| Title | Author | Program | Vulnerability | Bounty | Date |
|---|---|---|---|---|---|
| Fixing the Unfixable: Story of a Google Cloud SSRF | David Schütz (@xdavidhu) | Google | SSRF | $4,133.70 | 12/31/2021 |
| Bug Hunting Journey of 2021 | Sudhanshu Rajbhar (@sudhanshur705) | - | Stored XSS, Open redirect, Token theft, CSRF, Logic flaw, Information disclosure, IDOR, Account takeover | $3,200+ | 12/31/2021 |
| My first Google HOF | RV Sharma | Google | Broken Access Control | $1,337 | 12/31/2021 |
| Here’s How I Could Read Anyone’s Apple ID Metrics Remotely. | Faizan Ahmad Wani | Apple | Information disclosure | - | 12/30/2021 |
| Bypassing Identity-Aware Proxy - Google Cloud Vulnerability | SebLu | Google | Authorization flaw, Token theft, OAuth flaw | $5,000 | 12/30/2021 |
| WhatsApp for Android Retains Deleted Contacts Locally | Nightwatch Cybersecurity (@nightwatchcyber) | Meta / Facebook | Privacy issue | $0 (Won’t fix) | 12/30/2021 |
| How I Am Able To Crash Anyone’s Mozilla Firefox Browser By Sending An Email | Sam | Mozilla | DoS | $0 | 12/30/2021 |
| Google Cloud Shell XSS | NDevTK (@ndevtk) | Google | XSS | $5,000 | 12/30/2021 |
| [IDOR] add or remove the linked publications from Author Publisher settings — Facebook Bug Bounty | Rahul Kankrale (@RahulKankrale) | Meta / Facebook | IDOR | $863 | 01/03/2022 |
| Story of a weird CSRF bug | Sudhanshu Rajbhar (@sudhanshur705) | - | CSRF | - | 12/29/2021 |
| Remote Code Execution in Google Cloud Dataflow | Mike Brancato (@meatballninja) | Google | RCE | $3,333.70 | 12/28/2021 |
| Full account takeover vulnerability in Minecraft | Abdulrahman Makki (@AMakki1337) | Minecraft | Account takeover | $5,000 | 12/28/2021 |
| Bounty Evaluation GitHub = $15,000 US Dollars \| Rate Limit | Taniya Agarwal | GitHub | Bruteforce, Email verification bypass, Account takeover | $15,000 | 12/28/2021 |
| Common Nginx Misconfiguration leads to Path Traversal | MikeChan | - | Path traversal | - | 12/28/2021 |
| Bi/ug Bounties and HyperV RCE Research | Peter Hlavaty (@rezer0dai) | Microsoft Hyper-V | RCE | $100,000+ | 12/27/2021 |
| XSS via file upload | Jay Sharma | - | XSS, Unrestricted file upload | - | 12/27/2021 |
| How I Bypassed Netflix Profile Lock? | Krishnadev P Melevila (@Krishnadev_P_M) | Netflix | Logic flaw | $0 (Won’t fix) | 12/27/2021 |
| Turning bad SSRF to good SSRF: Websphere Portal | Shubham Shah (@infosec_au) | HCL Technologies | SSRF | N/A (VDP) | 12/26/2021 |
| How I Saved Christmas for Google 🎄 | 0xdroopy (@NikhilK50866227) | Google (Waze) | Dependency confusion | - | 12/25/2021 |
| Massive Users Account Takeovers(Chaining Vulnerabilities to IDOR)😲 | Anurag__Verma | - | Authentication bypass, IDOR, Lack of rate limiting | - | 12/25/2021 |
| Information Disclosure leads to sensitive credential($$$) | khan mamun (@mamunwhh) | - | Information disclosure | $150 | 12/25/2021 |
| How I found (and fixed) a vulnerability in Python | Adam Goldschmidt (@AdamGolds) | Python | Web cache poisoning | - | 12/24/2021 |
| Cache Poisoning at Scale | Youstin (@iustinBB) | - | Web cache poisoning | $40,000 | 12/23/2021 |
| MS Teams: 1 feature, 4 vulnerabilities | Fabian Bräunlein | Microsoft | SSRF, Information disclosure, DoS, Spoofing | $0 (Won’t fix) | 12/22/2021 |
| How I was able to bypass WAF and find the origin IP and a few sensitive files | Jan Muhammad Zaidi (@hasanakajan) | - | WAF bypass | - | 12/22/2021 |
| Sandbox escape + privilege escalation in StorePrivilegedTaskService | Sector 7 (@sector7_nl) | Apple | Local Privilege Escalation, MacOS bug | - | 12/21/2021 |
| NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories | Wiz (@wiz_io) | Microsoft | Security misconfiguration, .git folder disclosure | $7,500 | 12/21/2021 |
| How I found (P2) Broken Authentication with Zero Skill of Hacking | yoshi m lutfi (@yoshiahmadlutfi) | - | Authentication bypass, Account takeover | - | 12/21/2021 |
| SSD Advisory – Rocket.Chat Client-side Remote Code Execution | - | RocketChat | RCE, MacOS bug | N/A (VDP) | 12/21/2021 |
| How I earned $$$ by bypassing 2FA | Mohamed Taha (@Mohamed12742780) | - | 2FA bypass, Forced browsing | - | 12/21/2021 |
| Bring Your Own SSRF – The Gateway Actuator | Wyatt Dahlenburg (@wdahlenb) | - | SSRF, DoS | - | 12/20/2021 |
| Blackbox Cookie Testing — How I Cracked The Admin’s Cookie | Saeed Balquizi | - | Authentication bypass | - | 12/20/2021 |
| RCE in Visual Studio Code’s Remote WSL for Fun and Negative Profit | Parsia Hackerman (@cryptogangsta) | Microsoft | RCE | $0 (OOS) | 12/20/2021 |
| How I was able to reveal page admin of almost any page on Facebook | Sudip Shah | Meta / Facebook | IDOR | $4,500 | 12/20/2021 |
| Stored XSS by bypassing signature | Abdulrahman Makki (@AMakki1337) | - | XSS, Unrestricted file upload | $3,500 | 12/20/2021 |
| Flickr Account Takeover | Lauritz (@lauritz) | Flickr | Account takeover, Authentication flaw | $7,550 | 12/18/2021 |
| Hacked Google-Meet…??! | 7𝖍3𝖍4𝖈kv157 (@7h3h4ckv157) | Google | Authorization flaw | - | 12/18/2021 |
| Exploitation Of CVE-2021-21220 – From Incorrect JIT Behavior To RCE | Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) | Google, Microsoft | Browser bug, Memory corruption, RCE | $100,000 | 12/16/2021 |
| Broken Access Control | Meareg | Microsoft | IDOR | - | 12/16/2021 |
| GHSL-2021-1053: Path traversal in Grafana REST API - CVE-2021-43813, CVE-2021-43815 | Alvaro Muñoz (@pwntester) | Grafana Labs | Path traversal | - | 12/15/2021 |
| Gumtree – leaking your data and not really listening | Alan Monie (@AlanMonie) | Gumtree | IDOR | - | 12/15/2021 |
| How I found the Authentication Bypass bug and Earn $$$ | Thedarkwayg (@shadow_CLAY) | - | Session expiration issue | $1,000 | 12/15/2021 |
| Bypassing the macOS Gatekeeper | Ron Masas (@RonMasas) | Apple | Local Privilege Escalation, Gatekeeper bypass | - | 12/15/2021 |
| How I found XSS vulnerability in Amazon in 5 minutes using shodan | Mohamed Taha (@Mohamed12742780) | Amazon | XSS | - | 12/15/2021 |
| How I Bypassed Incapsula WAF By Imperva | Dawood Ikhlaq | - | SQL injection | - | 12/14/2021 |
| Zero Click To Account Takeover | M7.Arman (@ArmanSecurity) | - | Account takeover, Password reset flaw | - | 12/14/2021 |
| SVG based Stored XSS | xaonan44 | - | Stored XSS | - | 12/12/2021 |
| A story about a not-so-direct SSRF | Preetham Bomma (@cyber01_) | - | SSRF | - | 12/12/2021 |
| Open Redirection - QR Code Magic | Jerry Shah (@Jerry) | - | Open redirect | $0 (Duplicate) | 12/11/2021 |
| Remote Deserialization Bug in Microsoft’s RDP Client through Smart Card Extension (CVE-2021-38666) | Valentino Ricotta | Microsoft | Memory corruption bug | $5,000 | 12/10/2021 |
| Remote ASLR Leak in Microsoft’s RDP Client through Printer Cache Registry (CVE-2021-38665) | Valentino Ricotta | Microsoft | Memory corruption bug | $1,000 | 12/10/2021 |
| ProtoBuffer ReUtilization “New Way to Security Test GoogleCaptcha” | ChooK | Rapid7 | Captcha bypass | N/A (VDP) | 12/10/2021 |
| Don’t Reply: A Clever Phishing Method In Apple’s Mail App | Jon Bottarini (@jon_bottarini) | Apple | Phishing | $5,000 | 12/09/2021 |
| A phishing document signed by Microsoft – part 1 | Pieter Ceelen (@ptrpieter) & Dima van de Wouw | Microsoft | Phishing, RCE | - | 12/09/2021 |
| File Upload to RCE | Ahmed Magdy (@8Ahmed88Magdy8) | - | Unrestricted file upload | - | 12/09/2021 |
| Exploiting S3 bucket with path folder to Access PII info of A BANK | Santosh Kumar Sha (@killmongar1996) | - | AWS misconfiguration, Information disclosure | - | 12/09/2021 |
| From Finding AWS S3 Bucket to Sensitive Data Exposure | Demon (@R29k_) | - | AWS misconfiguration | - | 12/09/2021 |
| Account Takeover via Stored XSS | Demon (@R29k_) | - | Account takeover, Stored XSS | $1,000 | 12/09/2021 |
| CVE-2021-43798 - Path Traversal Vulnerability In Grafana & How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs | Jordy Versmissen / J0VSEC (@j0v0x0) | Grafana Labs | Path traversal | - | 12/08/2021 |
| Another Admin panel | Rizwan_siddiqui (@Rizwan_SiDdiqu1) | - | HTTP response manipulation, Authentication bypass | - | 12/08/2021 |
| Microsoft Vancouver leaking website credentials via overlooked DS_STORE file | CyberNews Team | Microsoft | Information disclosure | - | 12/08/2021 |
| Windows 10 RCE: The exploit is in the link | Fabian Bräunlein & Lukas Euler | Microsoft | RCE | $5,000 | 12/07/2021 |
| How I was able to change Reddit acquired Dubsmash’s music library sound tracks’ titles | Sandeep Hodkasia (@sandeephodkasia) | Reddit | IDOR | $3,000 | 12/07/2021 |
| Hacking into Admin Panel of U.S Federal government system C.A.R.S — without credentials. | Hazem Brini (@ImJungsuu) | U.S. General Services Administration | Client-side enforcement of server-side security, Privilege escalation | N/A (VDP) | 12/07/2021 |
| Microsoft Azure Portal – CSV Injection | Christian Becker (@0xchrisb) | Microsoft | CSV injection | - | 12/06/2021 |
| SSRF vulnerability in AppSheet - Google VRP | David Nechuta (@david_nechuta) | Google | SSRF | $6,267.4 | 12/05/2021 |
| Accidental IDOR in eLearnSecurity to Knowing Your Address and Cert You Bought. | Anugrah SR (@cyph3r_asr) | INE | IDOR | N/A (VDP) | 12/05/2021 |
| This is how i was able to See and Delete your Private Facebook Portal photos | Abhishek Pathak (@pathleax) | Meta / Facebook | IDOR | - | 12/04/2021 |
| How I managed to hack User accounts of a billion-dollar sport platform | Vishnuraj | - | OTP bypass, Bruteforce, Lack of rate limiting | - | 12/04/2021 |
| My mindset while hunting on Yandex and my SSRF | Momen Ali (Cyber Guy) (@theCyberGuy0) | Yandex | SSRF | - | 12/04/2021 |
| How I accessed the Sensitive document which I had already deleted | Pawan Chhabria (@heybenchmarkkk) | - | Privacy issue | - | 12/04/2021 |
| Write Up – XSS Stored In files.slack.com Via XML/SVG File (iOS) – $1,000 USD | Omar Espino (@omespino) | Slack | XSS | $1,000 | 12/03/2021 |
| Disclose Ad Accounts linked with Instagram Accounts | Naveen (@NaveenHax) | Meta / Facebook | Information disclosure, Logic flaw, GraphQL bug | $1,500 | 12/02/2021 |
| Bypassing Box’s Time-based One-Time Password MFA | Tal Peleg | Box | OTP bypass, MFA bypass | - | 12/02/2021 |
| AWS SageMaker Jupyter Notebook Instance Takeover | Gafnit Amiga (@gafnitav) | Amazon | Self XSS, CSRF, RCE | - | 12/02/2021 |
| Exploring Container Security: A Storage Vulnerability Deep Dive | Fabricio Voznika & Mark Wolters | Kubernetes | Race condition, Kubernetes bug | - | 12/02/2021 |
| Easy SQLi in Amazon subsidiary using Sqlmap | Mostafa Mamdoh | Amazon | SQL injection | $1,500 | 12/01/2021 |
| This shouldn’t have happened: A vulnerability postmortem | Tavis Ormandy (@taviso) | Mozilla | Memory corruption bug | - | 12/01/2021 |
| AUDI, partner! | vict0ni (@vict0ni) | Audi | Subdomain takeover, Information disclosure | N/A (VDP) | 12/01/2021 |
| How i was able to bypass Cloudflare WAF for SQLi payload | Momen Ali (Cyber Guy) (@theCyberGuy0) | - | SQL injection, WAF bypass | - | 12/01/2021 |
| P1 _Bug in Apple that phase “old is Gold” | Saurabh Sankhwar (@mr_encryption) | Apple | Logic flaw | $0 (Informative) | 12/01/2021 |
| Microsoft Teams – CSV Injection | Christian Becker (@0xchrisb) | Microsoft | CSV injection | - | 12/01/2021 |
| VMware vCenter earlier versions (7.0.2.00100) has unauthorized arbitrary file read + ssrf + xss vulnerability | Khoa Dinh (@_l0gg) | VMware | LFI, SSRF, XSS, Arbitrary file read | - | 11/30/2021 |
| My write-up in hacking IBM’s administration panel and getting SQLi on it | Momen Ali (Cyber Guy) (@theCyberGuy0) | IBM | SQL injection, Broken Access Control | - | 11/30/2021 |
| NodeBB 1.18.4 - Remote Code Execution With One Shot | Sonar (@SonarSource) | NodeBB | RCE, XSS, Authentication bypass, Arbitrary file read | $1,536 | 11/30/2021 |
| This Microsoft Windows RCE Vulnerability Gives an Attacker Complete Control | Malcolm Stagg (@malcolmst) | Windows | Memory corruption bug | - | 11/30/2021 |
| Play The Opera Please | Dhiraj (@RandomDhiraj) | Opera | Browser bug | - | 11/29/2021 |
| Price Manipulation Bypass Using Integer Overflow Method | Marx Chryz | - | Payment tampering, Memory corruption bug | - | 11/29/2021 |
| How I got my first bounty on financial sector gateway site by using Previous GraphQL vulnerabilities. | Night Hawk | - | Information disclosure, GraphQL bug | $2,500 | 11/26/2021 |
| SSD Advisory – Chrome Ad Heavy Bypass (via history.back()) | Alesandro Ortiz (@AlesandroOrtizR) | Chrome | Browser bug | - | 11/26/2021 |
| WordPress Plugin Confusion: How an update can get you pwned & Wordpress Plugin Update Confusion - The full guide how to scan and mitigate the next big Supply Chain Attack | Kamil Vavra (@vavkamil) & Gal Nagli (@naglinagli) | - | Supply chain attack, WordPress plugin confusion, WordPress theme confusion | - | 11/25/2021 |
| RocketChat - Monitor User Messages | Rojan Rijal (@uraniumhacker) | RocketChat | Authorization flaw | N/A (VDP) | 11/25/2021 |
| How I Found My First XSS Bug | Thedarkwayg (@shadow_CLAY) | Atlassian | XSS | $600 | 11/25/2021 |
| Unauthenticated Sensitive Information Disclosure at [REDACTED] | Rizaldi Wahaz (@wah_haz) | - | Old components with known vulnerabilities, Information disclosure | - | 11/25/2021 |
| Account Takeover in $Million Company? | 0xGodson (@0xGodson_) | Fastmail | Account takeover, Password reset flaw | $0 (Informative) | 11/24/2021 |
| Finding XSS on .apple.com and building a proof of concept to leak your PII information | Zseano (@zseano) | Apple | XSS | - | 11/23/2021 |
| Moodle Blind SQL injection via MNet authentication | rekter0 (@rekter0) | Moodle | SQL injection | - | 11/23/2021 |
| A business logic error bug worth 600$ | Deep Patidar (@itsdeepceh) | - | Payment tampering | $600 | 11/23/2021 |
| GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks | Romain Carnus, Maxime Nadeau, Julien Pineault & Mathieu Novis | Microsoft | Local Privilege Escalation | - | 11/22/2021 |
| [BugBounty] XSS with Markdown — Exploit & Fix on OpenSource | Lê Thành Phúc | - | XSS | - | 11/22/2021 |
| Peeping through a Web-Socket | Aditya Verma (@0cirius0) | - | Cross-Site Websocket Hijacking (CSWH) | - | 11/21/2021 |
| Hacking Apple Security Report System | HackrzVijay (@hackrzvijay) | Apple | Logic flaw, Social engineering | $0 (OOS) | 11/20/2021 |
| Exploiting OAuth: Journey to Account Takeover | Aditya Dixit (@zombie007o) | - | Account takeover, OAuth flaw, XSS, Weak CSP, CSRF | - | 11/19/2021 |
| How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud | Valeriy Shevchenko (@Krevetk0Valeriy) | Atlassian | Information disclosure, Authentication flaw | $15,000 | 11/19/2021 |
| A Story of an Epic Blind Remote Code Execution(RCE) | Akash Solanki (@MAALP1225) | - | RCE, OS command injection | - | 11/18/2021 |
| A common defect in java system-Memory DoS (include CVE-2021-2344, CVE-2021-2371, CVE-2021-2376, CVE-2021-2378) | threedr3am (@threedr3am1) | Oracle | DoS | - | 11/18/2021 |
