization flaw - 12/22/2018
How I accidentally found a clickjacking “feature” in Facebook Lasq (@lasq88) Facebook Clickjacking $0 12/21/2018
XSS worm – A creative use of web application vulnerability Nicolas Heiniger (@NicolasHeiniger) Swisscom XSS - 12/21/2018
Facebook BugBounty — Disclosing page members Nirmal Thapa (@tnirmalz) Facebook Information disclosure - 12/20/2018
Facebook BugBounty - Disclosing page members Nirmal Thapa / mpz (@tnirmalz) Facebook Information disclosure - 12/20/2018
Story of my two (but actually three) RCEs in SharePoint in 2018 Soroush Dalili (@irsdl) Microsoft RCE $0 12/19/2018
Exploiting Two Endpoints to get Account Takeover Hritik Sharma - Authorization flaw, Privilege escalation - 12/19/2018
Asus’S Admin Panel Auth Bypass Mustafa Khan (@by6153) Asus Authentication bypass - 12/18/2018
WordPress Privilege Escalation through Post Types Simon Scannell Wordpress Privilege escalation, Stored XSS, Object Injection - 12/17/2018
Subdomain Takeover — New Level Valeriy Shevchenko (@Krevetk0Valeriy) - Subdomain Takeover - 12/17/2018
Reading ASP secrets for $17,000 Sam Curry (@samwcyo) - Local file disclosure (LFD) $17,000 12/16/2018
Accessing VoIP Internal service via Port 8009: Routing traffic through local Apache proxy Ahmed A. Sherif - Information disclosure - 12/16/2018
Self XSS to Interesting Stored XSS Rohan aggarwal (@nahoragg) - Stored XSS - 12/15/2018
How i hacked help desk of a Company Ali Razzaq (@AliRazzaq_) - Ticket Trick - 12/15/2018
Remote Code Execution on a Facebook server Daniel Le Gall (@Blaklis_) phpMyAdmin LFI, RCE, CSRF - 12/14/2018
XSSing Google Code-in thanks to improperly escaped JSON data Thomas Orlita (@ThomasOrlita) Google XSS - 12/14/2018
$3k Bug Bounty - Twitter’s OAuth Mistakes Terence Eden (@edent) Twitter OAuth flaw $2,940 12/14/2018
Unremovable Tags In Facebook Page Reviews Max Pasqua Facebook Logic flaw, DoS $500 12/14/2018
Chaining Two Vulnerabilities to Break Facebook Appointment Times For the Second Time Max Pasqua Facebook Logic flaw, DoS $500 12/14/2018
#BugBounty — “User Account Takeover-I just need your email id to login into your shopping portal account” Avinash Jain (@logicbomb_1) - OAuth flaw, Authentication bypass, Account takeover - 12/13/2018
Exploiting XXE with local DTD files Arseniy Sharoglazov (@_mohemiv) - XXE - 12/13/2018
Pilot Into Facebook Group Support Jane Manchun Wong (@wongmjane) Facebook Logic flaw, Authorization flaw $0 12/13/2018
[Open redirect] Developers are lazy(or maybe busy) KatsuragiCSL (@ZuuitterE) - Open redirect $150 12/12/2018
Second bite on GitLab, and some interesting Ruby functions/features Nyangawa Gitlab RCE $10,000 12/12/2018
From blind XXE to root-level file read access Pieter Hiele (@honoki) - Blind XXE - 12/12/2018
How i was able to pwned application by Bypassing Cloudflare WAF gujjuboy10x00 (@vis_hacker) - WAF bypass - 12/12/2018
Microsoft Account Takeover Vulnerability Affecting 400 Million Users Aviva Zacks Facebook Subdomain takeover, OAuth flaw - 12/11/2018
How I could have stolen your photos from Google - my first 3 bug bounty writeups Gergő Turcsányi (@GergoTurcsanyi) Google Parameter tampering, Authorization flaw, IDOR $4,133.7 12/11/2018
How I was able to generate Access Tokens for any Facebook user. Samm0uda (@Samm0uda) Facebook IDOR, Information disclosure - 12/11/2018
Bruteforcing Instagram account’s passwords without limit. Samm0uda (@Samm0uda) Facebook Bruteforce, Lack of rate limiting - 12/11/2018
A Misconfiguration in techprep.fb.com REST API allowed me to modify any user profile. Samm0uda (@Samm0uda) Facebook Authorization flaw - 12/11/2018
How i was able to upload files to api.techprep.fb.com Samm0uda (@Samm0uda) Facebook Unrestricted file upload, XSS - 12/11/2018
Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over Plenum (@plenumlab) - Account takeover, Privilege escalation, Bruteforce - 12/10/2018
My first bug bounty writeup Sampanna Chimoriya Indeed XSS, HTML injection - 12/10/2018
Change Anyone’s profile picture-Exploiting IDOR Rupika Luhach (@Rup_Ki_Rani) - IDOR - 12/09/2018
Proof Of Concept Nokia Cross Site Scripting Adesh Nandkishor kolte (@AdeshKolte) Nokia XSS $0, HoF 12/09/2018
How I was Able To Bypass Email Verification Muzammil Kayani (@muzammilabbas2) - Information disclosure $200 12/08/2018
RCE in Hubspot with EL injection in HubL Fyoorer (@fyoorer) Hubspot RCE - 12/07/2018
Facebook WhiteHat: Able to access group plan even after leaving the group Family guy Facebook Authorization flaw, Logic flaw - 12/06/2018
Billion Laugh Attack in https://sites.google.com Antonio Sanso (@asanso) Google Billion laugh attack, DoS $500 12/05/2018
XSS to XXE in Prince v10 and below (CVE-2018-19858) Corben Leo (@hacker_) - XSS, XXE - 12/05/2018
Complete User Account Takeover on an Android Application Gaurav Narwani (@gauravnarwani97) - Account takeover, OTP bypass, Password reset flaw - 12/04/2018
Taking over Google calendar of a company Daniel V. (@d4niel_v) - Subdomain takeover - 12/04/2018
How to accidentally find a XSS in ProtonMail iOS app SecuNinja (@secuninja) ProtonMail XSS - 12/04/2018
GitHub Desktop RCE (OSX) André Baptista (@0xACB) Github RCE - 12/04/2018
Digging in to SCP Command Injection Dylan Katz (@Plazmaz) JSch Command injection $0 12/03/2018
[BBP Series 3] Hijack the JS File of Uber’s Website Chaobin Zhang Uber JS file hijacking $6,000 12/03/2018
Remotely Hijacking Zoom Clients David Wells Zoom Logic flaw - 12/03/2018
Love Story Of A Account Takeover (Chaining Host Header Injection To Takeover Someones Account) Logical Bimboo - Host header injection - 11/30/2018
Story about my first bug bounty Sudhanshu Rajbhar (@sudhanshur705) Alibaba XSS $100 11/30/2018
Exploiting post message to steal and replace user’s cookies Yasser Gersy (@yassergersy) - postMessage bug - 11/30/2018
Story of Stored Xss Walid Hossain (@NoobWalid) - Stored XSS - 11/28/2018
Broken Authentication — Bug Bounty Vulnerables - Improper session management $50 11/28/2018
IRCTC — Millions of Passenger Details left at huge risk! Avinash Jain (@logicbomb_1) IRCTC Information disclosure, Lack of rate limiting $0 11/28/2018
Pwning eBay - How I Dumped eBay Japan’s Website Source Code David (@slashcrypto) Ebay .git folder disclosure, Source code disclosure $0, HoF 11/28/2018
Instagram Multi-factor authentication Bypass Vishnuraj Facebook 2FA bypass - 11/27/2018
Disclose contact_email of any Facebook application Amol Baikar (@AmolBaikar) Facebook Information disclosure - 11/27/2018
XSS on Facebook’s acquisition Oculus CDN Amol Baikar (@AmolBaikar) Facebook XSS $1,500 11/26/2018
XSS on Facebook-Instagram CDN Server bypassing signature protection. Amol Baikar (@AmolBaikar) Facebook XSS $1,500 11/26/2018
Facebook Source Code Disclosure in ads API Amol Baikar (@AmolBaikar) Facebook Source code disclosure - 11/26/2018
From CTFs to Bug Bounty Booty Benji Tobias Tailor Store Information disclosure $200 11/26/2018
XML XSS in *.yandex.ru by Accident Oktavandi (@0ktavandi) Yandex XSS $160 11/26/2018
My Journey To The Google Hall Of Fame Abartan Dhakal (@imhaxormad) Google Open redirect, XSS - 11/25/2018
Stored XSS Vulnerability in Jotform and H1C Private Site Anas Mahmood (@AnasIsHere) - Stored XSS $1,000 11/23/2018
Bypassing Scratch Cards On Google Pay Pratheesh P Narayanan Google Logic flaw $0 (Duplicate) 11/22/2018
Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read! Zain Sabahat (@Zain_Sabahat) - SSRF, LFI - 11/22/2018
An interesting XXE in SAP. Zain Sabahat (@Zain_Sabahat) SAP XXE - 11/22/2018
How i Found Information Disclosure on Scribd.com Zerb0a Scribd.com CSRF $0 11/22/2018
How I Hacked Netflix users & Use it free forever Blueberryinfosec (@bbinfosec) Netflix Cookie injection, Privilege escalation $0 11/19/2018