| URL whitelist bypass in https://cxl-services.appspot.com & Reacting to myself finding an SSRF vulnerability in Google Cloud | David Schütz (@xdavidhu) | Google | Privilege escalation, URL validation bypass, SSRF | $10,401.1 | 11/17/2021 |
| CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory | Karl Fosaaen (@kfosaaen) | Microsoft | Information disclosure | - | 11/17/2021 |
| Write Up – Apple N/A: PII Information, Full Contact List, Main Phone No. And Main Icloud Email Extracted; Bug Patched: Arbitrary Local File Read Via Zip File And Symlinks On Ios Files App. | Omar Espino (@omespino) | Apple | Arbitrary file read | $0 | 11/17/2021 |
| The tale of CVE-2021–34479 (VSCode XSS) | Daniel Santos (@bananabr) | Microsoft | XSS, CSP bypass | - | 11/17/2021 |
| Keybase App Vulnerability: Incomplete Cleanup of Messages In Keybase for Android/iOS, CVE-2021-34421 | Olivia O’Hara (@oliviaohara), Jackson Henry (@JacksonHHax), John Jackson (@johnjhacking) & Robert Willis (@rej_ex) | Keybase | Information disclosure | - | 11/17/2021 |
| Diving into Open-source LMS Codebases | Poh Jia Hao (@Chocologicall) | Moodle, Chamilo LMS | Insecure file upload, Insecure deserialization, RCE, CSRF, SQL injection, Reflected XSS | - | 11/16/2021 |
| DOS attack in Yahoo, How i was able to deny new users from service? | Mostafa Mamdoh | Yahoo | DoS, Logic flaw | $1,000 | 11/16/2021 |
| Full account takeover through referral code. | Mostafa Mamdoh | Shipt | Authentication flaw, Account takeover | $700 | 11/16/2021 |
| DOS attack in Yahoo, How i was able to deny new users from service? | Mostafa Mamdoh | Yahoo | DoS | $1,000 | 11/15/2021 |
| How I Found P1 bug Due to Sensitive data exposure And Earn $$$ | Piyush shukla (@PiyushShukla__) | - | Information disclosure | - | 11/15/2021 |
| Broken Link Hijacking — 404 Google Play Store— xxx$ Bounty | Proviesec (@proviesec) | - | Broken link hijacking | - | 11/14/2021 |
| Exploiting CSP in Webkit to Break Authentication & Authorization | Sachin Thakuri (@sachinnthakuri) & Prakash (@1lastBr3ath) | Apple | Information disclosure, CSP leak, Account takeover | $100,000+ | 11/13/2021 |
| Impact of an Insecure Deep Link | Yashar Shahinzadeh (@YShahinzadeh) & Аli Dinifаr (@binb4sh) | CafeBazaar | Insecure deep link | - | 11/13/2021 |
| Never leave this tip while you hunting Broken Access Control | secureITmania (@secureitmania) | - | Broken Access Control | - | 11/13/2021 |
| How I got $200 in 30 Seconds. | Yash__ HackZ (@HackzYash) | - | Information disclosure | $200 | 11/12/2021 |
| chaining improper authentication to idor and no rate limit for mass account takeover | mohit (@mohit29295572) | - | Account takeover, Lack of rate limiting, CSRF, IDOR | - | 11/12/2021 |
| From URL dumps digging to IDOR , BAC, Massive Phishing in Udemy | Mostafa Mamdoh | Udemy | Broken access control, Information disclosure, IDOR, HTML injection | $1,300 | 11/12/2021 |
| Simple SSRF Allows Access To Internal Assets | Sam Paredes (@caffeinevulns) | - | SSRF | - | 11/11/2021 |
| Write Up – Google VRP Bug Bounty: /etc/environment Local Variables Exfiltrated On Linux Google Earth Pro Desktop App – $1,337 USD | Omar Espino (@omespino) | Google | XSS | $1,337 | 11/11/2021 |
| Unrestricted File Upload Leads to SSRF and RCE | Muhammad Adel (@ItsFadinG_) | - | ImageTragick, Unrestricted file upload, SSRF, RCE | - | 11/11/2021 |
| Fuzzing Microsoft’s RDP Client using Virtual Channels: Overview & Methodology | Valentino Ricotta | Microsoft | Memory corruption bug | $6,000 | 11/10/2021 |
| ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough | Nir Ohfeld (@nirohfeld) & Sagi Tzadik (@sagitz_) | Microsoft | Cross-tenant vulnerability, Account takeover, Privilege escalation | $40,000 | 11/10/2021 |
| Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond | Daniel Thatcher | - | HTTP Header Smuggling, HTTP Request Smuggling | - | 11/10/2021 |
| 400$ Bounty again using Google Dorks | Haris M (@hrsm321) | - | Directory listing, Information disclosure | $400 | 11/09/2021 |
| Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over | Cam (@secretlyhidden1) | Google | IDOR | - | 11/09/2021 |
| Bypass Chrome Ad-Heavy detection mechanism | 0x0021h (@0x0021h) | Google | Browser bug | - | 11/09/2021 |
| How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes | Mahmoud Youssef (@0xmahmoudjo0) | - | SQL injection | - | 11/07/2021 |
| SONY Hunting I: Discovering Hidden Parameters (5x SWAG) | can1337 (@canmustdie) | Sony | Open redirect | N/A (VDP) | 11/07/2021 |
| Insufficient Redirect URI validation: The risk of allowing to dynamically add arbitrary query parameters and fragments to the redirect_uri | Lauritz (@lauritz) | GitHub, Microsoft, StackExchange | OAuth flaw, Prototype pollution | - | 11/06/2021 |
| 4 Crits in 48 hours: Unicorn Programs | Monke (@pmofcats) | - | Privilege escalation, Information disclosure, IDOR | - | 11/06/2021 |
| Bypass video capture limit on Ray-Ban Stories | Philippe Harewood (@phwd) | Meta / Facebook | Logic flaw, Android bug | $1,500 | 11/05/2021 |
| Unauthenticated Access To Cloud Portal — A 🚪 Without 🗝️ | Yukesh Kumar (@3th1c_yuk1) | - | Authentication bypass | - | 11/05/2021 |
| HacktoberFest2k21 vulnerability: How users metadata can be changed via Auth JWT tokens leaking from waybackurls | Anurag__Verma | DigitalOcean | IDOR | N/A (VDP) | 11/04/2021 |
| Fiverr email restriction bypassed \| Bounty 100$ | Maruf Hosan | Fiverr | Logic flaw | $100 | 11/04/2021 |
| A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions | Perception Point (@PerceptionPo1nt) | Apple | Local Privilege Escalation, MacOS bug | - | 11/03/2021 |
| How i made 500$ with XSS | Nassim Chami (@nvccim) | - | XSS, Account takeover | $500 | 11/01/2021 |
| Never Give Up — Story of Hacking Dutch Government and Earning that Dutch Swag. | BabaBounty (@Rohan96867358) | Dutch Government | IDOR | N/A (VDP) | 10/31/2021 |
| This is how i was able to Permanently Crash all Mapillary users within minutes | Abhishek Pathak (@pathleax) | Meta / Facebook | Application-level DoS | - | 10/31/2021 |
| How I found Command Injection via Obsolete PHPThumb | Sushant Kamble | - | OS command injection | - | 10/30/2021 |
| How I was able to access a properly Configured S3 Bucket | Pawan Chhabria (@heybenchmarkkk) | - | Leaked AWS keys, Information disclosure | - | 10/28/2021 |
| Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection | Microsoft Security Vulnerability Research (MSVR) | Apple | SIP bypass, Local Privilege Escalation | - | 10/28/2021 |
| Write Up – XSS Stored In api.media.atlassian.com Via Doc File (iOS) | Omar Espino (@omespino) | Atlassian | Stored XSS | - | 10/28/2021 |
| A journey from XML External Entity (XXE) to NTLM hashes! | Shubham Chaskar (@chaskar_shubham) | - | XXE | - | 10/28/2021 |
| Apple XAR – Arbitrary File Write (CVE-2021-30833) | Richard Warren (@buffaloverflow) | Apple | Arbitrary file write | - | 10/28/2021 |
| Unauthenticated Cache Purge | Priyansh Bansal (@PriyanshB25) | Lenovo | Unauthenticated cache purge | N/A (VDP) | 10/28/2021 |
| Unauthorized access to any user’s account. | vikram naidu (@ImVikram7msd) | - | IDOR, Authentication bypass, Account takeover | - | 10/28/2021 |
| Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD | Sonar (@SonarSource) | GoCD | Broken authentication, Authentication flaw | N/A (VDP) | 10/27/2021 |
| Easy SSRF from Wayback Machine | Khaled Mohamed (@0xElkomy) | - | SSRF | - | 10/27/2021 |
| Use-After-Free in Voice Control: CVE-2021-30902 Write-up | 08Tc3wBB (@08Tc3wBB) | Apple | Memory corruption bug | - | 10/27/2021 |
| An Effective 5 min recon leads to a Hall of Fame | Renganathan (@IamRenganathan) | - | Information disclosure | - | 10/26/2021 |
| A 7500$ Google sites IDOR | Jalal (@r0ckin_) | Google | IDOR | $7,500 | 10/24/2021 |
| Account Takeover via improper input validation | Gaurav Narwani (@gauravnarwani97) & Verneet (@err0rrrrr) | - | OAuth flaw, Token theft, Account takeover | - | 10/24/2021 |
| How I was able to revoke your Instagram 2FA | Dhiyaneshwaran (@DhiyaneshDK) | Facebook (Instagram) | Bruteforce, Rate-limiting bypass | $5,000 | 10/23/2021 |
| Google Chrome Vulnerability Worth for $6K: Use After Free (CVE-2021-30573) | Security For Everyone / S4E Team (@secforeveryone) | Google | Memory corruption bug | $6,000 | 10/23/2021 |
| Discourse SNS webhook RCE | joernchen (@joernchen) | Discourse | RCE | - | 10/23/2021 |
| Tagged User Could Delete Facebook Story | Mark Rhoy (@mrkrhy_xyz) | Meta / Facebook | Logic flaw, Android app bug, Authorization flaw | - | 10/23/2021 |
| How i Got 3 SQL injection in just 10 minutes. | Ahmed Fatouh (@XDev05) | - | SQL injection | - | 10/23/2021 |
| A story of another awesome old school hacking that lead to a cool P1 bug | Vuk Ivanovic | - | 403 bypass | - | 10/22/2021 |
| Moodle - Stored XSS and blind SSRF possible via feedback answer text | rekter0 (@rekter0) & Holme (@holme_sec) | Moodle | Stored XSS, SSRF | - | 10/22/2021 |
| All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021-38646) | Eugene Lim (@spaceraccoonsec) | Apache OpenOffice | RCE, Memory corruption bug | - | 10/22/2021 |
| Unauthorized access to any Facebook user’s draft profile picture frames | Sandeep Hodkasia (@sandeephodkasia) | Meta / Facebook | IDOR | - | 10/22/2021 |
| CVE-2021-2471 MySQL JDBC XXE | - | Oracle (MySQL) | XXE | - | 10/21/2021 |
| From staging to 0 click account takeover | mohamad mahmoudi (@dPhoeniixx) | Pinterest | Account takeover, Logic flaw | - | 10/19/2021 |
| Exploiting Request forgery on Mobile Applications. | Sayed Abdelhafiz (@dPhoeniixx) | Pinterest | CSRF, Account takeover, Android app bug, iOS app bug | - | 10/19/2021 |
| A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection | Marc Olivier Bergeron | Amazon | SQL injection, WAF bypass | - | 10/19/2021 |
| Shells And SOAP: Websphere Deserialization To RCE | Wyatt Dahlenburg (@wdahlenb) | IBM | RCE, Insecure deserialization | - | 10/18/2021 |
| The Speckle Umbrella story — part 2 | Imre Rad (@ImreRad) | Google | Information disclosure, Logic flaw | - | 10/18/2021 |
| How I Escalated a Time-Based SQL Injection to RCE | JM Sanchez / 0xEchidonut (@jmrcsnchz) | Sony | SQL injection, RCE | - | 10/17/2021 |
| Business Logic Errors - A Logic Destruction | Jerry Shah (@Jerry) | - | Logic flaw | - | 10/17/2021 |
| Exploitation of file’s download parameters to create potential risk of malware delivery: $200 bug! | Muhammad Aamir (@Muhammad__Aamir) | - | CSRF, RCE | $200 | 10/17/2021 |
| Remote code execution in Managed Anthos Service Mesh control plane | Anthony Weems | Google | RCE | $6,000 | 10/15/2021 |
| Write Up – Google VRP N/A: Arbitrary Local File Read (Macos) Via `<a>` Tag And Null Byte (%00) In Google Earth Pro Desktop App | Omar Espino (@omespino) | Google | Local File Read | $0 (Won’t fix) | 10/14/2021 |
| 500$ Bug: Sensitive Data Exposure to Broken Access Control leads, How I able to take over any account of India’s Biggest College Ever.👨💻 | Gowtham_Naidu (@NaiduPonnana) | - | OTP bypass, Account takeover, Password reset flaw | $500 | 10/13/2021 |
| Abusing Slack’s file-sharing functionality to de-anonymise fellow workspace members | Julien Cretel (@jub0bs) | Slack | XSLeaks | $0 (Won’t fix) | 10/12/2021 |
| ESET Endpoint Security credentials theft | Mehdi Alouache | ESET | Credentials sent over unencrypted channel | $0 (Informative) | 10/12/2021 |
| Bypassing required reviews using GitHub Actions | Omer Gil (@omer_gil) | GitHub | Privilege escalation, Logic flaw | - | 10/12/2021 |
| Hacking YouTube With MP4 | KeyboardWarrior (@Keyb0ardWarr10r) | Google | Logic flaw, DoS | $0 (Informative) | 10/11/2021 |
| Exploiting HTML-to-PDF Converters through HTML Imports | Mohammed Diaa (@mhmdiaa) | - | XSS, LFI | - | 10/10/2021 |
| How I Hacked Billion Android Users Social And 3rd Party Account \| A Story About 5000$ Bug | Karthikeyan (@Karthithehacker) | Google | Android bug | $5,000 | 10/10/2021 |
| How I got $500 with Open redirect | khan mamun (@mamunwhh) | - | Open redirect | $500 | 10/10/2021 |
| Stumbling across a DOM XSS on google.com | tkiela (@svennergr) | Google | DOM XSS | - | 10/10/2021 |
| Account Takeover — Story of 2 same issues in a single program but different sub-domains. | Himanshu Pdy (@himanshu_pdy_01) | - | Account takeover | - | 10/10/2021 |
| Auth Bypass in Google Assistant | David Schütz (@xdavidhu) | Google | Insecure deeplink | $8,133.70 | 07/10/2021 |
| Power of Your Own Wordlist — Fuzz for Log File Leads to Information Leakage | MikeChan | - | Information disclosure | - | 10/09/2021 |
| Request Smuggling In Major Crypto Site — road to disappointment | CeloIme Prezime | - | HTTP Request Smuggling | $0 | 10/09/2021 |
| Accessing Apple’s internal UAT Slackbot for fun and non-profit | Shail Patel (@shail_official) & Ashish Kunwar (@D0rkerDevil) | Apple | Authorization flaw | $0 | 10/07/2021 |
| CVE-2021-26420: Remote Code Execution In Sharepoint Via Workflow Compilation | - | Microsoft | RCE | - | 10/06/2021 |
| Hacking Netflix Eureka! | Maxim Tyukov (@maxtyukov) | Netflix | SSRF, XSS | - | 10/06/2021 |
| CSRF to one tray Red-bull | Mohammed Saneem | Redbull | CSRF | N/A (VDP) | 10/06/2021 |
| [EN] Stored XSS in the administrator’s panel due to misuse of MarkupSafe | Aethlios (@AethliosIK) | pass Culture | Stored XSS | - | 10/06/2021 |
| How I got access to many PIIs through a source code leak | Supras (@LdrTom) | - | Information disclosure | - | 10/05/2021 |
| CVE-2021-26084 | snowyyowl (@bennyyjacob) | Atlassian | RCE | - | 10/05/2021 |
| Bypassing 403 Protection To Get Pagespeed Admin Access | Prajit Sindhkar (@PrajitSindhkar) | - | 403 bypass | $200 | 10/04/2021 |
| $600 for IDOR (File or Folder Download) | Inderjeet Singh - encodedguy (@3nc0d3dGuY) | - | IDOR | $600 | 10/03/2021 |
| A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection | Rishu Ranjan (@tweetit_rrj) | Apple | HTML injection, Dangling Markup Injection | - | 10/03/2021 |
| Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit) | Vanshal Gaur (@VanshalG) | - | SSRF | - | 10/02/2021 |
| The Discovery Of Gatekeeper Bypass CVE-2021-1810 & Analysis Of CVE-2021-1810 Gatekeeper Bypass | Rasmus Sten (@pajp) | Apple | Logic flaw | - | 10/01/2021 |
| Ping’ing XMLSec | tint0 (@_tint0) | Ping, Netflix, Paypal | XSLT, XXE | - | 09/30/2021 |
| Expect The Unexpected: Discovering fresh ZeroDay for Bounty | SinSin (@sin_khe) | - | Logic flaw, Information disclosure | - | 09/30/2021 |
| How I found bug on Google Cloud | Anuragbhoir11 | Google | OTP bypass | - | 09/30/2021 |
| Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts | Youssef Sammouda (@samm0uda) | Meta / Facebook | Account takeover, Android app bug | $10,000 | 09/29/2021 |
| Force Browsing bug at Facebook business plan ($500 Bounty) | Dewanand Vishal (@dewcode91) | Meta / Facebook | Authorization flaw, Forced browsing | $500 | 09/29/2021 |