XS-Searching Google’s bug tracker to find out vulnerable source code Luan Herrera (@lbherrera_) Google XS-Search attack, Information disclosure $9,400 11/19/2018
Youtube - Open redirection Barak Tawily (@quitten11) Google Open redirect $0 (Informative) 11/19/2018
Authentication bypass in NodeJS application — a bug bounty story bl4de (@_bl4de) - Authentication bypass - 11/19/2018
XSS bypass using META tag in realestate.postnl.nl Prial Islam Khan (@prial261) post.nl XSS $0, HoF, Swag 11/18/2018
From Security Misconfiguration to Gaining Access of SMTP server Daniel V. (@d4niel_v) - Phpinfo file disclosure - 11/18/2018
Edmodo XSS Bug Sameer Phad (@sameerphad72) Edmodo XSS - 11/18/2018
Bypassing “How I hacked Google’s bug tracking system itself for $15,600 in bounties.” Gopal Singh (@gopalsinghcse) Google Logic flaw $3,133.70 11/17/2018
How I Managed to Create Unauthorized Comments on Facebook Live Stream Binit Ghimire Facebook Authorization flaw $750 11/16/2018
Microsoft BingPlaces Business - (url) Redirect Vulnerability Benjamin K.M. Microsoft Open redirect - 11/16/2018
XSS in hidden input fields Portswigger - XSS - 11/16/2018
[POC] Cross-Site Scripting on Garuda Indonesia Website Arif-ITSEC111 Garuda Indonesia XSS - 11/16/2018
HackenProof Customer Story: Uklon HackenProof (@hackenproof) Uklon XSS, IDOR, Blind XSS, Account takeover - 11/16/2018
Most common security vulnerabilities in npm static server modules bl4de (@_bl4de) Node.js third-party modules Path traversal, LFI, HTML injection, XSS - 11/16/2018
[email protected] Account Takeover via Cross site request forgery Adesh Nandkishor kolte (@AdeshKolte) [email protected] CSRF - 11/16/2018
Spoofing file extensions on HackerOne Anurag Jain (@csanuragjain) Hackerone Unrestricted file upload - 11/16/2018
Disclose Page Admins via Gaming Dashboard Bans Philippe Harewood (@phwd) Facebook Information disclosure - 11/15/2018
Facebook Vulnerability: Hiding from the view of Business Admin in the Business Manager Ritish Kumar Singh Facebook Logic flaw, Authorization flaw $500 11/15/2018
How I Discovered XSS that Affects around 20 Uber Subdomains Fady Othman (@Fady_Othman) Uber XSS $2,500 11/14/2018
Breaking Appointments and Job Interview Schedules With Malformed Times Max Pasqua Facebook DoS $500 11/14/2018
Spoof All Domains Containing ‘d’ in Apple Products [CVE-2018-4277] Tencent’s Xuanwu Lab Apple Browser flaw - 11/13/2018
OOB XXE in PrizmDoc (CVE-2018-15805) Nik srivastava PrizmDoc OOB XXE - 11/13/2018
[DOM based XSS] Or why you should not rely on Cloudflare too much KatsuragiCSL (@ZuuitterE) - DOM XSS - 11/13/2018
Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends Ron Masas Facebook CSRF, Information disclosure - 11/13/2018
Chain exploitation of XSS Mikhail Klyuchnikov (@__Mn1__) - DOM XSS, Clickjacking, CSRF - 11/12/2018
Clickjacking on Google MyAccount Worth 7,500$ Apapedulimu (@Apapedulimu) Google Clickjacking $7,500 11/11/2018
#bugbounty How I Takeover Microsoft Store. Sadiq West Microsoft Subdomain takeover $0, HoF 11/08/2018
Object name Exposure — ING Bank Responsible Disclosure Program Rohit kumar (@rohitcoder) ING Bank Information disclosure - 11/08/2018
How I earned 5040$ from Twitter by showing a way to Harvest other users IP address Prial Islam Khan (@prial261) Twitter Information disclosure $5,040 11/07/2018
Vine User’s Private information disclosure Prial Islam Khan (@prial261) Vine IDOR, Information disclosure $7,560 11/07/2018
WordPress Design Flaw Leads to WooCommerce RCE Simon Scannell Wordpress RCE - 11/06/2018
XSS in Dynamics 365 Tim Kent (@__timk) Microsoft XSS - 11/06/2018
Evernote For Windows Read Local File and Command Execute Vulnerabilities TongQing Zhu Evernote Stored XSS, LFI, RCE - 11/05/2018
Duplicate but still cool Plenum (@plenumlab) - IDOR, Account takeover - 11/05/2018
Unauthenticated RSFTP to Command Injection Nicodemo Gawronski - Path traversal, RCE - 11/03/2018
Full Account Takeover via Referer Header (OAuth token Steal, Open Redirect Vulnerability Chaining) Muhammad Asim Shahzad - Open redirect, OAuth token theft, Account takeover $1,200 11/03/2018
How Outdated JIRA Instances suffers from multiple security vulnerabilities? Yeasir Arafat Visma XSS, SSRF - 11/03/2018 Archived page
Imagemagick GIF coder vulnerability leads to memory disclosure (Hackerone) Kunal pandey (@kunalp94) Hackerone Imagemagick GIF $500 11/02/2018
Finding hidden gems vol. 3: quick win with .sh file Mateusz Olejarka (@molejarka) - Information disclosure, Github leak - 11/01/2018
P1 Like a Boss | Information Disclosure via Github leads to Employee Account Takeover | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Information disclosure, Github leak $1,500 11/01/2018 Archived page
Stored XSS in Bug Bounty KatsuragiCSL (@ZuuitterE) - Stored XSS - 11/01/2018
Bypass HackerOne 2FA requirement and reporter blacklist Japz Divino (@japzdivino) Hackerone Logic flaw, 2FA bypass, Authentication flaw $10,000 10/31/2018
It’s all in the detail: Email leak & Account takeover thanks to WayBackMachine & extensive knowledge about the program Zseano (@zseano) - Information disclosure, Authentication bypass, Account takeover - 10/30/2018
IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”} Plenum (@plenumlab) - IDOR $1,500 10/30/2018
Journey through Google referer leakage bugs. KL Sreeram (@kl_sree) Google Information disclosure, Referer leakage $4,633.7 10/28/2018
#BugBounty — How I was able to download the Source Code of India’s Largest Telecom Service Provider including dozens of more popular websites! Avinash Jain (@logicbomb_1) - .git folder disclosure, Source code disclosure - 10/27/2018
Privilege Escalation like a Boss Jay Jani (@JayJani007) - IDOR - 10/27/2018
How Misconfigured API leaked user private information? Yeasir Arafat - IDOR, Authorization flaw - 10/26/2018
A very useful technique to bypass the CSRF protection for fun and profit. Yeasir Arafat - CSRF - 10/26/2018
CSRF account takeover Explained Automated/Manual — Bug Bounty Vulnerables OpenMenu CSRF, Account takeover $250 10/26/2018
CSRF account takeover in a company worth 1B$ Vulnerables - CSRF, Account takeover $100 10/26/2018
Subdomain takeover dew to missconfigured project settings for Custom domain . Prial Islam Khan (@prial261) Flock Subdomain takeover - 10/25/2018
DoS on Facebook Android app using 65530 characters of ZERO WIDTH NO-BREAK SPACE. Rahul Kankrale (@RahulKankrale) Facebook DoS - 10/25/2018
SOAP- Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software Nik srivastava - XXE - 10/24/2018
Facebook hidden redirection vulnerability Ege Ken Facebook Open redirect $0 10/24/2018
XSS with HTML and how to convert the HTML into charcode() Arif-ITSEC111 Purinar Logistics XSS - 10/22/2018
Google sites and exploiting same origin policy Raushan Raj (@raushan_rajj) Google SOP bypass $3,133.70 10/22/2018
Cookie-based-injection XSS making exploitable with-out exploiting other Vulns Utkarsh Agrawal - XSS - 10/22/2018
Harvesting all private invites using leave program fast-tracked invitation and [email protected] email forwarding feature Japz Divino (@japzdivino) Hackerone Logic flaw $2,500 & Swag 10/22/2018
A possibility of Account Takeover in Medium Prashant Kumar (@notsoshant) Medium Account takeover, Logic flaw $0 10/20/2018
XSS with PUT in Ghost Blog Derek (@StackCrash) Ghost XSS - 10/19/2018
Add comment on a private Oculus Developer bug report Sarmad Hassan (@JubaBaghdad) Facebook IDOR, Authorization flaw - 10/18/2018
Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne Japz Divino (@japzdivino) Hackerone Logic flaw $12,500 10/17/2018
XXE in IBM’s MaaS360 Platform Cody Wass IBM XXE - 10/16/2018
Path traversal while uploading results in RCE Harsh Jaiswal (@rootxharsh) - Path traversal, RCE - 10/15/2018
Brave Browser Script Blocker Bypass Vulnerability Xiaoyin Liu Brave Software Script blocker bypass - 10/13/2018
Microsoft CSRF Vulnerability Adesh Nandkishor kolte (@AdeshKolte) Microsoft CSRF $500 10/12/2018
[Bug bounty | mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users Max (@iSecMax) Mail.ru Authentication bypass, Blind XSS - 10/12/2018
Magic XSS with two parameters Mahmood Shahabi (@m4shahab1) - XSS - 10/12/2018
Add description to Instagram Posts on behalf of other users - 6500$ Sarmad Hassan (@JubaBaghdad) Facebook IDOR $6,500 10/12/2018
Microsoft Edge Remote Code Execution Abdulrahman Al-Qabandi (@Qab) Microsoft RCE - 10/11/2018
Access to staging environment via User-Agent string Yasser Gersy (@yassergersy) - Authentication bypass - 10/10/2018 Archived page
Symantec Messaging Gateway authentication bypass Artem Kondratenko (@artkond) Symantec Authentication bypass - 10/10/2018
Payment bypass Pratik Yadav (@PratikY9967) - Payment bypass, Logic flaw INR 31000 (~ $442.73) 10/09/2018
Facebook Business Takeover Philippe Harewood (@phwd) Facebook Authorization flaw, Logic flaw $27,500 10/09/2018
Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR) Jon Bottarini (@jon_bottarini) New Relic IDOR $2,500 10/09/2018
DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More VPN Mentor (@vpnmentor) Tinder DOM XSS - 10/09/2018
Make any Unit in Facebook Groups Undeletable Sarmad Hassan (@JubaBaghdad) Facebook Logic flaw, IDOR, Authorization flaw - 10/09/2018
[Critical] Bypass CSRF protection on IBM Mohamed Sayed (@FlEx0Geek) IBM CSRF - 10/09/2018
Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com Jonathan Bouman (@JonathanBouman) LinkedIn Stored XSS $0, HoF 10/07/2018
My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY Ali Tütüncü (@alicanact60) - Reflected XSS, CSP bypass - 10/07/2018
Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study Abdelmoughite Eljoaydi Paypal Blind XXE - 10/05/2018
Clickjacking in Google Docs and Voice typing feature. Raushan Raj (@raushan_rajj) Google Clickjacking $2,337 10/05/2018
GoogleMeetRoulette: Joining random meetings Martin Vigo (@martin_vigo) Google Bruteforce, Logic flaw - 10/04/2018
An interesting Google vulnerability that got me 3133.7 reward. Ebrahem Hegazy (@Zigoo0) Google CSRF $3,133.7 10/04/2018
Persistent XSS (Unvalidated oEmbed) at Medium.com Jonathan Bouman (@JonathanBouman) Medium Stored XSS $100 10/04/2018
Exploiting an unknown vulnerability Abhishek Bundela (@abhibundela) - Logic flaw, Payment tampering - 10/03/2018
Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager Rohit kumar (@rohitcoder) Facebook Logic flaw, Information disclosure $3,000 10/03/2018
AWS takeover through SSRF in JavaScript Gwendal Le Coguic (@gwendallecoguic) - SSRF - 10/02/2018
Applying a small bypass to steal Facebook Session tokens in Uber Samuel (@saamux) Uber XSS, CSP bypass, OAuth flaw $2,000 10/02/2018
How i found Stored xss on your-domain.redacted.com Rudra Sarkar (@rudr4_sarkar) - XSS $0 10/02/2018
Collecting Shells by the Sea of NAS Vulnerabilities Rick Ramgattie (@RRamgattie) Lenovo OS command injection, XSS, CSRF - 10/01/2018
Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps Mohamed Haron (@m7mdharon) Shopify Subdomain takeover - 10/01/2018 Archived page
Google Stored XSS in Payments Barış Sağdıç (@brsgdc) Google Stored XSS - 10/01/2018
How I was able to takeover account’s of an Earning App Abbas Wafa - Information disclosure $0 10/01/2018
Hacking the Subway Android app Wesley Gahr (@wesley_gahr) Subway Logic flaw, Authorization flaw - 09/28/2018
IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent Divyanshu Shukla Confluent IDOR, Content spoofing, Open redirect - 09/28/2018
Just another tale of severe bugs on a private program. Siva Krishna Samireddi (@le4rner) - Open redirect, SSRF, IDOR, Logic flaw $1,623 09/28/2018
#BugBounty — From finding Jenkins instance to Command Execution.Secure your Jenkins Instance! Avinash Jain (@logicbomb_1) - RCE, Exposed Jenkins instance - 09/27/2018
Thick Client — Attacking databases the fun/easy way Richard Clifford - Thick client flaw, Credentials sent over unencrypted channel - 09/26/2018
Arbitrary File Read in one of the largest CRMs Richard Clifford - LFI - 09/26/2018
[XSS] survey.dropbox.com Kumar Dropbox XSS $0 09/25/2018
Weaponizing XSS Attacking Internal System Rahul R - Blind XSS - 09/25/2018
Subdomain Takeover via Unsecured S3 Bucket Connected to the Website Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Subdomain takeover - 09/24/2018 Archived page
Responsible disclosure: retrieving a user’s private Facebook friends. Riccardo Padovani (@rpadovani93) Facebook Logic flaw, Authorization flaw, Information disclosure $3,000 09/23/2018
How I XSS’ed Uber and Bypassed CSP Efkan (@mefkansec) Uber Reflected XSS $2,000 09/22/2018
R-XSS -> CSRF bypass to account takeover/ Nirmal Dahal (@TheNittam) - Reflected XSS, CSRF bypass - 09/21/2018
Bypassing Firebase authorization to create custom goo.gl subdomains Thomas Orlita (@ThomasOrlita) Google Logic flaw, IDOR - 09/21/2018
Another XSS in Google Colaboratory Michał Bentkowski (@securitymb) Google XSS - 09/20/2018
Shopify Athena Bug Uranium238 (@uraniumhacker) Shopify Authorization flaw, Information disclosure - 09/20/2018
Local file inclusion at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea LFI $250 09/19/2018
Bypassing Authentication Using Javascript Debugger. Mohit Dabas (@mohitdabas08) - Authentication bypass - 09/18/2018
How i bypassed AKAMAI KONA WAF , XSS in overstock.com ! Oktavandi (@0ktavandi) Overstock.com XSS - 09/18/2018
Facebook $750 Reward for a Simple Bug Aman Shahid (@amansmughal) Facebook Authentication bypass, Logic flaw $750 09/18/2018
Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution ) Armaan Pathan (@armaancrockroax) - LFI, Unrestricted File Upload, RCE - 09/18/2018
Reflected XSS at Philips.com Jonathan Bouman (@JonathanBouman) Philips Reflected XSS - 09/17/2018
XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites Randy Westergren (@RandyWestergren) Google XSS $0 09/17/2018
Vertical escalation of privileges Leading to Sensitive Data Exposure Umair Ahmed (@u_ahmedofficial) - Bruteforce, IDOR, Authorization flaw - 09/16/2018
User Account takeover in India’s largest digital business company Minali Arora (@AroraMinali) - Account takeover, OTP bypass - 09/16/2018
IDOR User Account Takeover By Connecting My Facebook Account with victims Account Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook IDOR $1,200 09/16/2018 Archived page
Persistent Cross-Site Scripting on redacted worth $2,000 Muhammad Asim Shahzad - Stored XSS $2,000 09/15/2018
How I hijacked your account when you opened my cat picture Matti Bijnens (@MattiBijnens) - Logout CSRF - 09/14/2018
Hacking your own antivirus for fun and profit (Safe browsing gone wrong) Martin Thirup Christensen (@Mthirup) Bullguard Reflected XSS $0 09/14/2018
Subdomain Takeover worth 200$ Ali Razzaq (@AliRazzaq_) Netlify Subdomain takeover $200 09/14/2018
Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html Daniel Maksimovic Silver Gold Bull DOM XSS, Clickjacking - 09/13/2018
Subdomain Takeover via Campaignmonitor Mohamed Haron (@m7mdharon) Campaign Monitor Subdomain Takeover $900 09/11/2018 Archived page
Open-Redirect Vulnerability in udacity.com Anil Tom (mr_4nk) Udacity Open redirect $0, Swag 09/11/2018
Hacking a Crypto Debit Card Service Muhammad Abdullah Plutus SQL injection - 09/11/2018
XXE at Bol.com Jonathan Bouman (@JonathanBouman) Bol.com XXE $500 (voucher) 09/11/2018