| Telegram users’ privacy has been violated again. Messenger representatives demand not to disclose details | ne555 | Telegram | Privacy issue | - | 09/29/2021 |
| “A tale of making internet pollution free” - Exploiting Client-Side Prototype Pollution in the wild | Sergey Bobrov (@black2fan), Mohan Sri Rama Krishna P (@s1r1u5_), Terjanq (@terjanq), Beomjin Lee (@po6ix), Masato Kinugawa (@kinugawamasato), Nikita Stupin (@_nikitastupin), Rahul Maini (@iamnoooob), Harsh Jaiswal (@rootxharsh), Mikhail Egorov (@0ang3el), Melar Dev (@melardev) | Apple, Atlassian, Mozilla, HubSpot, Segment Analytics & others | Prototype pollution, XSS | $12,600+ | 09/28/2021 |
| Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS) | Bobby Rauch / Bobbyr | Apple | Stored XSS | - | 09/28/2021 |
| DeepSurface Security Advisory: LPE in Firefox on Windows | Robert Chen | Mozilla | Local Privilege Escalation | $0 (Won’t fix) | 09/28/2021 |
| Bypass of biometrics & password security functionality for Android | Dheeraj Madhukar (@Dheerajmadhukar) | CoinDCX | Authentication bypass, Android app bug | - | 09/27/2021 |
| CVE-2021-39246 – Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack excessive verbose logging – Windows, macOS, Linux | sickcodes (@sickcodes) | Tor | Verbose logging | $0 (Informative) | 09/27/2021 |
| Improper phone number validation to account takeover | shesha sai_c (@Cyb3r_4ss4s1n) | - | Logic flaw, OTP bypass, Account takeover | - | 09/27/2021 |
| Attack Surface Analysis - Part 3 - Resurrected Code Execution | Parsia Hackerman (@cryptogangsta) | - | RCE | - | 09/26/2021 |
| Telegram bug in terminated sessions | Hackintosh5 | Telegram | Session expiration issue | - | 09/24/2021 |
| Remote Command Execution in Visual Studio Code Remote Development Extension | Abdel Adim smaury Oisfi (@smaury92) | Microsoft | RCE | - | 09/24/2021 |
| Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program | Denis Tokarev / illusionofchaos | Apple | Information disclosure, Local Privilege Escalation, Privacy issue | - | 09/24/2021 |
| $8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser | Renwa (@RenwaX23) | Opera | XSS, RCE | $8,000 | 09/24/2021 |
| Bug-Bounty \| FASTMAIL [pobox.com : account takeover] | Mohammed ELdawody | Fastmail | Account takeover, Password reset flaw | - | 09/24/2021 |
| Bug-Bounty \| FASTMAIL [topicbox.com: Privileges Escalation > Organization Takeover] | Mohammed ELdawody | Fastmail | Privilege escalation, Logic flaw | - | 09/24/2021 |
| Facebook Messenger for MacOS contained valid hardcoded FB access token (employee’s token?) | Dzmitry Lukyanenka (@vulnano) | - | Hardcoded token | $625 | 09/23/2021 |
| Pwn2Own 2021: Parallels Desktop Guest To Host Escape | Benjamin McBride (@bdmcbri) | Parallels | VM escape | - | 09/23/2021 |
| Super Admin panel without Credentials 😎 | Rizwan_siddiqui (@Rizwan_SiDdiqu1) | - | Authentication bypass | N/A (VDP) | 09/22/2021 |
| Autodiscovering the Great Leak | Amit Serper (@0xAmit) | Microsoft | Domain name collision | - | 09/22/2021 |
| mXSS in support.mozilla.org | Guilherme Keerok (@k33r0k) & Luan Herrera (@lbherrera_) | Mozilla | XSS | $0 (OOS) | 09/22/2021 |
| A fever Worth 750$- [Accessing Private Projects ] | Shakti Mohanty (@3ncryptSaan) | Mozilla | IDOR, Information disclosure | $750 | 09/22/2021 |
| Cookie Stealing via Clickjacking using Burp collaborator | Anurag__Verma | - | Clickjacking | - | 09/22/2021 |
| RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through | Markus Wulftange (@mwulftange) | Citrix Systems | RCE, Path traversal | - | 09/21/2021 |
| Mama Always Told Me Not to Trust Strangers without Certificates | Adam (@AdamOfDc949) | Netgear | MiTM, RCE | - | 09/21/2021 |
| 5 RCEs in npm for $15,000 | Robert Chen (@NotDeGhost) & Philip | - | RCE | $15,000 | 09/20/2021 |
| Unlimited report user in Instagram (Facebook) leads to abuse risk. | Mano Prasanth | Meta / Facebook | Lack of rate limiting | $0 (Informative) | 09/20/2021 |
| Vertical Privilege escalation | Saddam Hussain (@wisdomfreak1) | - | Privilege escalation | - | 09/19/2021 |
| Chaining bugs for better bounties | Manas Harsh (@ManasH4rsh) | | | | |
- |
SSRF, XSS, Information disclosure |
$600 |
09/19/2021 |
Admin access !! |
th3.d1p4k (@DipakPanchal05) |
- |
Privilege escalation, Broken Access Control |
- |
09/19/2021 |
A small change, and things go in your hand : Story of a $250 bounty |
Fardeen Ahmed (@fardeenahmed411) |
- |
Information disclosure |
$250 |
09/18/2021 |
From phpinfo page to many P1 bugs and RCE. [Symfony] |
Abdelrahman Khaled |
- |
File disclosure, Information disclosure, RCE |
- |
09/18/2021 |
From Google Dorking to Information Disclosure |
MikeChan |
- |
Information disclosure, Lack of authentication |
N/A (VDP) |
09/18/2021 |
All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035) |
Eugene Lim (@spaceraccoonsec) |
Apache OpenOffice |
RCE, Memory corruption bug |
- |
09/17/2021 |
How to have free Internet WIFI on United Airlines flights |
Philippe Delteil (@PhilippeDelteil) |
United Airlines |
Payment tampering, Logic flaw |
- |
09/17/2021 |
A Small Tale of Account Takeover … |
Saugat Pokharel (@saugatpk5) |
- |
IDOR, Account takeover |
- |
09/16/2021 |
Weaponizing Reflected XSS to Account Takeover |
Hassan Shahid (@pwnsauc3) |
- |
XSS, Account takeover |
- |
09/16/2021 |
How I was able to find 100+ XSS in United nations Bug Bounty Programr |
mrpentestguy (@MR_iambatman) |
United Nations |
XSS |
N/A (VDP) |
09/16/2021 |
This is why you shouldn’t trust your Federated Identity Provider |
Soufiane Habti (@wld_basha) |
- |
OAuth flaw, Account takeover, Authentication bypass |
$1,500 |
09/15/2021 |
A Facebook bug that exposes email/phone number to your friends |
Saugat Pokharel (@saugatpk5) |
Meta / Facebook |
Information disclosure, Logic flaw |
$19,250 |
09/15/2021 |
How I Was Able To Send SMS From Google To Anyone | $$$ Google Vulnerability: |
Raidh Ĥere (@asterfiest) |
Google |
Content spoofing |
- |
09/15/2021 |
How I hacked worldwide Tiktok users |
s3c (@s3c_krd) |
TikTok |
IDOR |
$7,500 |
09/15/2021 |
Microsoft Azure Portal – Persistent Cross-Site Scripting |
Christian Becker (@0xchrisb) & Sven Schlüter (@secsven) |
Microsoft |
Stored XSS |
- |
09/15/2021 |
10 golden minutes for taking over a Chess.com account |
Seqrity (@seqrity9) |
Chess.com |
Lack of rate limiting, Bruteforce, Session expiration issue |
$400 |
09/14/2021 |
Hacking CloudKit - How I accidentally deleted your Apple Shortcuts |
Frans Rosén (@fransrosen) |
Apple |
Logic flaw(s) |
$64,000 |
09/13/2021 |
Escalating Azure Privileges with the Log Analytics Contributor Role |
Karl Fosaaen (@kfosaaen) |
Microsoft |
Logic flaw(s) |
- |
09/13/2021 |
$3133.70 Google Dialogflow IDOR Vulnerability |
Raidh Ĥere (@asterfiest) |
Google |
IDOR |
$3,133.70 |
09/12/2021 |
$5000 Google IDOR Vulnerability Writeup |
Raidh Ĥere (@asterfiest) |
Google |
IDOR |
$5,000 |
09/11/2021 |
How I found my first AEM related bug. |
Vedant Tekale (@_justYnot) |
- |
LFR |
- |
09/11/2021 |
Bypassing GCP Org Policy with Custom Metadata & GCP AI Notebooks Vulnerability - Remediation |
Kat Traxler (@NightmareJS) |
Google |
Authorization flaw |
$1,337 |
09/10/2021 |
How I Was Able to delete any facebook story where am I mentioned or tagged |
Sank Dahal (@sank68034756) |
Meta / Facebook |
Logic flaw |
$1,000 |
09/10/2021 |
Mistuned Part 1: Client-side XSS to Calculator and More, Mistuned Part 2: Butterfly Effect & Part 3 |
Sank Dahal (@sank68034756) |
Apple |
XSS, Memory corruption bug, iOS bug |
- |
09/10/2021 |
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances |
Unit 42 (@Unit42_Intel) |
Microsoft |
Container takeover, Container escape, Privilege escalation |
- |
09/09/2021 |
Change home directory and bypass TCC aka CVE-2020-27937 |
Wojciech Reguła (@_r3ggi) |
Apple |
Privacy issue, MacOS bug |
- |
09/09/2021 |
GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink |
Justin Steven (@justinsteven) |
GitHub |
Logic flaw, Information disclosure |
- |
09/08/2021 |
Spook.js: Attacking Google Chrome’s Strict Site Isolation via Speculative Execution and Type Confusion |
Ayush Agarwal, Sioli O’Connell, Jason Kim, Shaked Yehezke, Daniel Genkin, Eyal Ronen & Yuval Yarom |
Google |
Browser bug, Side-channel attack, Site Isolation bypass |
- |
09/08/2021 |
Account Takeover via XSS in e-signature feature worth 2500$ |
Gökhan Güzelkokar (@gkhck_) |
- |
XSS, Account takeover |
$2,500 |
09/08/2021 |
Facebook email disclosure and account takeover |
Rikesh Baniya / NotRickyy (@rikeshbaniya) |
Meta / Facebook |
Information disclosure, Account takeover |
- |
09/08/2021 |
Bug Bounty Guest Post: Local File Read via Stored XSS in The Opera Browser |
Renwa (@RenwaX23) |
Opera |
Stored XSS, Local File Read |
$4,000 |
09/08/2021 |
Accessing Grofers Grafana Instance Using Shodan |
Lohith Gowda M (@lohigowda_in) |
Grofers |
Weak credentials |
$25,000 |
09/08/2021 |
5 Different Vulnerabilities in Google’s Threadit |
Thomas Orlita (@ThomasOrlita) |
Google |
DOM XSS, Clickjacking, Privilege escalation, Information disclosure |
- |
09/07/2021 |
SSRF in PDF export with PhantomJs |
أنس روبي (@xhzeem) |
- |
SSRF, XSS, LFI |
- |
09/07/2021 |
Full structure takeover to many brands of company |
Abdelrahman Khaled |
- |
Directory listing, Information disclosure |
- |
09/06/2021 |
SSD Advisory – NETGEAR D7000 Authentication Bypass |
- |
Netgear |
Authentication bypass |
- |
09/06/2021 |
2 CSRF 1 IDOR on Google Marketing Platform |
apapedulimu / Nosa Shandy (@LocalHost31337) |
Google |
IDOR, CSRF |
$3,633.70 |
09/06/2021 |
How I can take over any user’s account with their mobile number |
Sushmitha Katikitala |
- |
Account takeover, OTP bypass, Authentication bypass |
- |
09/06/2021 |
Burp Suite RCE |
Wfox |
PortSwigger |
RCE, Browser bug |
- |
09/06/2021 |
Eye for an eye: Unusual single click JWT token takeover |
Yurii Sanin (@SaninYurii) |
JetBrains |
Open redirect, JWT bug, Account takeover |
- |
09/05/2021 |
Business Logic Errors - Must Vote |
Jerry Shah (@Jerry) |
- |
Logic flaw |
$0 (Duplicate) |
09/05/2021 |
Bypassed! and uploaded a sweet reverse shell |
Ajay Sharma (@security_donut) |
- |
Unrestricted file upload |
- |
09/05/2021 |
How i hacked BBC mail servers |
Momen Ali (Cyber Guy) (@theCyberGuy0) |
BBC |
Information disclosure, Open mail relay |
N/A (VDP) |
09/04/2021 |
More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Account takeover |
$126,000 |
09/03/2021 |
How @Mailru traeted my report on their program |
Aý Oùb (@Yukusawa18) |
Mail.ru |
AWS misconfiguration |
$150 |
09/03/2021 |
IDOR Vulnerability In GraphQL Api On Website |
Aidil Arief |
- |
IDOR, GraphQL bug |
- |
09/03/2021 |
Google Cloud Build — under the hood |
Imre Rad (@ImreRad) |
Google |
- |
- |
09/02/2021 |
Play the music and bypass TCC aka CVE-2020-29621 |
Wojciech Reguła (@_r3ggi) |
Apple |
Privacy issue, MacOS bug |
- |
09/02/2021 |
RCE By Code Injection | Perl Reverse Shell |
Abdulrahman-Kamel |
- |
RCE, Code injection |
- |
09/02/2021 |
ZDI-21-1053: Bypassing Windows Lock Screen |
Abdelhamid Naceri (@KLINIX5) |
Microsoft |
Authentication bypass |
- |
09/02/2021 |
Your Vulnerability Is In Another OEM! |
Lucas Georges, Julient Boutet & Thomas Chauchefoin |
Western Digital |
Memory corruption bug, RCE |
- |
09/02/2021 |
SQL injection in harvard subdomain |
Brandon Roldan (@tomorrowisnew_) |
Harvard University |
XSS, SQL injection |
- |
09/02/2021 |
Breaking Application’s Logic to DOS Attack |
Abhijeet Singh (@abhiunix) |
- |
IDOR, DoS |
- |
09/02/2021 |
chaining bugs from self XSS to account takeover |
Behnam Yazdanpanah (@abhiunix) |
- |
Self XSS, WAF bypass, CSRF, Account takeover |
- |
09/02/2021 |
How I Found Multiple XSS in Hidden Legacy Pages |
Marx Chryz |
- |
XSS |
$1,000 |
09/02/2021 |
Hacking Dutch Government For a lousy T-shirt |
Veshraj Ghimire (@GhimireVeshraj) |
Dutch Government |
IDOR, Information disclosure |
$0, Swag |
09/02/2021 |
CVE-2021-2429: A Heap-based Buffer Overflow Bug In The Mysql Innodb Memcached Plugin |
- |
Oracle (MySQL) |
Memory corruption bug |
- |
09/02/2021 |
SQL injection in harvard subdomain |
Brandon Roldan (@tomorrowisnew_) |
Harvard University |
SQL injection |
- |
09/01/2021 |
Now Patched Vulnerability in WhatsApp could have led to data exposure of users |
Dikla Barda & Gal Elbaz |
Facebook (WhatsApp) |
Memory corruption bug |
- |
09/01/2021 |
Full PoC | Metasploit Pro Trial License Request Limit Bypass |
ChooK |
Rapid7 |
Privilege escalation, Logic flaw |
N/A (VDP) |
08/31/2021 |
Dropping root shell in a Crypto Exchange for Fun and Profitn’t |
Nirmal Thapa (@tnirmalz) |
ChangeNOW |
RCE |
$1,000 |
08/31/2021 |
Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD) |
Shubham Bhamare (@theshubh77) |
Meta / Facebook |
2FA bypass |
$1,000 |
08/31/2021 |
Broken Access Control Leads To Change Of Admin Details |
V3D (@v3d_bug) |
- |
Privilege escalation, Client-side enforcement of server-side security |
- |
08/31/2021 |
CVE-2021-39165: A Bug Bounty Journey from a Laravel SQL Injection Vulnerability |
Xuan Tuyen |
- |
SQL injection |
- |
08/30/2021 |
Proxytoken: An Authentication Bypass In Microsoft Exchange Server |
Xuan Tuyen |
Microsoft |
Authentication bypass |
- |
08/30/2021 |
I owe your Request | HTTP Request Smuggling leads to Full Accounts takeover |
Muhammad Adel (@ItsFadinG_) |
- |
HTTP Request Smuggling |
- |
08/30/2021 |
Two account takeover bugs worth $4300 🎁 |
Usama Varikkottil (@usama_dev) |
- |
Account takeover, Privilege escalation, 403 bypass, IDOR |
$4,300 |
08/29/2021 |
How MarkMonitor left >60,000 domains for the taking |
Ian Carroll (@iangcarroll) |
- |
Subdomain takeover |
- |
08/29/2021 |
Hunting for XSS with CodeQL |
Daniel Santos (@bananabr) |
GitLab |
XSS |
$500 |
08/29/2021 |
What would you do if Oracle’s mailing server sent you this? |
I am Broot |
Oracle |
HTML injection |
- |
08/29/2021 |
ATO of WordPress Website “4 digits €€€€ Bounty in 5 Minute!” |
Ritesh Gohil (@RiteshG37659480) |
- |
Exposed registration page, Account takeover |
- |
08/29/2021 |
Information disclosure via api misconfiguration |
Rizwan_siddiqui (@Rizwan_SiDdiqu1) |
- |
Information disclosure |
- |
08/29/2021 |
Bug Bounty: “My Remote Code Execution” |
0xJin (@0xJin) |
- |
Default credentials, RCE |
- |
08/29/2021 |
Cache Poisoning via SelfXSS + Path Parameter |
ElMahdi Mrhassel (@ElMrhassel) |
- |
XSS, Web cache poisoning |
- |
08/28/2021 |
SSRF External Service Interaction for Find Real IP CloudFlare and Leads to SQL Injection |
Caesar Evan Santoso |
- |
WAF bypass, SSRF, SQL injection |
- |
08/28/2021 |
Exploiting Devops -Leak Source codes |
Shivbihari Pandey (@ninja_pandit_) |
- |
Information disclosure |
- |
08/28/2021 |
How I Scored 2K Bounty via an IDOR |
Sicksec (@OriginalSicksec) |
Mail.ru |
IDOR |
$2,000 |
08/27/2021 |
How did I earned 6000$ from tokens and scopes in one day |
Corraldev (@javier_corralg) |
- |
Authorization flaw, Privilege escalation |