How to do 55.000+ Subdomain Takeover in a Blink of an Eye BuckHacker (@thebuckhacker) Shopify Subdomain takeover - 09/10/2018
Authentication Bypass Using SQL Injection AutoTrader Webmail – Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) AutoTrader SQL injection - 09/10/2018 Archived page
Stored XSS Vulnerability in H1C Private site Anas Mahmood (@AnasIsHere) - Stored XSS $900 09/09/2018
Making the Facebook app more secure - $8500 bounty Ashley King (@AshleyKingUK) Facebook Open redirect $8,500 09/09/2018
ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) ZOL Zimbabwe XSS, SQL injection - 09/09/2018 Archived page
How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website) Muhammad Asim Shahzad - Open redirect - 09/09/2018
Disclosure of Facebook Page Admin due to insecure tagging behavior Aj Dumanhug (@ajdumanhug) Facebook Information disclosure, Logic flaw - 09/09/2018
Stored XSS Vulnerability in Tumblr Anas Mahmood (@AnasIsHere) Automattic (Tumblr) Stored XSS $1,000 09/08/2018
Reflected XSS in Google Code Jam Thomas Orlita (@ThomasOrlita) Google Reflected XSS - 09/08/2018
SQL Injection Vulnerability bootcamp.nutanix.com | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Nutanix SQL injection $0, Swag 09/08/2018 Archived page
LFI to 10 servers pwn Nirmal Dahal (@TheNittam) - LFI - 09/07/2018
Bypassing Hotstar Premium with DOM manipulation and some JavaScript OpSecX Hotstar Logic flaw, Payment bypass $0 09/07/2018
RCE Unsecure Jenkins Instance | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - RCE $0 09/07/2018 Archived page
Write-up - Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS MaiL app Omar Espino (@omespino) Yahoo! Stored XSS $3,500 09/07/2018
Simple Login Brute Force / Current Password Requirement Bypass Mandeep Jadon (@1337tr0lls) - IDOR, Account takeover, Bruteforce - 09/07/2018
#BugBounty — How Naaptol (India’s popular home shopping company) Kept their Millions of User Data at Risk! Avinash Jain (@logicbomb_1) Naaptol IDOR - 09/07/2018
How I could download the source code of an Indian e-commerce website!! Minali Arora (@AroraMinali) - File disclosure, Source code disclosure - 09/05/2018
P1 Vulnerability in 60 seconds @Wh11teW0lf - Information disclosure, File disclosure $1,500 09/05/2018
Facebook Bug Bounty! {Permission Bug} Ali Tütüncü (@alicanact60) Facebook Authorization flaw, Logic flaw $750 09/05/2018
Admin Disclosure of Facebook Business all Pages by normal employees: Kamal Facebook Information disclosure $0 09/02/2018
How I could have launched a spear phishing campaign with Starbucks email servers Kyle (@b3nac) Starbucks Host header injection $150 09/01/2018
Send request to Martians. Earthlings are already your friends. Sagar VD Google CSRF - 09/01/2018
I Own Your Customers !!! Muhammad Abdullah - Information disclosure, Hardcoded credentials, AWS flaw - 09/01/2018
Pwned Together: Hacking dev.to Antony Garand Dev.to Stored XSS $150, HoF 08/31/2018
$100 Bounty in 300 seconds isn’t bad !!! Rohan Chavan (@rohanchavan1918) Zoho Stored XSS $100, HoF 08/31/2018
Reflected XSS in Django REST Framework Api at MapBox Subdomain Mohamed Haron (@m7mdharon) Mapbox Reflected XSS $500 08/29/2018 Archived page
Finding hidden gems vol. 2: REAMDE.md, the story of a bit too helpful readme file Mateusz Olejarka (@molejarka) - Information disclosure, Github leak $0 08/29/2018
A Infinite Loop Story. Ashish Kunwar (@D0rkerDevil) - DoS $100 08/29/2018
A $1000 Bounty Gaurav Narwani (@gauravnarwani97) - Information disclosure $1,000 08/28/2018 Archived page
Reflected Swf XSS at ( https://plugins.svn.wordpress.org ) Mohamed Haron (@m7mdharon) Wordpress Swf XSS, Reflected XSS $350 08/28/2018 Archived page
How i found a 1500$ worth Deserialization vulnerability Ashish Kunwar (@D0rkerDevil) - Misconfigured JSF ViewState, Java deserialization $1,500 08/28/2018
IDOR FACEBOOK: malicious person add people to the “Top Fans” Jafar Abo Nada Facebook IDOR - 08/28/2018
Traversing the Path to RCE hawkinsecurity - Path traversal, RCE $0 08/27/2018
Uber Bug Bounty: 1000$ for two “high severity” issue Peuch Uber Information disclosure, Github leak $1,000 08/27/2018
Open Redirection negative Wibes Pleio Open redirection - 08/26/2018
My first valid xss(@Hackerone) Jatin Aesthetic (@techyfreakk) - XSS $100 08/25/2018
Remote Code Execution on a Facebook server Daniel Le Gall (@Blaklis_) Facebook RCE $5,000 08/24/2018
Privileged Escalation in Facebook Messenger Rooms Jafar Abo Nada Facebook Privilege escalation, IDOR - 08/24/2018
SQL Injection Vulnerability In University Of Cambridge Adesh Nandkishor kolte (@AdeshKolte) Cambridge SQL injection - 08/24/2018
Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org Thomas Orlita (@ThomasOrlita) Webcomponents.org Stored XSS - 08/23/2018
API key: The real goldmine Yumi - Information disclosure - 08/19/2018
Privileged Escalation in Facebook Messenger Rooms Jafar Abo Nada (@Jafar_Abo_Nada) Facebook Authorization flaw, Privilege escalation - 08/18/2018
User credential are sent in clear text in Whatsapp web— FIXED | Facebook Bug Bounty Thuvarakan Nakarajah Facebook (WhatsApp) Credentials sent over HTTP - 08/18/2018
YAHOO IDOR -elimination of any comment Bada Diaz (@bada77) Yahoo IDOR - 08/17/2018
3 Minutes & XSS! Ashish Jha Edmodo XSS - 08/17/2018
IDOR leads to account takeover @s0cket7 - IDOR - 08/16/2018
ICloud.com DOM-Based XSS! #BugBounty Musab Alhussein Apple DOM XSS $0, HoF 08/14/2018
Another “TicketTrick” story Uranium238 (@uraniumhacker) Uber Logic flaw, TicketTrick - 08/14/2018
XSS at Hubspot and XSS in email areas. Friendly (@SkeletorKeys) Hubspot, [Private program] XSS $450 08/13/2018
IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo Aagam shah (@neutrinoguy) Edmodo IDOR - 08/12/2018
Distorted and Undeletable Posts in Facebook Group Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw, Logic flaw - 08/12/2018
How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System Orange Tsai (@orange_8361) Amazon RCE - 08/11/2018
S3 Bucket Misconfiguration in Amazon Divyanshu Shukla Amazon AWS flaw $0 08/11/2018
Adminer Script Results to Pwning Server?, Private Bug Bounty Program Yasho (@YShahinzadeh) - Authentication bypass - 08/11/2018
Misconfigured JIRA setting - Apigee Tutorgeeks Google, Jira Information disclosure - 08/10/2018 Archived page
[Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to Access control issue and Information Disclosure of role privileged users. Peerzada Fawaz Ahmad Qureshi (@zk34911) Twitter Authorization flaw, Information disclosure $280 08/10/2018
Subdomain Takeover: Yet another Starbucks case Patrik Hudak Starbucks Subdomain takeover $2,000 08/09/2018
From TOMCAT to NT AUTHORITY\SYSTEM Rahul R - Default credentials - 08/09/2018
My Disclosed Report about Basic auth Api details at Reverb.com Mohamed Haron (@m7mdharon) Reverb Information disclosure $100 08/09/2018 Archived page
This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs Carlos Daniel Giovanella HackerOne, Sentry Logs flooding and falsification $0 08/09/2018
My First Critical Report Miguel Corral (@mcorral74) - Password reset flaw, Account takeover $2,500 08/08/2018
How I hacked a Crypto Exchange (Bug Bounty Writeup) Muhammad Abdullah - IDOR - 08/07/2018
From data leak to account takeover Antony Garand - Account takeover, Information disclosure, Password reset flaw - 08/07/2018
How I gained commit access to Homebrew in 30 minutes Eric Holmes (@vesirin) Homebrew Information disclosure - 08/07/2018
Sending out phishing e-mails from @microsoft.com @si9int Microsoft HTML injection $0 08/07/2018
Unauth meetings access Uranium238 (@uraniumhacker) Google Authorization flaw, Logic flaw - 08/06/2018
Self XSS leads to blind XSS and reflected XSS. Friendly (@SkeletorKeys) - Blind XSS, Reflected XSS $700 08/06/2018
Reflected XSS Primagames.com Friendly (@SkeletorKeys) Prima Games Reflected XSS - 08/06/2018
My First Swag Pack : A Logical Bug on Edmodo Abartan Dhakal Edmodo Logic flaw $0, Swag 08/05/2018
Stored XSS in GameSkinny Friendly (@SkeletorKeys) GameSkinny Stored XSS - 08/03/2018
Blind-XSS in Chrome Experiments - Google (Write Up) Evan Ricafort (@evanricafort) Google Blind XSS $100 08/03/2018
#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company Avinash Jain (@logicbomb_1) Paytm IDOR - 08/03/2018
Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375) Daniel Kachakil Google Privilege escalation, Android flaw - 08/01/2018
Exploiting a Microsoft Edge Vulnerability to Steal Files Ziyahan Albeniz Microsoft SOP bypass - 08/01/2018
Shipt Subdomain TakeOver via HeroKu ( test.shipt.com ) Mohamed Haron (@m7mdharon) Shipt Subdomain takeover - 08/01/2018 Archived page
Disclose Facebook Internal Server Information With A Strange Poll Jane Manchun Wong (@wongmjane) Facebook Logic flaw - 08/01/2018
CRLF Injection Into PHP’s cURL Options TomNomNom - CRLF injection - 08/01/2018
How I could access your internal servers, steal and modify your image repository PoC || GO - RCE - 07/31/2018
Hacking Imgur for Fun and Profit Nathan (@NathOnSecurity) Imgur Outdated component with a known vulnerability, Information disclosure $5,500 07/29/2018
18th Acknowledgement From Microsoft Muhammad Muhaddis Microsoft IDOR $0, HOF 07/29/2018
Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty) Brian Hyde Yahoo XSSI $750 07/29/2018
Microsoft Office 365 Stored XSS @Pethuraj Microsoft Stored XSS $0, HOF 07/29/2018
Making a Blind SQL Injection a Little Less Blind TomNomNom - SQL injection - 07/28/2018
Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features Ameer Assadi Binary.com Clickjacking - 07/28/2018
How I found XSS on Amazon? Coding_Karma Amazon XSS $0 07/26/2018
Exfiltration via CSS Injection d0nut - CSS injection - 07/25/2018
SQL Injection and A silly WAF Mahmoud Gamal (@Zombiehelp54) - SQL injection - 07/25/2018
Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716] Sebastian (ha.cker.info) Private program, SEOmatic CMS plugin SSTI - 07/24/2018
Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again Michał Bentkowski (@securitymb) Google Open redirect $7,500 07/24/2018
Finding hidden gems vol. 1: forging OAuth tokens using discovered client id and client secret Mateusz Olejarka (@molejarka) - Information disclosure $3,133.7 07/23/2018
IDOR FACEBOOK: malicious person add people to the “Top Fans” Jafar Abo Nada (@Jafar_Abo_Nada) Facebook IDOR - 07/21/2018
Unclaimed Medium Publication takeover in WeTransfer Prial Islam Khan (@prial261) WeTransfer Medium publication takeover $100 07/21/2018
Google Assistant Bug Worth $3133.7 ! Circle Ninja (@circleninja) Google Reflective XSS $3,133.7 07/21/2018
RCE due to ShowExceptions Harsh Jaiswal (@rootxharsh) - RCE, Information disclosure, Debugging enabled $5,000 07/20/2020
Into the Borg – SSRF inside Google production network Enguerran Gillier (@opnsec) Google SSRF $13,337 07/20/2018
The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet François Proulx EOSIO DNS rebinding - 07/19/2018
RCE on Yahoo Luminate Rojan Rijal (@uraniumhacker) Yahoo RCE - 07/19/2018
How I was able to delete 13k+ Microsoft Translator projects Haider Mahmood Microsoft CSRF, IDOR $0 07/19/2018
Hey Developer, Give me your API keys.!! Devansh batham Crowdin Information disclosure Swag, HoF 07/18/2018
Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw, Logic flaw - 07/18/2018
Hacking thousands of companies through their helpdesk Khaled Hassan - Account takeover, DoS, Logic flaw - 07/17/2018
CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation Charles Fol (Ambionics Security) PrestaShop Privilege escalation, Improper session management - 07/16/2018
WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?] Omar Espino (@omespino) Facebook Blind Stored XSS - 07/16/2018
Attacking PostgreSQL Database Vishnuraj - Bruteforce, Weak credentials - 07/16/2018
Bug Bounty at Bangladeshi Site. Shaifullah Shaon - SQL injection BDT 10,000 (~ $120) 07/15/2018
Should this be public though? Rojan Rijal (@uraniumhacker) Shopify, Uber Information disclosure $500 07/13/2018
XSS in Microsoft subdomain Sudhanshu Rajbhar (@sudhanshur705) Microsoft XSS - 07/13/2018
The tradeRifle Vulnerability Identified in LBank Mobile Service (CVE-2018-13363) PeckShield LBank MiTM - 07/12/2018
Gsuite Hangouts Chat 5k IDOR Cam (@SecretlyHidden1) Google IDOR $5,000 07/10/2018
Persistent XSS at AH.nl Jonathan Bouman (@JonathanBouman) AH.nl Stored XSS $200 07/09/2018
#BugBounty - Compromising User Account- “How I was able to compromise user account via HTTP Parameter Pollution(HPP)” Avinash Jain (@logicbomb_1) - HTTP Parameter Pollution, Password reset flaw, Account takeover - 07/07/2018
Server Side Request Forgery on Vanilla Forums Vikash Chaudhary Vanilla Forums SSRF - 07/07/2018
Latex to RCE, Private Bug Bounty Program Yasho (@YShahinzadeh) - RCE - 07/06/2018
The $12,000 Intersection between Clickjacking, XSS, and Denial of Service Sam Curry (@samwcyo) Bustabit Clickjacking, XSS, DoS $12,000 07/04/2018
Chaining Multiple Vulnerabilities to Gain Admin Access Ben Sadeghipour (@nahamsec) - IDOR, Account takeover - 07/02/2018
Bug Bounty: Tumblr reCAPTCHA vulnerability write up Leigh-Anne Galloway (@L_AGalloway) Automattic (Tumblr) reCAPTCHA bypass, email enumeration, username enumeration - 06/29/2018
Authentication bypass in Cisco Meraki Ameya (@iamTakeMyHand) Cisco Meraki Authentication bypass - 06/29/2018
This popular Facebook app publicly exposed your data for years Inti De Ceukelaire (@securinti) Facebook, Nametests.com Information disclosure, Authorization flaw $4,000 06/28/2018
Take Advantage of Out-of-Scope Domains in Bug Bounty Programs Abdullah Hussam (@Abdulahhusam) - XSS $1,250 06/27/2018
How re-signing up for an account lead to account takeover @zseano - Logic flaw, Account takeover - 06/26/2018
Subdomain Takeover: Starbucks points to Azure Patrik Hudak Starbucks Subdomain takeover $2,000 06/25/2018
Account Take over via reset password Yasser Gersy (@yassergersy) - Password reset flaw, Account takeover $1,500 06/25/2018 Archived page
How I got access to local AWS info via Jira Coen Goedegebure - SSRF - 06/24/2018
Fastest Fix on Open Bug Bounty Platform Wen Bin KONG Kevag Telekom GmbH Reflected XSS, CSRF - 06/24/2018
How I hacked Apple.com (Unrestricted File Upload) Jonathan Bouman (@JonathanBouman) Apple Unrestricted file upload - 06/22/2018
XSS in Google Colaboratory + CSP bypass Michał Bentkowski (@securitymb) Google XSS, CSP bypass - 06/21/2018
Using a GitHub app to escalate to an organization owner for a $10,000 bounty Tanner Github Authorization flaw, IDOR $10,000 06/20/2018
Setting arbitrary request headers in Chromium via CRLF injection Michał Bentkowski (@securitymb) Google CRLF injection - 06/20/2018
I discovered a browser bug Jake Archibald Mozilla, Microsoft Browser bug, Range requests flaw - 06/20/2018
[Responsible disclosure] How I could have booked movie tickets through other user accounts Bharathvaj Ganesan AGS Cinemas Password reset flaw, Account takeover, Bruteforce, OTP bypass - 06/18/2018
How i found blind XSS in Apple Taha Smily Apple Blind XSS - 06/18/2018
Reflected Client XSS at Amazon.com Jonathan Bouman (@JonathanBouman) Amazon Reflected XSS $0 06/15/2018
Yay! 3133.70$ for RCE on *.withgoogle.com subdomain. lalka (@0x01alka) Google RCE $3,133.70 06/15/2018
Password reset to full account takeover Hamza Bettache - Password reset flaw, Account takeover - 06/15/2018