$6,000 |
08/27/2021 |
ChaosDB: Critical Vulnerability in Microsoft Azure Cosmos DB |
Nir Ohfeld (@nirohfeld) & Sagi Tzadik (@sagitz_) |
Microsoft |
Account takeover, Local Privilege escalation |
$40,000 |
08/26/2021 |
Oauth client secret leak and possible IDOR leading to PII Disclosure |
Monke & Bend Theory (@bendtheory) |
- |
IDOR, OAuth flaw, Information disclosure |
- |
08/26/2021 |
Reflective XSS via search box [Bypassing Cloudflare WAF]. |
Friendly (@SkeletorKeys) |
- |
Reflected XSS |
- |
08/26/2021 |
‘Websocket Hijacking’ to steal Session_ID of victim users |
Sunil Yedla (@sunilyedla2) |
- |
Cross-Site WebSocket Hijacking (CSWH) |
- |
08/25/2021 |
Pwn2Own Vancouver 2021 :: Microsoft Exchange Server Remote Code Execution |
Steven Seeley (@steventseeley) |
Microsoft |
RCE, MiTM |
- |
08/25/2021 |
Business Logic Ratings Bug |
Maxwell Dulin (@Dooflin5) |
- |
Logic flaw |
- |
08/25/2021 |
Retrieve Archived Stories Of Any Public Instagram Account. |
Naveen |
Facebook (Instagram) |
IDOR, GraphQL bug |
$0 (Duplicate) |
08/25/2021 |
Vulnerability in Bumble dating app reveals any user’s exact location |
Robert Heaton (@RobJHeaton) |
Bumble |
Information disclosure, Logic flaw |
$2,000 |
08/25/2021 |
The Nomulus rift |
Imre Rad (@ImreRad) |
Google |
Insecure deserialization |
- |
08/25/2021 |
“How Companies Need to Widen There Scopes” |
amnotacat |
- |
RCE, Components with known vulnerabilities |
- |
08/25/2021 |
How I found a primitive but critical broken access control vulnerability in YouTrack (CVE-2020–24618) |
Yurii Sanin (@SaninYurii) |
JetBrains |
Information disclosure |
- |
08/25/2021 |
One Endpoint, Two Account Takeovers |
Yashar Shahinzadeh (@YShahinzadeh) |
- |
Account takeover |
- |
08/24/2021 |
[$5K] Misconfigured Reset password that leads to Account Takeover (No user Interaction ATO) |
Aditya Sharma (@Assass1nmarcos) |
- |
Account takeover, Password reset flaw, Information disclosure |
$5,000 |
08/24/2021 |
How i was able to steal private files of any user on Larksuite |
Imran Nissar (@Imrannissar3) |
- |
IDOR |
- |
08/24/2021 |
By Design: How Default Permissions on Microsoft Power Apps Exposed Millions |
UpGuard Team (@upguard) |
Microsoft |
Information disclosure |
- |
08/23/2021 |
Hey Google ! - Delete my Data Properly — #GoogleVRP |
Sriram Kesavan (@sriramoffcl) |
Google |
Logic flaw |
- |
08/23/2021 |
Zoom RCE from Pwn2Own 2021 |
Thijs Alkemade & Daan Keuper |
Zoom |
RCE, Memory corruption bug |
$200,000 |
08/23/2021 |
Server Side Request Forgery with huge impact in production application |
Gökhan Güzelkokar (@gkhck_) |
- |
SSRF |
- |
08/23/2021 |
Story Of Unexpected Bugs |
Neh Patel |
- |
IDOR, XSS |
- |
08/22/2021 |
MonkeyType.com Stored Cross-Site Scripting |
Tyle Butler (@tbutler0x90) |
MonkeyType.com |
Stored XSS, Authentication bypass, IDOR |
$40 |
08/22/2021 |
How I was able to get 1000$ bounty from a ds-store file? |
Khaled Mohamed (@0xElkomy) |
- |
Information disclosure, Debugging enabled |
€1,000 |
08/21/2021 |
Playing With s3 Leaks |
Aswin Thambi Panikulangara (@r0074g3n7) |
- |
AWS misconfiguration |
- |
08/21/2021 |
How I found my first Subdomain Takeover vulnerability |
Monish Basaniwal |
- |
Subdomain takeover, CSRF |
€375 |
08/20/2021 |
How I got RCE In The World Largest Russian Company |
Sicksec (@OriginalSicksec) |
Mail.ru |
RCE |
- |
08/20/2021 |
Disclose WhatsApp Number of Instagram Accounts Despite Setting Set to be Hidden |
Naveen (@NaveenHax) |
Meta / Facebook |
Information disclosure, Logic flaw |
$1,000 |
08/19/2021 |
Account Takeover via Access Token Leakage |
Tuhin Bose (@tuhin1729_) |
- |
IDOR, Information disclosure, Account takeover |
- |
08/19/2021 |
From Pwn2Own 2021: A New Attack Surface On Microsoft Exchange - Proxyshell! |
Orange Tsai (@orange_8361) |
Microsoft |
RCE, Privilege escalation |
$200,000 |
08/18/2021 |
How to Hack Apple ID |
Zemnmez (@zemnmez) |
Apple |
XSS, Account takeover |
$10,000 |
08/17/2021 |
Confirming any new Email Address bug in Facebook (Part-4) |
Lokesh Kumar (@lokeshdlk77) |
Meta / Facebook |
Rate-limiting bypass |
$3,449 |
11/04/2020 |
Dangling DNS: Announcekit |
Mohamed Elbadry (@_melbadry9) |
- |
Subdomain takeover |
- |
08/16/2021 |
Two weeks of securing Samsung devices: Part 2 |
Oversecured (@OversecuredInc) |
Samsung |
Arbitrary file write, Arbitrary file read, Vulnerable Android content provider |
$18,040 |
08/16/2021 |
CVE-2021-22929 – Brave Browser 1.27 and below permanently logs the server connection time for all v2 tor domains to ~/.config/BraveSoftware /Brave-Browser/tor/data/tor.log |
sickcodes (@sickcodes) |
Brave Software |
Privacy issue, Information disclosure |
$400 |
08/16/2021 |
A Bug’s Life: CVE-2021-21225 & Exploiting CVE-2021-21225 and disabling W^X |
Brendon Tiszka (@btiszka) |
Google |
Browser bug |
$22,000 |
08/16/2021 |
Why u should use burp to test Path Traversal Vulnerability and also get RXSS |
Yasser Mohammed (@boomneroli) |
- |
Path traversal, XSS, CSRF, Account takeover |
$700 |
08/16/2021 |
Second Order Subdomain Takeovers – They DO Exist! |
Alun Jones (@ftp_alun) |
Microsoft |
Subdomain takeover, Broken link hijacking |
- |
08/15/2021 |
1st Bug Bounty WriteUp: Open Redirect To XSS on Login Page |
Nassim Chami (@nvccim) |
- |
Open redirect, XSS |
- |
08/15/2021 |
Simple HTML Injection to $250 |
Ahmad Halabi (@Ahmad_Halabi_) |
- |
Account takeover, Mass assignment |
$600 |
08/14/2021 |
Finding multiple SSRF with aws metadata access on A BANK system |
Santosh Kumar Sha (@killmongar1996) |
- |
SSRF |
- |
08/14/2021 |
Bypass Google Captcha+Parameter Pollution Leads to send email to any user on behalf of “Organization” with any desired content |
viral bhatt (@viralbhatt100) |
- |
HTTP Parameter Pollution, Captcha bypass |
- |
08/14/2021 |
Facebook Bug:Invite user to Like a Page even after they decline the Page Like Invite |
Circle Ninja (@circleninja) |
Meta / Facebook |
Logic flaw |
$0 (Informative) |
08/14/2021 |
How we was able to takeover whole organization via Privilege Escalation |
Yasser Mohammed (@boomneroli) |
- |
Privilege escalation, Authorization flaw |
$500 |
08/13/2021 |
How I found read/write access to the personal data of 3 million users of an E-commerce website? |
Prashant Singh / SecGeek_one0one |
- |
IDOR |
- |
08/13/2021 |
Blind SSRF in URL Validator |
Yash Kandekar (@Neutron__) |
- |
Blind SSRF |
- |
08/12/2021 |
Taking Over Employee Accounts by Managers with Zero Employee Interaction |
Chaitanya Rajhans (@Chaitanya_024) |
- |
HTML injection |
$250 |
08/12/2021 |
How I Bought a £240.00 Annual Subscription for Bargain £0.01 |
Craig Hays (@craighays) |
- |
Payment tampering, Logic flaw |
- |
08/11/2021 |
OVE-20210809-0001 Visual Studio Code .ipynb Jupyter Notebook XSS (Arbitrary File Read) |
Justin Steven (@justinsteven) |
Microsoft |
XSS |
$0 (OOS) |
08/11/2021 |
Multiple Vulnerabilities In cPanel/WHM |
Adrian Tiron (@adrian__t) |
cPanel |
XXE, Stored XSS, Privilege escalation, CSRF, Cross-Site WebSocket Hijacking (CSWH) |
- |
08/10/2021 |
Fuzzing + IDOR = Admin TakeOver |
Gonzalo Carrasco (@0xCGonzalo) |
- |
IDOR, Account takeover |
- |
08/09/2021 |
What is BOLA? 3-digit bounty from Topcoder ($$$) |
can1337 (@canmustdie) |
Topcoder |
IDOR |
- |
08/09/2021 |
CVE-2021-25738 |
Jordy Versmissen / J0VSEC (@j0v0x0) |
Kubernetes |
RCE |
$1,000 |
08/07/2021 |
CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation Of Privilege (EOP) |
bohops (@bohops) |
Intel |
Local Privilege Escalation |
- |
08/07/2021 |
Size Matters — CVE-2021–0485 (High) |
+Ch0pin (@Ch0pin) |
Google (Android) |
Local Privilege Escalation |
- |
08/07/2021 |
Access to CrowdTangle Deletion Framework API |
Philippe Harewood (@phwd) |
Meta / Facebook |
Authorization flaw, GraphQL bug |
- |
08/07/2021 |
View the country of a private Instagram User |
Philippe Harewood (@phwd) |
Meta / Facebook |
Information disclosure |
$0 (Informative) |
08/07/2021 |
Access to CrowdTangle Deletion Framework API |
Philippe Harewood (@phwd) |
Meta / Facebook |
Information disclosure, Logic flaw, GraphQL bug |
$0 (Informative) |
08/07/2021 |
Do you like to read? I can take over your Kindle with an e-book |
Slava Makkaveev |
Amazon |
Memory corruption bug, RCE, Local Privilege Escalation |
- |
08/06/2021 |
Account Takeover (User + Admin) Via Password Reset |
Hemant Patidar (@HemantSolo) |
- |
Account takeover, Password reset flaw, Logic flaw |
$200 |
08/05/2021 |
PostMessage Xss vulnerability on private program |
Youghourta Ghannei (@YoughartaG) |
- |
XSS, postMessage bug |
- |
08/03/2021 |
How the use of hidden form fields lead to Email verification bypass |
Yash Swarup (@wazirsec) |
- |
Email verification bypass, Client-side enforcement of server-side security |
- |
08/03/2021 |
Detecting Jackson deserialization vulnerabilities with CodeQL |
Artem Smotrakov (@artem_smotrakov) |
GitHub |
Insecure deserialization |
$4,500 |
08/02/2021 |
Facebook Messenger for android indirect thread deletion vulnerability. |
Rahul Kankrale (@RahulKankrale) |
Meta / Facebook |
Insecure deeplink |
- |
08/02/2021 |
how to be popular |
yan (@bcrypt) |
OkCupid |
CSRF, Type confusion |
- |
08/02/2021 |
CVE-2020–15823: Server-Side Request Forgery (SSRF) in JetBrains YouTrack |
Yurii Sanin (@SaninYurii) |
JetBrains |
SSRF |
- |
08/02/2021 |
~/BugBounty/IDOR/”How I was able to exfiltrate any user’s credit coupons” |
Jai Sharma (@ja1sharma) |
- |
IDOR |
- |
08/02/2021 |
Privilege Escalation | stealing user’s point | Bugcrowd |
Abhind Abhi |
- |
IDOR, Privilege escalation |
- |
08/02/2021 |
Tale of XSS in Angular |
Sicksec (@OriginalSicksec) |
- |
Reflected XSS |
- |
08/02/2021 |
Blind XXE Leads to Internal Port Scanning Through SSRF |
Sam Paredes (@caffeinevulns) |
- |
XXE, SSRF |
- |
08/01/2021 |
Multi Domain DOM Cross Site Scripting |
Sam Paredes (@caffeinevulns) |
- |
DOM XSS |
- |
08/01/2021 |
The journey from Google Honorable Mention to Hall of Fame. |
Akash basnet (@noneofyou007) |
Google |
Referer leakage, Information disclosure, Password reset flaw |
- |
08/01/2021 |
Missing permission check for Facebook gaming community invites |
Philippe Harewood (@phwd) |
Meta / Facebook |
Information disclosure, Authorization flaw |
- |
08/01/2021 |
Bug Bounty Stories #1: Tale of CSP bypass in an electron app! |
SecurityGOAT (@RuntimeSecurity) |
- |
CSP bypass |
- |
07/31/2021 |
From Hobby to Hacking |
Muhammad Syahrul Haniawan (@b0x_in) |
- |
Unrestricted file upload, RCE, Lack of authentication |
- |
07/31/2021 |
How I escalate my Self-Stored XSS to Account Takeover with the help of IDOR |
Jefferson Gonzales (@gonzxph) |
- |
Self-XSS, IDOR, Account takeover |
- |
07/31/2021 |
How I bypassed website using Akamai waf |
Yusif Cəfərov (@yusifceferov_) |
- |
XSS |
- |
07/31/2021 |
Facebook Vulnerability: Expose Group Member — $3000 |
Muhammad Sholikhin (@MuhammadLikhin) |
Meta / Facebook |
IDOR |
$3,000 |
07/30/2021 |
XXE in Public Transport Ticketing Mobile APP |
Nikhil (niks) (@niksthehacker) |
- |
XXE, RCE |
- |
07/30/2021 |
Account takeover via stored xss |
vikram naidu (@ImVikram7msd) |
- |
Stored XSS |
$1,000 |
07/30/2021 |
Google Bug Bounty: $500 worth client-side DoS on Google Keep |
Tommaso De Ponti (@heytdep) |
Google |
Application-level DoS |
$500 |
07/30/2021 |
Gaining Access To GCP Of Google Stadia — 500$ Bounty |
Sebastien Kaul |
Google |
Information disclosure |
$500 |
07/29/2021 |
How I found my first IDOR in HackerOne |
N1GHTMAR3 (@n1ghtmar3_2421) |
- |
IDOR |
- |
07/29/2021 |
How I could have hacked your medium account by phishing your FB, Twitter & Google credentials. |
Renganathan (@IamRenganathan) |
Medium |
Open redirect, OAuth flaw |
- |
07/29/2021 |
Chaining Open Redirect with XSS to Account Takeover |
Radian ID |
- |
Open redirect, XSS, Account takeover |
- |
07/29/2021 |
How I earned \(\) by Amazon S3 Bucket misconfigurations? |
Abdullah Mohamed (@3bodymo_) |
- |
AWS misconfiguration, Subdomain takeover |
- |
07/29/2021 |
Information Disclosure to Account Takeover |
Sunil Yedla (@sunilyedla2) |
- |
Information disclosure, OAuth flaw, Account takeover, Authentication bypass |
- |
07/28/2021 |
Pre-Auth RCE in Moodle Part I - PHP Object Injection in Shibboleth |
Johannes Moritz & Robin Peraglie |
Moodle |
RCE, PHP Object Injection |
- |
07/27/2021 |
XSS-Special-Cases: XSS That Works only in mobile Devices |
0xdln (@0xdln) |
- |
XSS |
- |
07/27/2021 |
Abusing JSON Web Token to steal accounts — 3000$ |
Filipe Azevedo (@filipaze_) |
- |
IDOR |
$3,000 |
07/27/2021 |
Telegram Report: SSRF leads to DOS attack [Reports that didn’t make it] |
Philippe Delteil (@PhilippeDelteil) |
Telegram |
SSRF, DoS |
- |
07/27/2021 |
XXE Case Studies |
cinzinga (@cinzinga_) |
- |
XXE |
- |
07/26/2021 |
Apple Hall Of Fame for a Small Misconfiguration || Unauth Cache Purging |
Prajit Sindhkar (@PrajitSindhkar) |
Apple |
Unauthenticated cache purge |
$0, HoF |
07/26/2021 |
Mattermost Server v5.32 > v5.36 Reflected XSS in OAuth flow |
zi0Black (@zi0Black) |
Mattermost |
Reflected XSS, OAuth flaw |
$900 |
07/26/2021 |
Bug Chain leads to Mass Account Takeover! |
Shubhayu Majumdar (@shubhayu64) |
- |
Information disclosure, Password reset flaw, Account takeover |
- |
07/26/2021 |
Easy Bounty With Exposed Buckets & Blobs |
mr.d0x (@mrd0x) |
- |
Misconfigured cloud storage |
$1,450 |
07/26/2021 |
How I found a bug in Apple within just in 5min. |
Akash basnet (@noneofyou007) |
Apple |
XSS |
- |
07/25/2021 |
Not valid bug that leads to us a multiple Valid Report in Facebook |
Kent Jarold Abulag (@wkemenhehehegsg) |
Meta / Facebook |
Information disclosure |
$1,000 |
07/25/2021 |
eBay XSS demo and guide to spear phishing |
MLT (@0dayWizard) |
Ebay |
XSS |
- |
07/24/2021 |
How I Found Multiple Bugs On FaceBook In 1 Month And a Part For My Methodology & Tools |
Orwa Atyat (@GodfatherOrwa) |
Meta / Facebook |
SSTI, SQL injection, Authentication bypass, Privilege escalation, Reflected XSS |
- |
07/23/2021 |
Story OF MY 3RD Bounty From Facebook |
Aashish Jung Kunwar (@WhoisAasis) |
Meta / Facebook |
Irremovable users, Logic flaw |
$500 |
07/23/2021 |
FragAttacks |
Mathy Vanhoef (@vanhoefm) |
The Internet |
Wifi vulnerability |
$750 |
07/23/2021 |
Pre-Account Takeover by Reversing a Weak Email Verification Token Algorithm |
Craig Hays (@craighays) |
- |
Weak crypto |
- |
07/22/2021 |
Unauthenticated Access To MongoDB Database of Oracle Corporation |
Pratikkhalane (@KhalanePratik) |
Oracle |
Lack of authentication, Exposed administrative interface |
- |
07/22/2021 |
Escalating Self-XSS To Stored XSS via Image injection + IDOR |
Demon (@R29k_) |
- |
Self XSS, Stored XSS, IDOR |
- |
07/21/2021 |
Guest Blog Post - Attacking the DevTools |
David Erceg (@david_erceg) |
Microsoft |
Browser bug |
$36,000 |
07/21/2021 |
XSS-Through-Fuzzing-Default-IIS |
0xdln (@0xdln) |
- |
Reflected XSS |
- |
07/20/2021 |
How I was able Find mass leaked AWS s3 bucket from js File |
Santosh Kumar Sha (@killmongar1996) |
- |
AWS misconfiguration |
- |
07/20/2021 |
Hacking Xiaomi’S Android Apps - Part 1 |
Ameya (@iamTakeMyHand) |
Xiaomi |
Android app bug, Information disclosure, Open redirect, Privacy issue |
- |
07/19/2021 |
How I Bypassed a tough WAF to steal user cookies using XSS! |
Asem Eleraky (@melotover) |
- |
XSS, WAF bypass |
- |
07/19/2021 |
Facebook Vulnerability: $1500 for Removing Document Cover |
Muhammad Sholikhin (@MuhammadLikhin) |
Meta / Facebook |
Authorization flaw, IDOR |
$1,500 |
07/18/2021 |
Account Takeover + A Bonus Vulnerability |
Vikash Maurya |
- |
Account takeover, Session fixation |
- |
07/18/2021 |
RCE via WebDav - Power Of PUT |
Jerry Shah (@Jerry) |
- |
Default credentials, RCE |
- |
07/18/2021 |
IIS-Default-Page-to-Information-Disclosure |
0xdln (@0xdln) |
- |
Information disclosure |
- |
07/17/2021 |
Remote code execution in cdnjs of Cloudflare |
RyotaK (@ryotkak) |
Cloudflare |
RCE, Path traversal |
- |
07/16/2021 |
Logical Flaw Resulting Path Hijacking |
Veshraj Ghimire (@GhimireVeshraj) |
- |
Namespace attack |
- |
07/16/2021 |
How i was able to bypass Cloudflare for XSS! |
hosein vita (@HoseinVita) |
- |
XSS |
- |
06/16/2021 |
RFD Vulnerability And Content-Disposition Header Bypass Story! |
Kabilan S (@kabilan1290) |
- |
Reflected File Download |
- |
07/14/2021 |
Stored XSS in Google Doubleclick Studio [Google Research Grant] |
Jasminder Pal Singh (@Singh_Jasminder) |
Google |
Stored XSS |
$0 |
07/14/2021 |
How I found Blind SQL Injection just by browsing and getting a unique URL |
Jawad Mahdi (@hunter0x1) |
- |
SQL injection |
- |
07/14/2021 |
Credential stuffing in Bug bounty hunting |
Valeriy Shevchenko (@Krevetk0Valeriy) |
- |
Credential stuffing |
$8,300 |
07/14/2021 |
($380) XSS STORED in Bigo Bug Bounty Program |
Aidil Arief |
Bigo |
XSS |
$380 |
07/14/2021 |
Forced Browsing to Access Admin Panel |
the_unluck_guy (@7he_unlucky_guy) |
- |
Forced browsing |
- |
07/13/2021 |
Unencrypted HTTP Links to Google Scholar in Search |
David Schütz (@xdavidhu) |
Google |
MiTM |
- |
07/13/2021 |
Part 2: Dive into Zoom Applications |
Rakesh Thodupunoori (@rakesh_3895) |
Zoom |
CSRF, Account takeover, Information disclosure, Session expiration issue, Authorization bug, Logic flaw |
- |
07/13/2021 |
Apple Security Bounty: A personal experience |
Nicolas Brunner |
Apple |
Permission issue, iOS bug |
$0 |
07/13/2021 |
Broken Access control bug : Bypassing 403’s by finding another endpoint that do the same thing. |
tomorrowisnew (@tomorrowisnew_) |
- |
Broken Access Control, 403 bypass |
- |
07/12/2021 |
Trick to bypass rate limit of password reset functionality |
Abdulrahman-Kamel |
- |
Rate limiting bypass |
- |
07/12/2021 |
Pre-Denial Of Service (set-up 2FA on unverified account) |
Vikash Maurya |
- |
Application-Level DoS |
- |
07/11/2021 |
Critical Bug Bounty Reports: Part 1 |
Greg Gibson |
- |
Account takeover, Password reset flaw, RCE, Information disclosure |
- |
07/11/2021 |
Reflected XSS Through Insecure Dynamic Loading |
Greg Gibson |
- |
XSS |
- |
07/11/2021 |
Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer |
Sam Curry (@samwcyo) |
Chess.com |
Broken link hijacking |
- |
07/10/2021 |
Account Takeovers — Believe the Unbelievable |
Nikhil (niks) (@niksthehacker) |
- |
Account takeover, Session management flaw, Weak credentials, Components with known vulnerabilities, Password reset flaw |
$5,751 |
07/09/2021 |
Facebook Email/phone disclosure using Binary search |
Rikesh Baniya / NotRickyy (@rikeshbaniya) |
Meta / Facebook |
Password reset flaw, Information disclosure, Bruteforce |
- |
07/09/2021 |
Discovering Zero-Day Vulnerabilities in McAfee Products |
mr.d0x (@mrd0x) |
McAfee |
Local Privilege Escalation |
- |
07/09/2021 |
IDOR on clientauthconfig.googleapis.com |
David Schütz (@xdavidhu) |
Google |
IDOR |
$0 (Won’t fix) |
07/08/2021 |
CVE-2021-22555: Turning \x00\x00 into 10000$ |
Andy Nguyen (@theflow0) |
Google |
Memory corruption bug, Local Privilege Escalation |
$10,000 |
07/07/2021 |
Mass Assignment exploitation in the wild – Escalating privileges in style |
Gal Nagli (@naglinagli) |
- |
Mass assignment, Privilege escalation |
- |
07/07/2021 |
Let’s cancel the subscription (informative) |
Adnan Malik (@adnanmalikinfo) |
- |
Logic flaw, Payment tampering |
$0 (Informative) |
07/07/2021 |
Kaspersky Password Manager: All your passwords are belong to us |
Jean-Baptiste Bédrune |
Kaspersky |
Weak crypto |
- |
07/06/2021 |
Exploiting Auto-save Functionality To Steal Login Credentials |
Saad Ahmed (@XSaadAhmedX) |
- |
HTML injection |
- |
07/06/2021 |
Blind XSS in Apple School- Enrollment Data Disclosure |
hackrzvijay (@hackrzvijay) |
Apple |
Blind XSS |
$5,000 |
07/05/2021 |
View Other User Private Livestream Data |
Geva (@Geva_7) |
Meta / Facebook |
IDOR |
- |
07/03/2021 |
Bulletin.com email address leak |
Philippe Harewood (@phwd) |
Meta / Facebook |
Information disclosure, GraphQL bug |
$3,750 |
07/02/2021 |
How We Are Able To Hack Any Company By Sending Message – $20,000 Bounty [CVE-2021–34506] |
Vansh Devgan (@Th3Pr0xyB0y) & Shivam Kumar Singh (@MrRajputHacker) |
Microsoft |
UXSS |
$20,000 |
06/30/2021 |
Testing Cookies worth $500 |
Sankalpa Acharya (@sankalpa_02) |
- |
Account takeover, IDOR |
$500 |
06/30/2021 |
Finding DOM Polyglot XSS in PayPal the Easy Way |
Gareth Heyes (@garethheyes) |
Paypal |
DOM XSS, CSP bypass |
- |
06/30/2021 |
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) |
Michael Stepankin (@artsploit) |
- |
RCE, Insecure deserialization |
- |
06/29/2021 |
gcp-dhcp-takeover-code-exec |
Imre Rad (@ImreRad) |
Google |
DHCP flood, VM takeover |
- |
06/28/2021 |
How I found my first Chrome bug (CVE-2021–21210) |
Daniel Santos |
Google (Chrome) |
NAT Slipstreaming |
- |
06/28/2021 |
Diving into Dependabot along with a bug in npm |
tyage (@tyage) |
GitHub |
SSRF, RCE |
$8,117 |
06/27/2021 |
Taking over Uber accounts through voicemail |
Shubham Shah (@infosec_au) |
Uber |
Account takeover |
$0 (Informative) |
06/27/2021 |
Misconfigured $3 Bucket - A Semi Opened Environment |
Yukesh Kumar (@3th1c_yuk1) |
Redbull |
AWS misconfiguration |
N/A (VDP) |
06/27/2021 |
Escalating XSS to Arbitrary File Read |
Pethuraj (@Pethuraj) |
- |
XSS, LFI |
- |
06/27/2021 |
Oversightboard.com site-wide CSRF due to missing checking |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
CSRF |
$500 |
06/27/2021 |
Disclose unconfirmed email/phone of a Facebook user |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure |
$500 |
06/27/2021 |
Some ways to find more IDOR |
Thái Vũ (@thaivd98) |
- |
IDOR |
- |
06/26/2021 |
Gaining access to protected components |
Mehtab Zafar (@0xmzfr) |
- |
Vulnerable Android content provider |
- |
06/25/2021 |
From Information Disclosure to interesting Privilege Escalation |
David Shaul (@dudy2kk) |
- |
Information disclosure, Account takeover, Privilege escalation |
- |
06/25/2021 |
PII Leakage - Revealing Secrets |
Jerry Shah (@Jerry) |
- |
Information disclosure |
- |
06/25/2021 |
A supply-chain breach: Taking over an Atlassian account |
Dikla Barda, Yaara Shriki, Roman Zaikin (@R0m4nZ41k1n) & Oded Vanunu (@Od3dV) |
Atlassian |
XSS, CSRF |
- |
06/24/2021 |
Flywheel Subdomain Takeover |
Smaran Chand (@smaranchand) |
- |
Subdomain takeover |
- |
06/24/2021 |
MSRC is confused! 😕 |
Ricardo Iramar dos Santos (@ricardo_iramar) |
Microsoft |
Dependency confusion |
$0 |
06/24/2021 |
Microsoft Store free purchase vulnerabilities |
Marlon Fabiano (@astrounder) |
Microsoft |
Payment tampering, Logic flaw |
- |
06/24/2021 |
Three Microsoft Store vulnerabilities |
Marlon Fabiano (@astrounder) |
Microsoft |
Payment tampering, Logic flaw |
- |
06/24/2021 |
How i was able to get Appreciation from the organization of a website just by changing a sign..!!! |
Fardeen Ahmed (@fardeenahmed411) |
- |
Information disclosure, Source code disclosure |
- |
06/23/2021 |
Generate online votes using Race Condition Vulnerability in Woobox Web Application (Write Up) |
Evan Ricafort (@evanricafort) |
Woobox |
Race condition |
- |
06/23/2021 |
Cracking Encrypted Credit Card Numbers Exposed By API |
Craig Hays (@craighays) |
- |
Information disclosure, Weak crypto |
- |
06/22/2021 |
Stored XSS via Invite leading to Mass Account Takeover at Opera. |
Samrat Gupta (@Sm4rty_) |
Opera |
Stored XSS |
- |
06/20/2021 |
Unprivileged User with Read/Write permission to User Access can escalate their role to ADMIN — Privilege Escalation |
Ertugrul Ozdemir (@ertugrulphp) |
- |
Privilege escalation |
- |
06/20/2021 |
How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It |
Laxman Muthiyah (@laxmanmuthiyah) |
Apple |
Account takeover, 2FA bypass, Rate-limiting bypass, Race condition |
$18,000 |
06/19/2021 |
Full Local File Read via Error Based XXE using XLIFF File |
pwn.vg / Tomi (@mastomii) |
- |
XXE |
- |
06/19/2021 |
Zero Click account Takeover |
Zahir Tariq (@ZahirTariq3) |
- |
Account takeover, Password reset flaw |
- |
06/19/2021 |
Exploiting File Upload Functionality in Unique Way. |
Rohit Soni |
- |
Unrestricted file upload |
- |
06/19/2021 |
Accessing Restricted Documents With Extra JSON Body Content |
Imran Huda (@imranHudaA) |
- |
Mass-assignment, Authorization flaw |
$500 |
06/18/2021 |
Account takeover via stored XSS with arbitrary file upload |
0xbadb00da (@0xbadb00da) |
- |
Insecure file upload, XSS, Account takeover |
- |
06/18/2021 |
M1 Macs GateKeeper bypass aka CVE-2021-30658 |
Wojciech Reguła (@_r3ggi) |
Apple |
Local Privilege Escalation |
- |
06/18/2021 |
How We Are Able To Hack Any Company By Sending Message - $20,000 Bounty [CVE-2021–34506] & Video PoC |
Th3Pr0xyB0y (@Th3Pr0xyB0y) & Shivam Kumar Singh (@MrRajputHacker) |
Microsoft |
Universal XSS |
$20,000 |
06/17/2021 |
HTML Injection and a dream in Google Chrome for Linux (Write Up) |
Evan Ricafort (@evanricafort) |
Google |
HTML injection |
$0 (Informative) |
06/17/2021 |
Crashing your LinkedIn app with a connection request. |
Renganathan (@IamRenganathan) |
LinkedIn |
Application-Level DoS |
- |
06/17/2021 |
Why dynamic code loading could be dangerous for your apps: a Google example |
Oversecured (@OversecuredInc) |
Google |
Arbitrary file write, Insecure intents |
- |
06/17/2021 |
Part-1 Dive into Zoom Applications |
Rakesh Thodupunoori (@rakesh_3895) |
Zoom |
CSRF, Payment bypass, Logic flaw, Account takeover, Privilege escalation |
$22,000 |
06/16/2021 |
Story of Google Hall of Fame and Private program bounty worth $$$$ |
Basavaraj Banakar (@basu_banakar) |
Google |
Exposed registration page |
- |
06/16/2021 |
One-click DOS via Response Manipulation |
Akhil |
- |
Logic flaw |
- |
01/16/2021 |
Authentication Bypass | Easy P1 in 10 minutes |
Anirudh Makkar (@anirudhmakkar) |
- |
Authentication bypass, Forced browsing |
- |
06/16/2021 |
This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them |
Mayur Fartade (@mayurfartade) |
- |
IDOR, GraphQL bug |
$30,000 |
06/15/2021 |
Importance of burp history analysis to bypass 403 |
Vuk Ivanovic |
- |
403 bypass |
- |
06/15/2021 |
Exploiting outdated Apache Airflow instances & Blast Radius: Apache Airflow Vulnerabilities |
Ian Carroll (@iangcarroll) |
- |
Session management flaw |
$13,000 |
06/14/2021 |
Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs |
Evan Grant (@stargravy) |
Microsoft |
postMessage bug, Token theft |
- |
06/14/2021 |
Blind Command Injection - It hurts |
Jerry Shah (@Jerry) |
- |
Command injection, RCE |
- |
06/14/2021 |
An exciting journey to find SSRF, Bypass Cloudflare, and extract AWS metadata! |
hosein vita (@HoseinVita) |
- |
SSRF |
- |
06/13/2021 |
User’s location disclosure in the “Nearby Friends” feature. $15,500 Bounty |
Yavor Rusev / Явор Русев |
Meta / Facebook |
Information disclosure |
$15,500 |
06/13/2021 |
[Google VRP] Privilege escalation on https://dialogflow.cloud.google.com |
lalka (@0x01alka) |
Google |
Authorization flaw, Logic flaw |
$3,133.70 |
06/13/2021 |
Story of Account Takeover : Using Social Login with Mass Assignment Vulnerability to hack accounts ! |
Mohammad Kaif |
- |
Mass assignment, Account takeover |
- |
06/13/2021 |
How I found the silliest logical vulnerability for $750 that no one found for 3 years |
Sina Kheirkhah (@Sin_Khe) |
- |
Logic flaw |
$750 |
06/12/2021 |
How I was able to bypass the admin panel without the credentials. |
Pratikkhalane (@KhalanePratik) |
- |
Information disclosure |
$500 |
06/12/2021 |
Bypassing 2FA using OpenID Misconfiguration |
Youstin (@iustinBB) |
- |
2FA bypass, Authentication flaw |
- |
06/11/2021 |
Two weeks of securing Samsung devices: Part 1 |
Oversecured (@OversecuredInc) |
Samsung |
Arbitrary file write, Insecure intents |
$20,690 |
06/10/2021 |
Second Order Race Condition |
Prasoon Gupta (@0xdekster) |
- |
Race condition |
$1,000 |
06/10/2021 |
Unexpected IDOR Vulnerability in [REDACTED] - [redacted].net (Write Up) |
Evan Ricafort (@evanricafort) |
- |
IDOR |
$2 |
06/10/2021 |
Author spoofing in Google Colaboratory |
Zohar Shachar |
Google |
Logic flaw |
$500 |
06/09/2021 |
How i was able to bypass parental pin of showmax |
abdoul gadiri balde (@moodiAbdoul) |
Showmax |
Authorization flaw |
- |
06/09/2021 |
Story of my first cash bounty on hackerone. |
Vedant Tekale (@_justYnot) |
- |
SSRF, XSS |
- |
06/07/2021 |
How I could have accessed all your private videos/photos saved inside your device without even unlocking it? |
Samip Aryal |
Meta / Facebook |
Authorization flaw, Logic flaw |
$3,150 |
06/06/2021 |
How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access |
Santosh Kumar Sha (@killmongar1996) |
- |
SSRF |
- |
06/06/2021 |
Shopify Multipass Misconfiguration |
Ahmed A. Sherif |
- |
Authentication flaw, Logic flaw |
- |
06/05/2021 |
Pop-Ups in a good-world |
Guilherme Keerok (@k33r0k) |
Imgur |
XSS |
- |
06/04/2021 |
Executing CSRF With Phone Validation |
Greg Gibson |
- |
CSRF |
- |
06/04/2021 |
403 Forbidden Bypass |
th3.d1p4k (@DipakPanchal05) |
- |
OTP bypass, Exposed registration page, XSS |
- |
06/04/2021 |
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #3 |
R ando (@Rando02355205) |
Google |
Broken Access Control |
- |
06/04/2021 |
Android: Exploring vulnerabilities in WebResourceResponse |
Oversecured (@OversecuredInc) |
Amazon |
Arbitrary file read |
- |
06/03/2021 |
Server Side Request Forgery - A Forged Document |
Jerry Shah (@Jerry) |
- |
SSRF, File upload bug |
$500 |
06/03/2021 |
Bypassing LFI (Local File Inclusion) |
Abhishek (@abhishake21) |
- |
LFI |
- |
06/03/2021 |
XSS in the AWS Console |
Nick Frichette (@frichette_n) |
Amazon |
XSS, CSP bypass, CSTI |
- |
06/02/2021 |
Exploiting Open Redirect - Whitelist Bypass Using Salesforce Environment |
Gaurav Nayak (@4auvar) |
- |
Open redirect, Token theft |
- |
06/02/2021 |
Escalating SSRF to Accessing all user PII information by aws metadata |
Santosh Kumar Sha (@killmongar1996) |
- |
SSRF |
- |
06/01/2021 |
CVE-2021-29084: Exploiting CRLF Header Injection in Synology NAS for Unauthenticated File Downloads |