Reflected XSS in 360totalsecurity Taha Smily 360totalsecurity Reflected XSS - 06/14/2018
The 2.5 BTC Stored XSS Khaled Hassan - Stored XSS 2.5 BTC 06/13/2018
How I got paid premium plan for free on many popular websites Khaled Hassan - Logic flaw - 06/13/2018
Vulnerability Netflix (cross-site-scripting) XSS Bada Diaz (@bada77) Netflix Reflected XSS - 06/13/2018
Unvalidated Open Redirect Bol.com Jonathan Bouman (@JonathanBouman) bol.com Open redirect $100 in gift cards 06/12/2018
Full account Takeover via reset password function Khaled Hassan - IDOR, Account takeover, Password reset flaw $1,250 06/12/2018
Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution Jake Miller Google CSV injection, Server side spreadsheet injection, Formula injection, RCE - 06/11/2018
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL Darrell Damstedt - XXE $0 06/11/2018
[PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique. Ayoub Ait Elmokhtar Paypal CSRF - 06/10/2018
Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper Matthew Bryan Steam Inventory Helper Chrome extension DOM XSS, UXSS, Clickjacking - 06/08/2018
How I was able to list some internal information from PayPal #BugBounty Adrien Jeanneau Paypal Expression Language Injection (JSTL), Information disclosure $0 06/07/2018
How I found XSS via SSRF vulnerability -Adesh Kolte Adesh Nandkishor kolte (@AdeshKolte) CERT-EU, Motorola, Stanford SSRF, XSS $750 06/07/2018
#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection. Avinash Jain (@logicbomb_1) - SQL injection - 06/06/2018
Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0 Daniel Svartman OAuth Logic flaw - 06/05/2018
Searching for XSS found LDAP injection Davide Tampellini - LDAP injection - 06/05/2018
Are you sure this is a trusted email? Khaled hassan - Open mail relay $900 06/05/2018
Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected) Matthew Bryan Read&Write Chrome extension SOP bypass - 06/05/2018
How I Hacked Fotor & Got “Nothing” Somdev Sangwan (s0md3v) Fotor SSRF, RFI $0 06/01/2018 Archived page
Getting PHP Code Execution and leverage access to panels,databases,server Shawar Khan (@ShawarkOFFICIAL) - Code execution - 06/01/2018
How i converted SSRF to XSS in Jira. Ashish Kunwar (@D0rkerDevil) - SSRF, XSS $50 06/01/2018
How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte Adesh Nandkishor kolte (@AdeshKolte) AT&T RCE, Clickjacking, XSS, Same Origin Method Execution $750 06/01/2018
#Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay Raghavendra Reddy - Parameter tampering - 05/31/2018
Reflected XSS in Yahoo Subdomain ( hk.movies.yahoo.com ) Mohamed Haron (@m7mdharon) Yahoo! Reflected XSS - 05/30/2018 Archived page
5k$ for path traversal on *.paypal-corp.com subdomain lalka (@0x01alka) Paypal Path traversal $5,000 05/30/2018
Account Takeover and Blind XSS! Go Pro, get Bugs! Tabahi (@_tabahi) - IDOR, Stored XSS, Account takeover, Blind XSS $3,500 05/30/2018
How I found 5 store XSS on a private program. Each worth “1,016.66$” Shahzad Sadiq - Stored XSS $5,083.3 05/30/2018
How I got hall of fame in two fortune 500 companies — An RCE story… Alfie - RCE - 05/29/2018
How i was able to get admin panel on a private program Shahzad Sadiq - Weak credentials $1,500 05/29/2018
reCAPTCHA bypass via HTTP Parameter Pollution Andres Riancho Google HTTP parameter pollution, reCAPTCHA bypass $500 05/28/2018
Persistent XSS to Steal Passwords – Paypal Akhil Reni Paypal Stored XSS - 05/26/2018
Simple IDOR to reject a to-be users invitation via their notification Abss TBH @abss_tbh WePay IDOR - 05/24/2018
How I was able to see any private album passwrod in Picturepush — IDOR Murtada Kamil PicturePush IDOR - 05/23/2018
#BugBounty — ”How I was able to hack any user account via password reset?” Bikash Gupta - IDOR, Account takeover, Password reset flaw - 05/23/2018
RCE by uploading a web.config 003random - RCE - 05/22/2018
AWS Security Flaw which can grant admin access! Sharath AV Amazon Authorization flaw - 05/22/2018
Getting read access on Edmodo Production Server by exploiting SSRF Shawar Khan (@ShawarkOFFICIAL) Edmodo SSRF - 05/21/2018
Self-XSS + CSRF to Stored XSS Renwa (@RenwaX23) - Self XSS, CSRF, Stored XSS - 05/20/2018
$36k Google App Engine RCE Ezequiel Pereira (@epereiralopez) Google RCE $36,337 05/20/2018
Fastest Fix on Open Bug Bounty Platform Wen Bin KONG Kevag Telekom GmbH XSS, CSRF - 05/19/2018
How i got 100$ from one private website Aayush Pokhrel (@aayushpok) - Information disclosure $100 05/19/2018
How i HACKED admin account via password reset IDOR function of one private currency exchanger site Aayush Pokhrel (@aayushpok) - IDOR, Password reset flaw, Account takeover - 05/19/2018
Stored XSS in Yahoo and all subdomains! Hakim Bencella Microsoft Stored XSS $1,500 05/19/2018
Xss in Microsoft hacker_eth Microsoft XSS - 05/18/2018
How I was able to get subscription of $120/year For Free Muhammad Khizer Javed / babayaga47 (@khizer_javed47) wetransfer.com Payment bypass $500 05/18/2018
Whatsapp- DOS vulnerability on Android/iOS/Web Pratheesh P Narayanan Facebook DoS $500 05/15/2018
HSTS Bypass Vulnerability in IE Preview Xiaoyin Liu Microsoft HSTS bypass $0 05/15/2018
How I used a simple Google query to mine passwords from dozens of public Trello boards Kushagra Pathak Trello Authorization flaw, Information disclosure $0 05/09/2018
Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS Honc (@honcbb) Trend Micro DOM XSS $0, HoF 05/08/2018
Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability Mohamed A. Baset Asus Authorization flaw, Information disclosure - 05/08/2018
A Five Minute SQL-I Ashish Jha - SQL injection - 05/06/2018
How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program Hariom Vashisth - Price manipulation, Parameter tampering $0 05/05/2018
$4500 bounty - How I got lucky Eray Mitrani - Subdomain takeover $4,500 05/03/2018
Disclose Private Video Thumbnail from Facebook WorkPlace Sarmad Hassan (@JubaBaghdad) Facebook IDOR $3,000 05/03/2018
Stealing money from one account to another account Ajay Gautam (@evilboyajay) - Logic flaw - 05/02/2018
Story Of a Stored XSS Bypass Prial Islam Khan (@prial261) Zerocopter Open redirect - 04/30/2018
Multiple security vulnerabilities in domains belonging to Google Sysdreams Google Broken access control, Directory traversal, Stored XSS - 04/30/2018
How I found 2.9 RCE at Yahoo! Bug Bounty program Kedrisec (@kedrisec) Yahoo RCE - 04/30/2018
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! Avinash Jain (@logicbomb_1) - RCE - 04/29/2018
Reflected XSS on Stack Overflow ssid (@newp_th) Stack Overflow Reflected XSS - 04/27/2018
Stored XSS in Yahoo! Shahzada AL Shahriar Khan Yahoo Stored XSS $2,000 04/27/2018
Bypassing the Confirmation Email for Newsletter (bof.nl) Mohammed Israil (@mdisrail2468) Bits of Freedom Authorization flaw, IDOR $0, Swag 04/26/2018
How I earned 60K+ from private program Siva Krishna Samireddi (@le4rner) - Open redirect, subdomain takeover, XSS, HTTP parameter pollution 60,000 INR (approx. $880) 04/25/2018
The Unknown Hero-App Logic Bugs Circle Ninja (@circleninja) Canva Logic flaw - 04/25/2018
XSS “403 forbidden” bypass write up Nur A Alam Dipu - XSS - 04/25/2018
How we got LFI in apache Drill (Recon like a boss) gujjuboy10x00 (@vis_hacker) - LFI - 04/23/2018
DOM XSS in Google VRView library Federico Fazzi Google DOM XSS $3,133.7 04/23/2018
Three Cases, Three Open Redirect Bypasses Mohammed Eldeeb (@malcolmx0x) - Open redirect - 04/22/2017
Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal YoKo Kho (@YoKoAcc) Paypal Stored XSS - 04/21/2018
Story Of a Stored XSS Bypass Prial Islam Khan (@prial261) - Stored XSS - 04/21/2018