Justin Taft |
Synology |
CRLF injection |
- |
06/01/2021 |
Facebook Page Admin Disclosure |
Kunjan Nayak (@kunjannayak5) |
Meta / Facebook |
Information disclosure |
$500 |
05/31/2021 |
AppCache’s forgotten tales |
Luan Herrera (@lbherrera_) |
Google (Chrome) |
Browser bug |
$10,000 |
05/31/2021 |
Escalating SSRF to Accessing all user PII information by aws metadata |
Santosh Kumar Sha (@killmongar1996) |
- |
SSRF |
- |
05/31/2021 |
runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465) |
Etienne Champetier / champtar |
Google |
Kubernetes bug, Container breakout |
- |
05/30/2021 |
Metadata service MITM allows root privilege escalation (EKS / GKE) |
Etienne Champetier / champtar |
Google |
Kubernetes bug, Privilege escalation, MiTM |
- |
05/30/2021 |
Account Takeover via iFrame Injection |
xbforce (@xbforce) |
- |
Iframe injection, Account takeover |
- |
05/29/2021 |
The beauty of chaining client-side bugs |
Master SEC (@MasterSEC_AR) |
- |
CRLF, XSS, CSP bypass, DoS, CSTI |
- |
05/29/2021 |
CafeBazaar and Subdomain Takeover |
Sina Kheirkhah (@Sin_Khe) |
CafeBazaar |
Subdomain takeover |
- |
05/29/2021 |
Github, The Goldmine for P1s and P2s - Sensitive Information Exposure via Github by a Company Employee |
Savir Suda (@savxiety) |
- |
Information disclosure |
- |
05/28/2021 |
Hey WAF! Better Luck Next Time! 👽 |
Akash Rox Starz |
- |
SQL injection |
- |
05/28/2021 |
How I hacked a Target again and again… |
Aditya Verma (@0cirius0) |
- |
OAuth bug, Account takeover, XSS, Broken Access Control |
- |
05/27/2021 |
Bypassing restricted port protection in WebKit |
David Schütz (@xdavidhu) |
Apple |
Browser bug |
- |
05/26/2021 |
GitLab Arbitrary File Read & Write through Kroki - CVE-2021-22203 |
Anh Duc Nguyen (@ledz1996) |
- |
Arbitrary file read |
$5,600 |
05/25/2021 |
Stored XSS with two different parameters |
Joel Cantu (@InfosecRintox) |
- |
Reflected XSS |
- |
05/25/2021 |
Patch Gapping a Safari Type Confusion |
Theori (@theori_io) |
Apple |
Memory corruption bug |
- |
05/25/2021 |
Chaining XSS with authentication issues to turn it into full account takeover |
N1GHTMAR3 (@n1ghtmar3_2421) |
- |
XSS, Account takeover |
- |
05/24/2021 |
Disclose leads form details of any Facebook Business Account or Facebook Page (Bug Bounty) |
Amine Aboud (@amineaboud) |
Meta / Facebook |
IDOR, GraphQL bug |
- |
05/23/2021 |
CORS misconfig that worths USD200 |
MikeChan |
- |
CORS misconfiguration |
$200 |
05/23/2021 |
Finding and Exploiting Unintended Functionality in Main Web App APIs |
Bend Theory (@bendtheory) |
- |
IDOR, Information disclosure, Privilege escalation |
$4,000 |
05/21/2021 |
Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$) |
Rohit kumar (@rohitcoder) |
Meta / Facebook |
Information disclosure |
$500 |
05/21/2021 |
CSRF from which we can create a support ticket in Victim’s Account (500$) |
Rohit kumar (@rohitcoder) |
Meta / Facebook |
CSRF |
$500 |
05/21/2021 |
How I turned 0000 into $600: Phone Verification Bypass |
Shrirang Diwakar |
- |
OTP bypass |
$600 |
05/21/2021 |
403 Forbidden Bypass |
th3.d1p4k (@DipakPanchal05) |
- |
403 bypass, Forced browsing |
- |
05/21/2021 |
Oculus SSO “Account Linking” bug leads to account takeover on third party websites and inside VR Games/Apps |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
SSO bug, Authentication flaw, Account takeover |
$12,000 |
05/20/2021 |
XSS via postMessage in chat.mozilla.org |
Guilherme Keerok (@k33r0k) |
Mozilla |
XSS, postMessage bug |
$500 |
05/20/2021 |
Third-Party Apps were still getting your private Facebook data even after their access expiry. |
Samip Aryal |
Meta / Facebook |
Logic flaw |
$1,000 |
05/20/2021 |
Writeups: Facebook Whitehat program(2021): Instagram Live setting bug |
Takashi Suzuki |
Meta / Facebook |
Logic flaw |
$537 |
05/20/2021 |
SSRF in PDF Renderer using SVG |
pwn.vg / Tomi (@mastomii) |
- |
SSRF |
$2,150 |
05/19/2021 |
Time-Based SQL Injection to Dumping the Database |
Naveen J (@thevillagehackr) |
- |
SQL injection, Android app bug |
- |
05/19/2021 |
Finding my First Critical Web Cache Poisoning |
Yasser Khan (@N3T_hunt3r) |
- |
Web cache poisoning |
- |
05/18/2021 |
Path Traversal in MobileSafari |
David Schütz (@xdavidhu) |
Apple |
Path traversal |
- |
05/18/2021 |
Drupal Insecure Default Leads To Password Reset Poisoning |
Bogdan Tiron (@Bogdan___T) |
Drupal |
Password reset flaw, Host header injection |
N/A (VDP) |
05/17/2021 |
Just Gopher It: Escalating a Blind SSRF to RCE for $15k |
SirLeeroyJenkins (@SirLeeroyJenkin) |
- |
SSRF, RCE |
$15,000 |
05/17/2021 |
Clickjacking in Nearby Devices Dashboard |
David Schütz (@xdavidhu) |
Google |
Clickjacking |
- |
05/17/2021 |
My Fourth Account takeover through password reset |
Omar Hamdy (@seaman00o) |
- |
Account takeover, Password reset flaw |
- |
05/17/2021 |
How i hijacked 12 Subdomains in one Program |
Naveen kumawat (@nvk0x) |
- |
Subdomain takeover |
- |
05/17/2021 |
Auth Bypass in https://nearbydevices-pa.googleapis.com |
David Schütz (@xdavidhu) |
Google |
Broken Access Control |
$5,000 |
05/16/2021 |
MSSQL Injection In JSON Request |
Kailash (@Corrupted_brain) |
- |
SQL injection |
- |
05/16/2021 |
Edmodo Bug Bounty Writeup |
Pethuraj (@Pethuraj) |
Edmodo |
XSS |
$0 (Duplicate) |
05/16/2021 |
2FA Bypass via Forced Browsing |
Akhil |
- |
2FA bypass |
- |
05/15/2021 |
Mass Assignment exploitation in the wild - Escalating privileges in style |
Gal Nagli (@naglinagli) |
- |
Mass assignment, Privilege escalation |
- |
05/14/2021 |
One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Reflected XSS, Account takeover |
$9,600 |
05/13/2021 |
Blind XSS on Google Internal System |
Kailash (@Corrupted_brain) |
Google |
Blind XSS |
$5,000 |
05/13/2021 |
Counter-Strike Global Offsets: reliable remote code execution |
brymko (@brymko), dezk (@cffsmith) & Simon Scannell (@scannell_simon) |
Valve |
RCE |
- |
05/13/2021 |
How I find my first Stored XSS |
Filipe Azevedo (@filipaze_) |
- |
Stored XSS |
- |
05/13/2021 |
My story of hacking Dutch Government |
Tuhin Bose (@tuhin1729_) |
Dutch Government |
XSS |
- |
05/12/2021 |
CVE-2020-35580 |
hateshape (@hateshaped) |
- |
LFI |
- |
05/11/2021 |
CVE-2021-27075: Microsoft Azure Vulnerability Allows Privilege Escalation and Leak of Private Data |
Intezer |
Microsoft |
Privilege escalation |
- |
05/11/2021 |
2FA Verification Bypass in Shapeshift [shapeshift.com] (Write Up) |
Evan Ricafort (@evanricafort) |
Shapeshift |
2FA bypass |
- |
05/10/2021 |
Stored XSS to Organisation Takeover |
Zaid Bhat (@zaidozaid) |
- |
Stored XSS |
- |
05/10/2021 |
Simple logical Bug turned into a bounty |
Sndp Giri |
Meta / Facebook |
Logic flaw |
$500 |
05/10/2021 |
Exploiting Activity in medium android app |
Raju kumar (@MrCyberwarrior) |
Medium |
Insecure intents |
- |
05/10/2021 |
Unauthorized access to Django Admin Dashboard by endpoint leaked on GitHub |
Santosh Kumar Sha (@killmongar1996) |
- |
Lack of authentication, Forced browsing |
- |
05/10/2021 |
Microsoft bug bounty writeup |
th3.d1p4k (@DipakPanchal05) |
Microsoft |
Information disclosure |
- |
05/08/2021 |
Workplace by Facebook | Unauthorized access to companies environment — $27,5k |
Marcos Ferreira (@mvinni_) |
Meta / Facebook |
Authorization flaw, Logic flaw, IDOR |
$27,500 |
05/07/2021 |
Apple Bug bounty writeups XSS(2021) |
Takashi Suzuki |
Apple |
XSS |
- |
05/07/2021 |
Identify a Facebook user by his phone number despite privacy settings set |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Privacy issue, Information disclosure |
$9,000 |
05/06/2021 |
CVE-2021-1815 – MacOS Local Privilege Escalation Via Preferences |
Offensive Security (@offsectraining) |
Apple |
Local Privilege Escalation |
- |
05/06/2021 |
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit |
- |
Google |
RCE |
- |
05/05/2021 |
Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
OAuth flaw, Authorization flaw, Account takeover |
$18,000 |
05/05/2021 |
How I Found Sql Injection on intensedebate.com (h1) in 5 minute $350 |
Ahmad A Abdulla (@lu3ky13) |
Automattic |
SQL injection |
$350 |
05/05/2021 |
XSS Through Parameter Pollution |
Saajan Bhujel (@saajanbhujel11) |
- |
Open redirect, XSS, HTTP Parameter Pollution |
- |
05/05/2021 |
Injecting Punycode URL Within the Arbitrary Text via Comment Box In Google Photo Sharing Option |
Divyanshu Shukla (@justm0rph3u5) |
Google |
HTML injection |
$0 (OOS) |
05/05/2021 |
ExifTool CVE-2021-22204 - Arbitrary Code Execution |
William Bowling / vakzz (@wcbowling) |
GitLab |
RCE |
$20,000 |
05/04/2021 |
Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida & Exploiting the Source Engine (Part 1) |
Geebz (@Gbps111) |
Valve |
RCE |
$7,500 |
05/04/2021 |
Deep Dive into Open Source Bug Bounty |
Ritik Sahni (@ritiksahni22) |
- |
CSRF |
- |
05/03/2021 |
Finding known exploits for bugbounties. |
ipanda (@ipanda915) |
- |
RCE |
$0 (Duplicate) |
05/03/2021 |
IDOR Leads To Leak Any Uber Eats Restaurant Analytics |
Prial Islam Khan (@prial261) |
Uber |
IDOR |
$2,000 |
05/02/2021 |
Basic recon to RCE |
Joshua Martinelle (@J0_mart) |
- |
Insecure deserialization, RCE |
- |
05/02/2021 |
Chaining CSRF with XSS to deactivate Mass user accounts by single click |
Santosh Kumar Sha (@killmongar1996) |
- |
CSRF, XSS |
- |
05/02/2021 |
SSRF Through PDF Generation |
Joshua Martinelle (@J0_mart) |
- |
SSRF |
- |
05/01/2021 |
How I found my first RCE? |
ipanda (@ipanda915) |
- |
RCE |
- |
05/01/2021 |
How I got $400 for my first SSRF bug? |
Usama Varikkottil (@usama_dev) |
- |
SSRF |
$400 |
05/01/2021 |
Password reset code brute-force vulnerability in AWS Cognito |
Pentagrid (@pentagridsec) |
Amazon |
Password reset flaw, Brute force, Rate limiting bypass, Account takeover |
- |
04/30/2021 |
Facebook account takeover due to unsafe redirects after the OAuth flow |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
OAuth flaw, Open redirect, Account takeover |
$28,800 |
04/30/2021 |
My first OOB XXE exploitation |
Joshua Martinelle (@J0_mart) |
- |
XXE |
- |
04/30/2021 |
How I was able to Retrieve your Personal Documents using the Wayback Machine! |
Savir Suda (@savxiety) |
- |
Privacy issue, Information disclosure |
- |
04/30/2021 |
Exploiting memory corruption vulnerabilities on Android |
Oversecured (@OversecuredInc) |
Paypal |
Memory corruption bug |
$1,100 |
04/30/2021 |
A tale of Html to Pdf converter ssrf and various bypasses |
Jatin Aesthetic (@techyfreakk) |
- |
SSRF |
- |
04/29/2021 |
De-anonymising Anonymous Animals in Google Workspace |
David Schütz (@xdavidhu) |
Google |
Privacy issue, Information disclosure |
- |
04/29/2021 |
The False Oracle — Azure Functions Padding Oracle Issue |
polarply (@polarply) |
Microsoft |
Padding Oracle, Privilege escalation |
- |
04/28/2021 |
How did I earn €€€€ by breaking the back-end logic of the server |
Dewanand Vishal (@dewcode91) |
- |
Logic flaw, Information disclosure |
- |
04/28/2021 |
Reflected DOM-based XSS on DomaiNesia |
N45HT |
DomaiNesia |
XSS |
- |
04/27/2021 |
Exploiting XSS via Markdown on Xiaomi |
N45HT |
Xiaomi |
XSS |
- |
04/27/2021 |
WordPress 5.7 XXE Vulnerability |
Sonar (@SonarSource) |
WordPress |
XXE |
$600 |
04/27/2021 |
Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol |
Antonio Cocomazzi (@splinter_code) & Andrea Pierini (@decoder_it) |
Microsoft |
Local Privilege Escalation |
- |
04/26/2021 |
Reflected XSS on Microsoft |
N45HT |
Microsoft |
Reflected XSS |
- |
04/25/2021 |
From Wayback Machine To Account Takeover |
Demon (@R29k_) |
- |
Open redirect, Account takeover |
$800 |
04/25/2021 |
Supply Chain Attacks via GitHub.com Releases |
Nightwatch Cybersecurity (@nightwatchcyber) |
GitHub |
Logic flaw |
$0 |
04/25/2021 |
How I found Cross-Site-Scripting (Reflected) on more than 300 systems! |
MR SINISTER (@KabirSuda) |
- |
Reflected XSS |
- |
04/25/2021 |
From Wayback Machine To Account Takeover |
Demon (@R29k_) |
- |
Account takeover, Password reset flaw, Open redirect |
- |
04/25/2021 |
RCE via Internal Access to Adminer Database Management (Critical) |
Ahmad Halabi (@Ahmad_Halabi_) |
- |
RCE |
- |
04/24/2021 |
AWS internal metadata accessed through SSRF by Chaining an Open Redirect bug |
Santosh Kumar Sha (@killmongar1996) |
- |
SSRF, Open redirect |
- |
04/24/2021 |
Page Owners Can’t remove or change page roles of deactivated users (or if Attacker blocks the page owner) in Facebook Lite, Facebook for Android and touch.facebook.com |
Baibhav Anand (@SpongeBhav) |
Meta / Facebook |
Logic flaw |
$525 |
04/22/2021 |
Brave — Stealing your cookies remotely |
Pedro Oliveira (@kanytu) |
Brave |
Arbitrary file read |
$500 |
04/22/2021 |
Telegram bug bounties: XSS, privacy issues, official bot exploitation and more… |
Davide, Andrea & Giuseppe |
Telegram |
XSS, Authorization flaw, DoS |
- |
04/22/2021 |
PrivateDrop: Breaking and Fixing Apple AirDrop |
Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute & Christian Weinert |
Apple |
Privacy issue, Information disclosure |
- |
04/21/2021 |
New Clubhouse Security Vulnerabilities Could Happen to Any Growing Unicorn |
Katie Moussouris (@k8em0) |
Clubhouse |
Logic flaw |
- |
04/21/2021 |
Remote code execution in Homebrew by compromising the official Cask repository |
RyotaK (@ryotkak) |
Homebrew |
RCE |
- |
04/21/2021 |
Got Nice catch by Google |
Parth Desani (@DesaniParth) |
Google |
OAuth flaw, Open redirect, CSRF |
$0 (Early acquisition) |
04/22/2021 |
How I was able to inject XSS payload into any user’s mailbox |
Gaurav Popalghat (@N008x) |
- |
XSS |
- |
04/21/2021 |
CVE-2021-30481: Source engine remote code execution via game invites |
floesen (@floesen_) |
Valve |
RCE, Integer underflow |
$8,000 |
04/20/2021 |
Playing With iframes: Bypassing Content-Security-Policy |
JM Sanchez / 0xEchidonut (@jmrcsnchz) |
- |
CSP bypass, Open redirect, HTML injection |
- |
04/20/2021 |
Auth Bypass in Google Workspace Real Time Collaboration |
David Schütz (@xdavidhu) |
Google |
Authentication bypass, Information disclosure |
- |
04/20/2021 |
IDOR leads to leaked the likes count even though is hidden by victim | YouTube ($XXXX) |
R ando (@Rando02355205) |
Google |
IDOR, Logic flaw |
- |
04/20/2021 |
Blind SSRF to Port Scanning through response time |
Harish |
- |
SSRF |
- |
04/19/2021 |
Unauthorized access to admin setpassword page BY bypassing 403 Forbidden |
Santosh Kumar Sha (@killmongar1996) |
- |
Authorization flaw |
- |
04/18/2021 |
(POC) Untrim any live video on Facebook |
Ahmad Talahmeh |
Meta / Facebook |
Authorization flaw |
$2,875 |
04/18/2021 |
Exploiting Unrestricted File Upload to achieve Remote Code Execution on a bug bounty program |
Jadek Mark (@mase289) |
- |
Unrestricted file upload, RCE |
- |
04/18/2021 |
Pwning your assignments: Stored XSS via GraphQL endpoint |
Kartik Sharma (@dominat0r98) |
- |
Stored XSS, GraphQL bug |
$2,881 |
04/18/2021 |
Misconfiguration in Change-password Functionality Leads to Account Takeover |
Mahmoud Radwan (@0x___2m) & Mahmoud samaha (@0x__2m) |