#BugBounty — ”Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company. Avinash Jain (@logicbomb_1) - LFI, RCE - 04/19/2018
Bypassing the Current Password Protection at PayPal TechSupport Portal YoKo Kho (@YoKoAcc) Paypal Authorization flaw, Account takeover - 04/19/2018
Google Bug: Posting on groups as any user’s behalf ssid (@newp_th) Google Email spoofing $0 04/18/2018
Whatsapp user’s IP disclosure with Link Preview feature Rahul Kankrale (@RahulKankrale) Facebook Information disclosure $0 (won’t fix) 04/18/2018
Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile YoKo Kho (@YoKoAcc) Ribose IDOR - 04/18/2018
How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program YoKo Kho (@YoKoAcc) - IDOR - 04/18/2018
IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks YoKo Kho (@YokoAcc) - IDOR - 04/17/2018
How I got stored XSS using file upload gujjuboy10x00 (@vis_hacker) - Stored XSS - 04/17/2018
From an error message to DB disclosure Yumi - Hardcoded credentials - 04/17/2018
Spoof an user to create a description of a group in Flickr Samuel (@saamux) Yahoo (Flickr) IDOR - 04/16/2018
Bypassing Captcha Like a Boss Ak1T4 (@akita_zen) - Captcha bypass $xxx 04/16/2018
#SecurityBreach — ”How I was able to book hotel room for 1.50₹!” Hariom Vashisth - CORS flaw - 04/15/2018
Bypass CSP by Abusing XSS Filter in Edge Xiaoyin Liu Microsoft CSP bypass $1,500 04/15/2018
How I hacked companies related to the crypto currency and earned $60,000 Max (@iSecMax) okex.com, livecoin.net, [private program] Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection $59,400 04/14/2018
How I bypassed Ebay process on redirect Mohamed Sayed (@FlEx0Geek) Ebay Open redirect $0 04/13/2018
Hijacking User’s Private Information access_token from Microsoft Office360 facebook App Mohamed A. Baset Microsoft Logic flaw $0 04/13/2018
Please email me your password Jasmin Laundry - Blind XSS, Blind SQL injection, SMTP header injection, Account takeover - 04/11/2018 Archived page
How I broke into Google Issue Tracker Abhishek Bundela (@abhibundela) Google Logic flaw, Authorization flaw $0 04/10/2018
Source Code Analysis in YSurvey — Luminate bug Rojan Rijal (@uraniumhacker) Yahoo Authentication bypass, Authorization flaw, SQL injection - 04/10/2018
Piercing the veil: Server Side Request Forgery to NIPRNet access Alyssa Herrera (@Alyssa_Herrera_) DoD SSRF - 04/09/2018
Stealing HttpOnly Cookie via XSS Yasser Gersy (@yassergersy) - XSS - 04/08/2018 Archived page
Reflected XSS on www.zomato.com By Mustafa Hasan Mohamed Haron (@m7mdharon) Zomato Reflected XSS $100 04/07/2018 Archived page
“Exploiting a Single Parameter” Hisham Mir (@Hishammir1) - SSRF, XSS $2,500 04/06/2018
Link injection on 2 Twitter Subdomain Mohamed Haron (@m7mdharon) Twitter Link injection $280 04/01/2018 Archived page
Avinash Jain (@logicbomb_1) - IDOR - 04/05/2018
How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for serious XSS vulnerability :( Satyendra Shrivastava Udemy XSS, HTML injection - 04/05/2018
Facebook BugBounty: Intercept incoming friend requests of Victim add/accept to your facebook account Family guy Facebook Authorization flaw - 04/02/2018
My Best Small Report Bounty Report in Private Program ( Django REST framework Admin Login ByPass ) Mohamed Haron (@m7mdharon) - SQL injection, Auth bypass, Account takeover $2,000 04/01/2018 Archived page
XSS in Yahoo Subdomain Mohamed Haron (@m7mdharon) Yahoo! Flash XSS $600 03/31/2018 Archived page
XSS In sports.tw.campaign.yahoo.net Mohamed Haron (@m7mdharon) Yahoo! Reflected XSS - 03/31/2018 Archived page
How I hacked one cryptocurrency service Valeriy Shevchenko (@Krevetk0Valeriy) PayKassa Blind XSS, Reflected XSS, CSRF $300 03/31/2018
How I Could Have Promoted Any Facebook Page For Free. Anees Khan Facebook Logic flaw $0 03/30/2018
View Insights for Any Facebook Marketplace Product Jane Manchun Wong (@wongmjane) Facebook Authorization flaw - 03/29/2018
Creating Test Conversion using any App Joshua Regio Facebook Web parameter tampering $3,000 03/27/2018
Google bug bounty for security exploit that influences search results Tom Anthony (@TomAnthonySEO) Google Logic flaw $5,000 03/27/2018
Reflected XSS Moogaloop SWF ( Version < 6.2.x ) Mohamed Haron (@m7mdharon) Vimeo Flash XSS, Reflected XSS - 03/26/2018 Archived page
Misconfiguration of Demographics Privacy in a Page Mark Christian Deduyo Facebook Logic flaw $750 03/26/2018
#BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) Avinash Jain (@logicbomb_1) BookMyShow Host header attack, IDOR - 03/25/2018
Hacking Oracle in 5 Minutes Rahul R Oracle Directory listing - 03/25/2018
Google adwords 3133.7$ Stored XSS Emad Shanab Google Stored XSS $3,133.7 03/21/2018
Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489 Abdullah Hussam (@Abdulahhusam) Wordpress CSRF $1,337 03/15/2018
#BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality Avinash Jain (@logicbomb_1) - Logic flaw, Password reset flaw, Account takeover - 03/14/2018
Dox Facebook Employees Behind “Did You Know” Questions Jane Manchun Wong (@wongmjane) Facebook Information disclosure - 03/13/2018
Union Based Sql injection Write up ->A private Company Site Nur A Alam Dipu - SQL injection - 03/12/2018
How I hacked 74k users of a website. Utkarsh Agrawal - Authentication flaw - 03/11/2018
How I hacked 74k users of a website. Utkarsh Agrawal - Authorization flaw - 03/11/2018
Getting any Facebook user’s friend list and partial payment card details Josip Franjkovic Facebook Information disclosure, IDOR - 03/09/2018
Stored XSS, and SSRF in Google using the Dataset Publishing Language Craig Arendt (@signalchaos) Google Stored XSS, SSRF $18,337 03/07/2018
Clickjackings in Google worth 12644.7$ Raushan Raj (@raushan_rajj) Google Clickjacking $12,644.7 03/06/2018
Facebook Bug Bounty Reports Raushan Raj (@raushan_rajj) Facebook Authorization flaw, Logic flaw, Information disclosure $6,000 03/06/2018
#BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! Avinash Jain (@logicbomb_1) - OTP bypass - 03/05/2018
How I found A Surprising XSS Vulnerability on Oracle NetSuite ? Circle Ninja (@circleninja) Oracle XSS - 03/02/2018
The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! Mohamed A. Baset Facebook Information disclosure $2,500 02/25/2018
Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! Mohamed A. Baset Facebook Clickjacking - 02/25/2018
How i Hacked into a bugcrowd. public program Vishnuraj - RCE - 02/25/2018
#BugBounty — API keys leakage, Source code disclosure in India’s largest e-commerce health care company. Avinash Jain (@logicbomb_1) - Path traversal - 02/25/2018
How I was able to delete any image in Facebook community question forum Sarmad Hassan (@JubaBaghdad) Facebook IDOR $1,500 02/24/2018
Bypassing Google’s authentication to access their Internal Admin panels Vishnu Prasad P G Google Authentication bypass $13,337 02/24/2018
The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations! Seif Elsallamy Facebook Race condition - 02/23/2018
Modifying any Ad Space and Placement Joshua Regio Facebook IDOR - 02/22/2018
POODLE SSLv3 bug on multiple twitter smtp servers Omar Espino (@omespino) Twitter Cryptographic issues $280 02/21/2018
Google bugs stories and the shiny pixelbook. Missoum Said (@missoum1307) Google DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF $6,250 02/20/2018
How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties Anand Prakash (@sehacure) Tinder, Facebook Account takeover, Authorization flaw $6,250 02/20/2018 Mirror link
Exploiting CORS Miss configuration using XSS Noman Shaikh - CORS misconfiguration - 02/18/2018
#BugBounty — Exploiting CRLF Injection can lands into a nice bounty Avinash Jain (@logicbomb_1) - CRLF injection $250 02/17/2018
How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it. Waleed Ahmed Facebook Android, DoS $500 02/15/2018
#BugBounty — “How I was able to shop for free!”- Payment Price Manipulation Avinash Jain (@logicbomb_1) - Web parameter tampering / Price manipulation - 02/11/2018
Oracle Cross Site Scripting Vulnerability -Adesh Kolte Adesh Nandkishor kolte (@AdeshKolte) Oracle Reflected XSS - 02/10/2018
Stored XSS on Snapchat Mrityunjoy Snapchat Stored XSS - 02/09/2018
I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it Anand Prakash (@sehacure) Facebook Bruteforce, Account takeover $15,000 02/09/2018 Mirror link
Taking over Facebook accounts using Free Basics partner portal Josip Franjkovic Facebook Information disclosure, IDOR - 02/07/2018
Bug bounty left over (and rant) Part III (Google and Twitter) Antonio Sanso (@asanso) Google, Twitter OAuth flaw, Authentication flaw, Information disclosure $5,540 02/06/2018
How I gained access to Sony’s database Rahul R Sony - $0 02/06/2018
SQL injection with load file and into outfile NoGe - SQL injection $750 02/05/2018
How I found IDOR on Twitter’s Acquisition – Mopub.com Jay Jani (@JayJani007) Twitter IDOR - 02/05/2018
Facebook mailto injection leads to social engineering & spam attack Rahul Kankrale (@RahulKankrale) Facebook Mailto injection $0 (won’t fix) 02/03/2018
#BugBounty — ”I don’t need your current password to login into your account” - How could I completely takeover any user’s account in an online classified ads company. Avinash Jain (@logicbomb_1) - Authentication bypass - 02/03/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) Mohammed Abdul Raheem - IDOR $3,000 02/03/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) Mohammed Abdul Raheem - IDOR $3,000 02/02/2018
Internal IPs disclosure Omar Espino (@omespino) Nokia Internal IP disclosure - 02/02/2018
How I was able to Bypass XSS Protection on HackerOne’s Private Program Jay Jani (@JayJani007) - XSS - 02/02/2018
Getting access to prompt debug dialog and serialized tool on main website facebook.com Omar Espino (@omespino) Facebook Debug info disclosure - 01/31/2018
How I was able to Download Any file from Web server! hammadhassan924 - XSS, IDOR $450 01/27/2018
How I got 22000$ worth ethereum Shubham Gupta - Blind XSS ~22,000 Ethereum 01/26/2018
JSON CSRF attack on a Social Networking Site[Hackerone Platform] Sahil Tikoo (@viperbluff) Badoo CSRF $280 01/26/2018
Here’s how I could’ve ridden for free with Uber Anand Prakash (@sehacure) Uber Logic flaw $5,000 01/26/2018
Full Account Takeover through CORS with connection Sockets Samuel (@saamux) - CORS misconfiguration, Account takeover - 01/25/2018
[Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility on https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/ Peerzada Fawaz Ahmad Qureshi (@zk34911) Yahoo Authorization flaw $300 01/25/2018
No RCE? Then SSH to the box! Jasmin Laundry - LFI, Directory traversal, RCE - 01/25/2018
Reflected XSS + Possible Server Side Template Injection in HubSpot CMS ( All Websites Uses HubSpot was affected ) Mohamed Haron (@m7mdharon) Hubspot Reflected XSS - 01/24/2018 Archived page
#BugBounty @ Linkedln-How I was able to bypass Open Redirection Protection Avinash Jain (@logicbomb_1) LinkedIn Open redirect - 01/24/2018
Asus Cross Site Scrpting And Directory Listing Vulnerability Adesh Nandkishor kolte (@AdeshKolte) Asus Directory listing, XSS - 01/23/2018
File Disclosure via .DS_Store file (macOS) Omar Espino (@omespino) Facebook Directory listing - 01/23/2018
Internshala Bug in Internshala Student Partner Circle Ninja (@circleninja) Internshala Bruteforce $0 01/20/2018
Reflected File Download ( RFD ) in www.Google.com Mohamed Haron (@m7mdharon) Google Reflected File Download $0 01/18/2018 Archived page
$1800 in less than an hour. yappare (@yappare) Indeed CSRF, XSS $1,800 01/17/2018
Reflected XSS via AngularJS Template Injection Taha Ibrahim Draidia Hostinger Reflected XSS, CSTI - 01/17/2018
#BugBounty — AWS S3 added to my “Bucket” list! Avinash Jain (@logicbomb_1) - AWS flaws - 01/16/2018
View the bug subscriptions for any Oculus User Philippe Harewood (@phwd) Facebook IDOR - 01/15/2018
Hacking Facebook accounts using CSRF in Oculus-Facebook integration Josip Franjkovic Facebook CSRF - 01/15/2018
#BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company Avinash Jain (@logicbomb_1) - CSRF, Web parameter tampering - 01/14/2018
Google Tez XSS @Pethuraj Google XSS $3,133.7 01/13/2018
#BugBounty — How I was able to read chat of users in an Online travel portal Avinash Jain (@logicbomb_1) - IDOR - 01/10/2018
RCE Vulnerabilite in Yahoo Subdomain! ( Yahoo! RCE via Spring Engine SSTI ) By tghawkins Mohamed Haron (@m7mdharon) Yahoo! RCE $8,000 01/05/2018 Archived page
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) Mohammed Abdul Raheem - IDOR $3,000 02/04/2018
F**k you Thomas” - ToyTalk bug bounty writeup Jahmel Harris ToyTalk Authentication bypass, HTML injection - 01/04/2018
Content Injection in DuoLingo’s TinyCards App for Android [CVE-2017-16905] Nightwatch Cyber (@nightwatchcyber) DuoLingo Content injection - 01/04/2018
Abusing internal API to achieve IDOR in New Relic Jon Bottarini (@jon_bottarini) New Relic IDOR $1,000 01/02/2018

Bug bounty writeups published in 2017

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Stealing $10,000 Yahoo Cookies! Tabahi (@_tabahi) Yahoo CORS flaw $10,000 12/30/2017
How I found SSRF on TheFacebook.com Thunder Facebook SSRF - 12/27/2017
Jumping to the hell with 10 attempts to bypass devil’s WAF Ak1T4 (@akita_zen) - XSS - 12/27/2017
Microsoft SharePoint’s ‘Follow’ Feature XSS (CVE-2017–8514) -Adesh Kolte Adesh Nandkishor kolte (@AdeshKolte) Microsoft XSS - 12/21/2017
Account Takeover Due to Misconfigured Login with Facebook/Google Bhavuk Jain (@bhavukjain1) Google, Facebook Account takeover, Authorization flaw - 12/20/2017
P4 to P2 - The story of one blind SSRF Mikhail Klyuchnikov (@__Mn1__) - Blind SSRF - 12/19/2017
Unrestricted File Upload to RCE | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook RCE - 12/19/2017
Don’t Trust the Host Header for Sending Password Reset Emails Jack Cable Mavenlink Password reset flaw, Account takeover $1,500 12/13/2017
How I was able to takeover Facebook account Ameer Hamza Facebook Authentication bypass $0 12/10/2017
Using App Ads Helper as an Analytic User Joshua Regio Facebook Authorization flaw $500 12/09/2017
Bug Bounty: Fastmail Brian Hyde Fastmail Read-only access to private server files, Blind SSRF/Blind XXE $3,000 12/08/2017
How I Was Able To See The Bounty Balance Of Any Bug Bounty Program In HackerOne Cj Legacion Hackerone Logic flaw $0 12/06/2017
Getting a RCE — CTF Way Uranium238 (@uraniumhacker) - RCE - 12/05/2017
DEV XSS Protection bypass made my quickest bounty ever!! Yeasir Arafat - XSS $150 12/03/2017
LFI to Command Execution: Deutche Telekom Bug Bounty Daniel Maksimovic Deutche Telekom LFI, RCE - 11/30/2017
Image removal vulnerability in Facebook polling feature Pouya Darabi (@Pouyadarabi) Facebook IDOR $10,000 11/25/2017
Story of bypassing Referer Header to make open redirect Mohammed Eldeeb (@malcolmx0x) - Open redirect - 11/22/2017
Taking note: XSS to RCE in the Simplenote Electron client Yasin Soliman (@SecurityYasin) Automattic XSS, RCE - 11/22/2017
Amazon Bypass Open Redirect Honc (@honcbb) Amazon Open redirect - 11/19/2017
VMware Official VCDX Reflected XSS Honc (@honcbb) VMware Reflected XSS - 11/19/2017
UBER Wildcard Subdomain Takeover | BugBounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Uber Subdomain takeover - 11/20/2017