- |
IDOR, Logic flaw, Password reset flaw, Account takeover |
- |
04/18/2021 |
XSS via Exif Data - The P2 Elevator |
Jerry Shah (@Jerry) |
- |
Stored XSS |
- |
04/18/2021 |
Discourse themes OS Command Injection |
joernchen (@joernchen) |
Discourse |
RCE, OS command injection |
- |
04/18/2021 |
(POC) Remove any Facebook’s live video ($14,000 bounty) |
Ahmad Talahmeh |
Meta / Facebook |
Logic flaw |
$14,000 |
04/17/2021 |
Lets Learn English - Hacking 10M+ Users |
Aseem Shrey (@AseemShrey) |
- |
AWS misconfiguration, Insecure Firebase database, OTP bypass, Account takeover, Logic flaw |
- |
04/17/2021 |
(POC) Update business fyi message as Facebook page analyst |
Ahmad Talahmeh |
Meta / Facebook |
IDOR, GraphQL bug |
$750 |
04/17/2021 |
How I earned $$$$ through Stored XSS |
Harish |
- |
Stored XSS, CSTI |
$3,205 |
04/16/2021 |
Fun sql injection — mod_security bypass |
Y000 (@Y000) |
- |
SQL injection |
- |
04/16/2021 |
Allow arbitrary URLs, expect arbitrary code execution |
Fabian Bräunlein & Lukas Euler |
Nextcloud, Telegram, VLC |
RCE |
- |
04/15/2021 |
How I got 9000 USD by hacking into iCloud |
Alexandre Fernandes (@fernale) |
Apple |
XSS |
$9,000 |
04/15/2021 |
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027) |
CENSUS |
Facebook (WhatsApp) |
Man-in-the-Disk |
- |
04/14/2021 |
Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere |
Cisco Talos |
Microsoft |
RCE |
- |
04/14/2021 |
Google Photos : Theft of Database & Arbitrary Files Android Vulnerability |
Rahul Kankrale (@RahulKankrale) |
Google |
Improper Export of Android Application Components |
$1,337 |
04/13/2021 |
You Talking To Me? |
Li JianTao (@cursered) |
Google |
RCE, Browser bug |
$0 (Duplicate) |
04/12/2021 |
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3 |
Chris Williams (@HawaiiFive0day) |
Tesla, Google |
RCE, Browser bug |
- |
04/12/2021 |
Unauthenticated Account Takeover Through Forget Password |
Nikhil (niks) (@niksthehacker) |
- |
Password reset flaw, Account takeover, Information disclosure |
- |
04/12/2021 |
Stored XSS on the DuckDuckGo search results page |
PMOC (@pmofcats) |
DuckDuckGo |
Stored XSS |
- |
04/10/2021 |
Cookie poisoning leads to DoS and Privacy Violation |
Benjamin Walter |
CS Money |
DoS, SSRF |
$700 |
04/09/2021 |
Auth Issues |
Uranium238 (@uraniumhacker) |
Google |
Authentication flaw, Logic flaw |
- |
04/09/2021 |
(CRITICAL) Blind Storage XSS — My first Bug Bounty 💰 |
Benjamin Walter |
CS Money |
Blind XSS |
$1,000 |
04/08/2021 |
What if you could deposit money into your Betting account for free? Oh wait where has this 25k came from… |
Mikey (@mikey96_bh) |
- |
Logic flaw |
$10,000 |
04/07/2021 |
Chaining an Blind SSRF bug to Get an RCE |
Santosh Kumar Sha (@killmongar1996) |
- |
Blind SSRF, RCE |
- |
04/07/2021 |
I Built a TV That Plays All of Your Private YouTube Videos |
David Schütz (@xdavidhu) |
Google |
CSRF |
$6,000 |
04/05/2021 |
Apple TV for Fire OS code execution |
Razvan Sima (@0xraaz) |
Apple |
RCE, Insecure storage, Man-in-the-Disk attack |
- |
04/05/2021 |
Cloud Based Storage Misconfigurations -> Critical Bounties |
Mikey (@mikey96_bh) |
- |
Cloud storage misconfiguration |
$7,500 |
04/05/2021 |
Weird and very easy authentication bypass found with Google dorking |
GrumpinouT (@RVerwilghen) |
- |
Authentication bypass |
- |
04/05/2021 |
Intro to Open-source Bug Bounty |
Arjun Shibu (@0xsegf) |
Mailtrain |
Directory traversal |
- |
04/05/2021 |
CSRF in YouTube Leanback API |
David Schütz (@xdavidhu) |
Google |
CSRF |
- |
04/05/2021 |
Breaking GitHub Private Pages for $35k |
Robert Chen (@NotDeGhost) & Philip |
Github |
XSS, CRLF, Web cache poisoning |
$35,000 |
04/04/2021 |
Remote code execution through unsafe unserialize in PHP |
Sjoerd Langkemper |
- |
Insecure deserialization, RCE |
- |
04/04/2021 |
Journeys in Quoteless and Multi Reflection XSS |
Bend Theory (@bendtheory) |
- |
XSS |
$250 |
04/04/2021 |
RCE on Starbucks Singapore and more for $5600 |
Kamil Onur Özkaleli (@ko2sec) |
Starbucks |
RCE, Unrestricted file upload |
$5,600 |
04/03/2021 |
Code execution as root via AT commands on the Quectel EG25-G modem |
nns |
Quectel |
OS command injection, RCE |
$2,000 |
04/03/2021 |
Gain write permission of repositories with a bug in GitHub Actions |
tyage (@tyage) |
GitHub |
Broken Access Control, Logic flaw |
$25,000 |
04/02/2021 |
Automate Cache Poisoning Vulnerability - Nuclei |
Mohamed Elbadry (@_melbadry9) |
- |
Web cache poisoning, Stored XSS |
$1,500 |
04/02/2021 |
This Man Thought Opening A TXT File Is Fine, He Thought Wrong. MacOS CVE-2019-8761 |
Paulos Yibelo (@PaulosYibelo) |
Apple |
MacOS bug, HTML injection |
- |
04/02/2021 |
Bragging Rights: Let’s head back to bug bucket |
Manas Harsh (@ManasH4rsh) |
- |
XSS, IDOR, 2FA bypass |
$951 |
04/02/2021 |
XSS in Large Messenger and Payment App - a Shout Out to Parameter Guessing |
Lauritz (@lauritz) |
- |
XSS, HTML injection |
- |
04/02/2021 |
Play a game, get Subscribed to my channel - YouTube Clickjacking Bug | #GoogleVRP |
Sriram Kesavan (@sriramoffcl) |
Google |
Clickjacking |
$100 |
04/02/2021 |
Who Contains the Containers? |
James Forshaw (@tiraniddo) |
Microsoft |
Local privilege escalation |
- |
04/01/2021 |
Facebook account takeover due to a wide platform bug in ajaxpipe responses |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Account takeover |
$30,000 |
04/01/2021 |
Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Account takeover, OAuth flaw, Open redirect |
$12,000 |
04/01/2021 |
Zero click vulnerability in Apple’s macOS Mail |
Mikko Kenttälä (@Turmio_) |
Apple |
Account takeover, Information disclosure, RCE |
- |
04/01/2021 |
GKE Autopilot Node Compromise via Race Condition |
Anthony Weems |
Google |
Container escape |
$1,337 |
04/01/2021 |
Download Facebook internal mobile builds |
Philippe Harewood (@phwd) |
Meta / Facebook |
Information disclosure |
$6,000 |
03/31/2021 |
My first Bug report at Facebook 2021 |
Kent Jarold Abulag (@wkemenhehehegsg) |
Meta / Facebook |
Logic flaw, Authorization flaw |
- |
03/31/2021 |
Missing CORS leads to Complete Account Takeover |
Niraj Modi (@nirajmodi51) |
- |
Missing CORS, CSRF, Account takeover |
- |
03/30/2021 |
I felt like there were no more bugs left after winning € 2000 … But an email worth €750 changed my mind |
Thexssrat (@theXSSrat) |
- |
Broken Access Control, IDOR |
€2750 |
03/30/2021 |
A weird XSS |
gato the wizard |
- |
Reflected XSS |
- |
03/30/2021 |
CSRF to Full Account Takeover |
Ashraf Harb (@ashrafharb97) |
- |
CSRF, Account takeover |
- |
03/29/2021 |
PHP fopen() function to local file inclusion |
أنس روبي (@xhzeem) |
- |
LFI |
- |
03/28/2021 |
How I made to Paypal Bug Bounty $750 |
Pethuraj (@Pethuraj) |
Paypal |
Open Redirect |
$750 |
03/28/2021 |
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #1 |
R ando (@Rando02355205) |
Google |
Broken Access Control, IDOR |
- |
03/28/2021 |
How to bypass CloudFlare bot protection ? |
jychp (@jychp_fr) |
CloudFlare |
Logic flaw |
$0 |
03/27/2021 |
Increasing impact of Information Disclosure — Full Account Takeover ! |
Abhisek R (@abh1sek_r) |
- |
Information disclosure, Password reset flaw |
$0 (OOS) |
03/26/2021 |
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #2 |
R ando (@Rando02355205) |
Google |
Broken Access Control, IDOR |
- |
03/26/2021 |
Encrypted Payload -> Decrypted Execution ($600) : Stored XSS |
Shrirang Diwakar |
- |
Stored XSS |
$600 |
03/25/2021 |
PoC: The easiest 125 Euro’s I Ever made |
Thexssrat (@theXSSrat) |
- |
Logic flaw |
€125 |
03/25/2021 |
Exif meta data worth $XXXX |
Saddam Hussain (@wisdomfreak1) |
- |
Information disclosure |
- |
03/25/2021 |
How I leveraged XSS to make Privilege Escalation to be Super Admin! |
Asem Eleraky (@melotover) |
- |
XSS, Privilege escalation |
- |
03/25/2021 |
Multiple Authorization bypass issues in Google’s Richmedia Studio |
Zohar Shachar |
Google |
Authorization flaw |
$6,000 |
03/24/2021 |
Bypass rate limit to enumeration users through Google Drive |
Abdullah Mohamed (@3bodymo_) |
Google |
Rate limiting bypass |
$0 (Won’t fix) |
03/24/2021 |
Finding and exploiting race condition vulnerability on facebook server |
Dewanand Vishal (@dewcode91) |
Meta / Facebook |
Race condition |
$2,000 |
03/24/2021 |
Ad portals and the half blood vulnerability |
Adam (@whitechaitai) |
- |
Logic flaw |
$600+ |
03/23/2021 |
How I made it to Google HOF? |
Sudhanshu Rajbhar (@sudhanshur705) |
Google |
IDOR |
$1,000 |
03/21/2021 |
Finding My First Critical Vulnerability |
Thexssrat (@theXSSrat) |
- |
Information disclosure |
$250 |
03/21/2021 |
OTP brute-force via rate limit bypass |
Bilal Muqeet (@blmqt) |
- |
Bruteforce, Lack of rate limiting, OTP bypass |
- |
03/21/2021 |
Cross Site Port Attack - A Stranger’s Call |
Jerry Shah (@Jerry) |
- |
XSPA |
- |
03/21/2021 |
OAuth Misconfiguration found in small time-window of attack |
Muhammad Aamir (@Muhammad__Aamir) |
- |
OAuth misconfiguration |
$300 |
03/20/2021 |
A short story about an XSS in chat.mozilla.org (CVE-2021-21320) |
Guilherme Keerok (@k33r0k) |
Mozilla |
XSS |
$500 |
03/19/2021 |
How to Harpon Big Blue! |
Clark Voss (@clark_voss) |
IBM |
Logic flaw, Exposed registration page |
- |
03/19/2021 |
H2C Smuggling in the Wild |
Sean Yeoh (@seanyeoh) |
- |
HTTP request smuggling |
- |
03/18/2021 |
TikTok for Android 1-Click RCE |
Sayed Abdelhafiz (@dPhoeniixx) |
TikTok |
RCE, XSS, Insecure intents |
- |
03/18/2021 |
How I hacked Facebook: Part Two |
Alaa Abdulridha (@alaa0x2) |
Meta / Facebook |
SSRF, Account takeover, Cookie manipulation |
$54,580 |
03/18/2021 |
Stealing arbitrary GitHub Actions secrets |
Teddy Katz (@not_aardvark) |
GitHub |
Logic flaw |
$25,000 |
03/17/2021 |
Dangling DNS: Worksites.net |
Mohamed Elbadry (@_melbadry9) |
- |
Dangling DNS records, Subdomain takeover |
- |
03/17/2021 |
Abusing Data Protection Laws For D0xing & Account Takeovers |
Hx01 (@Hxzeroone) |
- |
SSTI, Account takeover |
- |
03/17/2021 |
CVE-2021-27076: A Replay-style Deserialization Attack Against Sharepoint |
Simon Zuckerbraun (@HexKitchen) |
Microsoft |
Insecure deserialization, RCE |
- |
03/17/2021 |
An unknown Linux secret that turned SSRF to OS Command injection |
secureITmania (@secureitmania) |
- |
SSRF, Command injection |
- |
03/17/2021 |
An Interesting Account Takeover!! |
Mayank Pandey (@mayank_pandey01) |
- |
IDOR, Account takeover, Weak encryption, Password reset flaw |
- |
03/17/2021 |
Voice Confusion When Commenting On Watch Party |
Prakash Panta (@prakashpanta268) |
Meta / Facebook |
Information disclosure |
$1,000 |
03/16/2021 |
API Misconfiguration which leads to unauthorized access to servicedesk tickets |
Gaurav Popalghat (@N008x) |
- |
Information disclosure |
- |
03/16/2021 |
De-anonymize the members of a private Facebook Group as a non-member. |
Baibhav Anand (@SpongeBhav) |
Meta / Facebook |
GraphQL bug, Information disclosure |
$4,500 |
03/15/2021 |
Facebook Group Members Disclosure. |
Baibhav Anand (@SpongeBhav) |
Meta / Facebook |
Information disclosure |
$9,000 |
03/15/2021 |
IDOR Vulenebility with empty response still exposing sensitive details of customers! |
Rahul Varale |
- |
IDOR |
- |
03/14/2021 |
How I Found Sql Injection on 8x8 , Cengage,Comodo,Automattic,20 company |
Ahmad A Abdulla (@lu3ky13) |
Automattic, IBM, 8x8 |
SQL injection |
- |
03/12/2021 |
Finding keys under the door |
Naveen Prakaasham K S V |
Paytm |
Stored XSS, Unrestricted file upload |
- |
03/12/2021 |
Account Takeover Via Reset Password Worth 2000$ |
Ashutosh mishra (@ashutoshmish_ra) |
- |
Password reset flaw, Account takeover |
$2,000 |
03/12/2021 |
[Google VRP] How I Get Blind XSS At Google With Dork (First Bounty and HOF ) |
Rio Mulyadi (@riomulyadi_) |
Google |
Blind XSS |
$3,133.70 |
03/11/2021 |
Messing with GitHub’s fork collaboration for fun and profit |
Teddy Katz (@not_aardvark) |
GitHub |
Broken Access Control |
$30,000 |
03/10/2021 |
Business Logic Error on Registration Leads to SMS Validation Bypass |
pleorqy (@pleorqy) |
- |
2FA bypass |
- |
03/10/2021 |
Chain of Low Level Bugs and Misconfigurations Leads to Account Takeover |
pleorqy (@pleorqy) |
- |
Reflected XSS, Clickjacking, Account takeover |
- |
03/10/2021 |
Finding Basic Authtoken in JAVASCRIPT file BY Full Automation |
Santosh Kumar Sha (@killmongar1996) |
- |
Information disclosure |
- |
03/10/2021 |
Exploiting HTTP Request Smuggling (TE.CL)— XSS to website takeover |
Kleiton Kurti (@kleiton0x7e) |
- |
HTTP request smuggling, XSS |
- |
03/09/2021 |
Write Up – Google VRP N/A: SSRF Bypass With Quadzero In Google Cloud Monitoring |
Omar Espino (@omespino) |
Google |
SSRF |
$0 (N/A) |
03/08/2021 |
Dangling DNS: Amazon EC2 IPs (Current State) |
Mohamed Elbadry (@_melbadry9) |
8x8 |
Dangling DNS records, Subdomain takeover |
- |
03/08/2021 |
Stored XSS in Google Ads Android Application— $3133.70 |
Ashish Dhone (@ashketchum_16) |
Google |
Stored XSS, HTML injection |
$3,133.70 |
03/07/2021 |
Finding Hidden Login Endpoint Exposing Secret Client ID |
Ahmad Halabi (@Ahmad_Halabi_) |
- |
Information disclosure |
$700 |
03/07/2021 |
Exploiting a hidden and forgotten Bug |
Aditya Verma (@0cirius0) |
- |
SSRF |
- |
03/07/2021 |
The easiest $2500 I got it from bug bounty program |
Abdullah Mohamed (@3bodymo_) |
Uber |
Information disclosure |
$2,500 |
03/06/2021 |
GKE Autopilot Node Compromise via SSH Metadata |
Anthony Weems |
Google |
Container escape |
$1,337 |
03/05/2021 |
GKE Autopilot Node Compromise via startup-script |
Anthony Weems |
Google |
Container escape |
$1,337 |
03/05/2021 |
Leveraging Template injection to takeover an account. |
Akash Methani (@0xAkash) |
- |
CSTI, XSS |
- |
03/04/2021 |
Low hanging fruits on Facebook Group Room. Unable to remove post on group when post room add with event ($500) |
Randy Arios |
Meta / Facebook |
Logic flaw |
$500 |
03/04/2021 |
Stored XSS at Trello.com |
Maor Dayan (@mord1234) |
Trello |
Stored XSS |
- |
03/04/2021 |
Content Injection (RCE) in Yandex Browser for Android [2018] |
Nightwatch Cybersecurity (@nightwatchcyber) |
Yandex |
MiTM |
$0 |
03/03/2021 |
The Invincible Kid |
Samip Aryal |
Meta / Facebook |
Logic flaw |
$500 |
03/03/2021 |
How I Might Have Hacked Any Microsoft Account |
Laxman Muthiyah (@laxmanmuthiyah) |
Microsoft |
Account takeover, Password reset flaw, Bruteforce, 2FA bypass |
$50,000 |
03/02/2021 |
Microsoft Edge Browser For IOS - Address Bar Spoofing Vulnerability |
Rafay Baloch (@rafaybaloch) |
Microsoft |
Address Bar Spoofing |
- |
03/02/2021 |
GKE Autopilot Node Compromise via local-storage PersistentVolume |
Anthony Weems |
Google |
Container escape |
$1,337 |
03/01/2021 |
Exploiting CORS to perform an IDOR Attack leading to PII Information Disclosure |
Harsh Parekh (@notmarshmllow) |
- |
CORS misconfiguration, Information disclosure |
- |
03/01/2021 |
Secret Key Exposure in API Config Directory |
Ahmad Halabi (@Ahmad_Halabi_) |
- |
Information disclosure |
$800 |
03/01/2021 |
Join Facebook Group With Unpublish Page |
gevakun |
Meta / Facebook |
Authorization flaw |
- |
03/01/2021 |
RocketChat - Unauthenticated access to messages |
Rojan Rijal (@uraniumhacker) |
RocketChat |
Authorization flaw |
N/A (VDP) |
03/01/2021 |
SSRF to fetch AWS credentials with full access to multiple services |
Zonduhackerone (@zonduu1) |
- |
SSRF |
- |
02/28/2021 |
Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape |
Alex Chapman (@ajxchapman) |
- |
RCE |
- |
02/28/2021 |
Admin Panel Accessed Via SQL Injection… (Ezy Boooom…😅) |
Ratnadip Gajbhiye (@scspcommunity) |
- |
SQL injection |
- |
02/28/2021 |
Bragging Rights: Killing File Uploads softly |
Manas Harsh (@ManasH4rsh) |
- |
Unrestricted file upload, Stored XSS |
- |
02/28/2021 |
Jira Auth Bypass bug in Google Acquisition (Apigee) |
Jayateertha Guruprasad (@JayateerthaG) |
Google |
Authentication bypass |
- |
02/28/2021 |
Somebody Call The Plumber, GraphQL is Leaking Again… |
N0ur5 |
- |
Information disclosure, GraphQL bug |
- |
02/28/2021 |
Any Account Takeover Through Privilege Escalation |
Shubham Chaskar (@chaskar_shubham) |
- |
Privilege escalation, Account takeover |
- |
02/28/2021 |
Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554) |
champtar |
Kubernetes |
MiTM |
$1,000 |
02/28/2021 |
Host MITM attack via IPv6 rogue router advertisements (K8S CVE-2020-10749 / Docker CVE-2020-13401 / LXD / WSL2 / …) |
champtar |
Kubernetes |
MiTM |
$1,000 |
02/28/2021 |
Story About Stop 10000+ users to get Their job notification |
PJBorah |
- |
Logic flaw |
- |
02/27/2021 |
Somebody Call The Plumber, GraphQL is Leaking Again… |
N0ur5 |
- |
Information disclosure, GraphQL bug |
$2,000 |
02/27/2021 |
IDOR which allowed me to view Personal Email Addresses of More than 50K Users! |
Savir Suda (@savxiety) |
- |
IDOR, Password reset flaw |
- |
02/26/2021 |
SSRF: Bypassing hostname restrictions with fuzzing |
Dominic (@dee__see) |
Elastic |
SSRF |
- |
02/26/2021 |
Account Takeover - Smoking with ‘null’ |
Jerry Shah (@Jerry) |
- |
Account takeover, Authentication flaw |
- |
02/26/2021 |
Stealing user passwords through a VPN’s SSO |
Alain Mowat (@plopz0r) |
- |
Open redirect, SSTI |
- |
02/25/2021 |
Poisoning your Cache for 1000$ - Approach to Exploitation Walkthrough |
Gal Nagli (@naglinagli) |
- |
Web cache poisoning, Stored XSS |
$1,000 |
02/25/2021 |
Hijacking Reset Password Link in https://www.niteflirt.com/ via Host Header Poising (Write Up) |
Evan Ricafort (@evanricafort) |
Niteflirt |
Host header injection, Account takeover, Password reset flaw |
$50 |
02/25/2021 |
CSRF through URL with # tag parameter |
Tommysuriel |
- |
CSRF |
$100 |
02/25/2021 |
CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux |
John Jackson (@johnjhacking) |
Keybase |
Unencrypted storage |
$1,000 |
02/22/2021 |
Grafana Admin Panel bypass in Google Acquisition(VirusTotal) |
Jayateertha Guruprasad (@JayateerthaG) |
Google |
Default credentials |
- |
02/22/2021 |
Let’s know How I have explored the buried secrets in Xamarin application |
secureITmania (@secureitmania) |
- |
Hardcoded API keys, Information disclosure |
- |
02/21/2021 |
RCE On A Laravel Private Program |
Yasho (@YShahinzadeh) |
- |
RCE |
- |
02/20/2021 |
Is Math.random() Safe? from missing rate limit to bypass 2fa and possible sqli |
Yasser Mohammed (@boomneroli) |
- |
Race condition, Lack of rate-limiting, OTP bypass, SQL injection |
- |
02/20/2021 |
Account Takeover via Response Manipulation worth 1800$.. |
Ashutosh mishra (@ashutoshmish_ra) |
- |
Authentication bypass, OTP bypass, Account takeover |
$1,800 |
02/20/2021 |
Build Pipeline Security |
xssfox (@xssfox) |
Amazon |
RCE |
- |
02/18/2021 |
Account Take Over by Response Manipulation |
Naveen J (@thevillagehackr) |
- |
Authentication bypass, Account takeover |
- |
02/17/2021 |
Expose information about Partner accounts in Partner portal |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, GraphQL bug |
$3,600 |
02/17/2021 |
Expose Facebook object type (including private objects) |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, Logic flaw |
$500 |
02/17/2021 |
Ability to find Facebook employee’s test accounts which lead to the disclosure of internal information. |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, GraphQL bug |
$500 |
02/17/2021 |
Disclose internal CMS objects content |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, Authorization flaw |
$500 |
02/17/2021 |
Confirm if an invitation is sent to a specific email in Partners Portal / Possibility to resend the invitation |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, GraphQL bug |
$500 |
02/17/2021 |
XSS in Facebook CDN due to improper filtering of uploaded files extensions |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
XSS |
$500 |
02/17/2021 |
Enumerate internal cached URLs which lead to data exposure |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, Caching issue |
$4,800 |
02/17/2021 |
Make recruiting referrals on behalf of employees |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Authorization flaw, GraphQL bug |
$3,000 |
02/17/2021 |
Leaking Facebook user information to external websites / Setting some cookies values |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
GraphQL bug, Logic flaw, Information disclosure |
$2,000 |
02/17/2021 |
Access private information about SparkAR effect owners who has a publicly viewable portfolio |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Authorization flaw, Information disclosure, GraphQL bug |
$1,500 |
02/17/2021 |
Open redirect in Instagram.com |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Open redirect |
$500 |
02/17/2021 |
Story of a very lethal IDOR. |
Vedant Tekale (@_justYnot) |
- |
XSS, IDOR, Account takeover |
N/A (VDP) |
02/17/2021 |
From AWS S3 Misconfiguration to Sensitive Data Exposure |
Jadek Mark (@mase289) |
- |
AWS misconfiguration |
- |
02/17/2021 |
Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) |
Imre Rad (@ImreRad) |
Google |
Configuration file injection, RCE |
- |
02/16/2021 |
Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) |
Imre Rad (@ImreRad) |
Google |
RCE |
- |
02/16/2021 |
Hunting for bugs in Telegram’s animated stickers remote attack surface |
polict (@polict_) |
Telegram |
Memory corruption bug, DoS |
- |
02/16/2021 |
I Own your Cloud Shell: Taking over “Azure Cloud Shell” Kubernetes Cluster Through Unsecured Kubelet API 30,000$ Bounty |
Chen Cohen (@chencococococo) |
Microsoft |
Privilege escalation, RCE |
$30,000 |
02/15/2021 |
Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Authorization flaw, Logic flaw |
$12,500 |
02/15/2021 |
Full account takeover worth $1000 Think out of the box |
Mohsin Khan (@tabaahi_) |
- |
Account takeover, CSRF, IDOR |
$1,000 |
02/15/2021 |
Delete linked payments accounts of a Facebook page (or user) |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Authorization flaw, Logic flaw |
$1,000 |
02/15/2021 |
URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs. |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Logic flaw |
$500 |
02/15/2021 |
Leak of internal categorySets names and employees test accounts. |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure |
$500 |
02/15/2021 |
View orders and financial reports lists for any page shop |
Youssef Sammouda (@samm0uda) |
Meta / Facebook |
Information disclosure, Authorization flaw |
$500 |
02/15/2021 |
Header manipulation to get the premier feature for free |
Saddam Hussain (@wisdomfreak1) |
- |
Logic flaw |
- |
02/14/2021 |
Stored XSS in icloud.com — $5000 |
Vishal Bharad |
- |
Stored XSS |
$5,000 |
02/14/2021 |
My first bounty (stored-xss) |
Karan sharma (@karansh491) |
- |
Stored XSS |
$1,000 |
02/14/2021 |
IDOR via Websockets allow me to takeover any users account |
Mohsin Khan (@tabaahi_) |
- |
IDOR |
$450 |
02/14/2021 |
How I Hacked Everyone’s Resume/CV’s and Got €€€ |
Vishal Bharad |
- |
IDOR, Authorization flaw, Information disclosure |
$250 |
02/14/2021 |
Changing other users Episode title & description - IDOR Vulnerability in [REDACTED] (Write Up) |
Evan Ricafort (@evanricafort) |
- |
IDOR |
$1,150 |
02/13/2021 |
[GITLAB] — Server Side Request Forgery in “Project Import” page. |
Lyubomir Tsirkov |
Gitlab |
SSRF |
$1,500 |
02/13/2021 |
[GITLAB] — Just another SSRF issue. |
Lyubomir Tsirkov |
Gitlab |
SSRF |
$1,000 |
02/13/2021 |
OAuth Misconfiguration Leads to Full Account takeover |
Yasser Mohammed (@boomneroli) |
- |
OAuth flaw, Clickjacking, CSRF, Account takeover |
- |
02/13/2021 |
[GITLAB] — Just another SSRF issue. |
Lyubomir Tsirkov |
GitLab |
SSRF |
$1,000 |
02/12/2021 |
How I was able to get extra coins |
Saddam Hussain (@wisdomfreak1) |
- |
Logic flaw, Android app bug |
- |
02/12/2021 |
Leaked Credentials gives access to internalfb.com |
Philippe Harewood (@phwd) |
Meta / Facebook |
Information disclosure |
$6,000 |
02/11/2021 |
Hacking Chess.com and Accessing 50 Million Customer Records |
Sam Curry (@samwcyo) |
Chess.com |
Reflected XSS, Information disclosure, Account takeover |
- |
02/11/2021 |
The “P” in Telegram stands for Privacy |
Dhiraj (@RandomDhiraj) |
Telegram |
Privacy issue |
$3,000 |
02/11/2021 |
Escalating reflected XSS with HTTP Smuggling |
Hazana (@hazanasec) |
- |
HTTP request smuggling, Reflected XSS |
- |
02/11/2021 |
Fastest Subdomain Take Over & DNS Misconfiguration Hunt. |
Kabeer (@iTheKabeer) |
- |
Subdomain takeover, DNS zone transfer |
- |
02/10/2021 |
Sending ephemeral message to any Facebook user |
Rahul Kankrale (@RahulKankrale) |
Meta / Facebook |
IDOR |
- |
02/10/2021 |
A Tale of 2nd $xxx Bounty from Facebook |
Kunjan Nayak |
Meta / Facebook |
Logic flaw |
$500 |
02/10/2021 |
Self-XSS to rXSS via Uploaded File Name |
P4nda (@InfoSecP4nda) |
- |
Self-XSS, Reflected XSS |
- |
02/09/2021 |
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies |
Alex Birsan |
Paypal, Shopify, Apple, Netflix, Yelp, Uber, Microsoft & more! |
Dependency confusion |
$130,000+ |
02/09/2021 |
Abusing URI Parsers for fun and profit |
Mohammad Owais (@_mohammadowais) |
- |
URL validation bypass |
$500 |
02/08/2021 |
Duplicate Registration - The Twinning Twins |
Jerry Shah (@Jerry) |
- |
Account takeover, Authentication flaw |
- |
02/08/2021 |
Bigbasket Bug Bounty Writeup |
Lohith Gowda M (@lohi_gowda_) |
- |
Insecure Local Storage |
- |
02/08/2021 |
Reflected XSS on a Public Program |
Naveen J (@thevillagehackr) |
- |
Reflected XSS |
- |
02/08/2021 |
How I Gain Access to the Server Administration of a Million-Dollar Company |
Marx Chryz Del Mundo |
- |
Privilege escalation, Mass assignment |
$5,000 |
02/06/2021 |
Escalating SSRF to RCE |
Sander Wind (@SanderWind) |
- |
SSRF, RCE |
- |
02/06/2021 |
XXE To AWS Metadata Disclosure |
Al-Madjus (@AlMadjus) |
- |
XXE |
$2,000 |
02/04/2021 |
Facebook Messenger Desktop App Arbitrary File Read |
Renwa (@RenwaX23) |
Meta / Facebook |
Arbitrary file read |
$2,000 |
02/04/2021 |
Page Admin Disclosed In Groups Due To Improper Session Handling In Facebook Web |
Samip Aryal |
Meta / Facebook |
Information disclosure |
- |
02/04/2021 |
Redwood Report2Web XSS and Frame injection |
vict0ni (@vict0ni) |
- |
Reflected XSS, Frame injection |
- |
02/04/2021 |
Bug bounty failure stories to learn from: how we ended up to hack a bank with no reward |
Red Timmy Security (@redtimmysec) |
- |
DoS, Default credentials |
- |
02/04/2021 |
Open Redirect vulnerability found using link parameter |
Muhammad Aamir (@Muhammad__Aamir) |
- |
Open redirect |
$100 |
02/04/2021 |
Microsoft Remote Desktop Web Access Authentication Timing Attack |
Matt Dunn |
Microsoft |
Timing attack, Authentication flaw |
- |
02/04/2021 |
How I was able to Turn a XSS into a Account Takeover |
Josh Fam (@Pullerze) |
- |
Web cache poisoning, Stored XSS, Account takeover, OAuth flaw, Logic flaw |
- |
02/03/2021 |
CVE-2020-9759 - Getting root on webOS |
Andreas Lindh (@addelindh) |
LG |
Local Privilege escalation, Browser bug |
- |
02/03/2021 |
Spoofing and Attacking With Skype |
mr.d0x (@mrd0x) |
Microsoft |
Spoofing |
- |
02/02/2021 |
Stealing Chat session ID with CORS and execute CSRF attack |
Sunil Yedla (@sunilyedla2) |
- |
CSRF, CORS misconfiguration |
- |
02/02/2021 |
Applying Offensive Reverse Engineering to Facebook Gameroom |
Eugene Lim (@spaceraccoonsec) |
Meta / Facebook |
Insecure deserialization |
- |
02/02/2021 |
1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group |
nhiephon (@_nhiephon) |
Meta / Facebook |
Information disclosure |
- |
02/02/2021 |
Access developer tasks list of any Facebook Application (GraphQL IDOR) |
Amine Aboud (@amineaboud) |
Meta / Facebook |
IDOR |
- |
02/01/2021 |
Disclose the FB profile of Facebook employees who create official announcement messages (Bug Bounty) |
Amine Aboud (@amineaboud) |
Meta / Facebook |
Information disclosure |
- |
02/01/2021 |
An Account Takeover Vulnerability Due to Response Manipulation. |
Avanish Pathak (@avanish46) |
- |
Authentication bypass, Account takeover |
$4,100 |
01/31/2021 |
An unexpected bug |
Nitin yadav (@Nitinydv14) |
- |
Bruteforce |
- |
01/31/2021 |
An Interesting Account Takeover Vulnerability |
Avanish Pathak (@avanish46) |
- |
IDOR, Account takeover |
- |
01/30/2021 |
Android apk leaks access token to takeover the whole infrastructure |
Santosh Kumar Sha (@killmongar1996) |
- |
Information disclosure, Hardcoded credentials |
- |
01/30/2021 |
How I chained P4 To P2 [Open Redirection To Full Account Takeover] |
Bishal Shrestha (@bishal0x01) |
- |
Open redirect, Account takeover |
- |
01/30/2021 |
Broken Access Control & Stored XSS - Easy Hunt |
Kabeer (@iTheKabeer) |
- |
Stored XSS, IDOR |
- |
01/29/2021 |
Destroying Armies and Villages through Cross-Site Scripting - Bug Bounty Write-up |
Fábio Freitas (@0xfabiof) |
InnoGames |
Stored XSS |
$1,000 |
01/29/2021 |
Cors Blimey: The power of chaining CORS |
Hazana (@hazanasec) |
- |
CORS misconfiguration, Stored XSS, CSRF |
- |
01/28/2021 |
Launching Internal & Non-Exported Deeplinks On Facebook |
Ashley King (@AshleyKingUK) & Rahul Kankrale (@RahulKankrale) |
Meta / Facebook |
CSRF |
$4,000 |
01/28/2021 |
Analysing Crash Messages To Achieve Blind Root Command Injection |
Shawar Khan (@ShawarkOFFICIAL) |
- |
Command injection |
- |
01/28/2021 |
Remote Code Execution – LimeSurvey (CVE-2018-7556) |
yeuchimse (@yeuchimse) |
- |
RCE |
- |
01/28/2021 |
OTP Bypass Account Takeover to Admin Panel — Ft. Header Injection |
Avinash Jain (@logicbomb_1) |
- |
OTP bypass, Account takeover |
- |
01/28/2021 |
Business Logic Error Methodology (easy way) + PoC-s |
Vuk Ivanovic |
- |
Logic flaw |
- |
01/28/2021 |
How We Escaped Docker in Azure Functions |
Intezer |
Microsoft |
Privilege escalation |
- |
01/27/2021 |
Weird functionality leads to Account Takeover (Millions of Users affected) |
Sahil Mehra (@nullr3x) |
- |
Account takeover, Authentication flaw |
$4,000 |
01/27/2021 |
Bragging Rights(Part 1): Short story of a bug wave |
Manas Harsh (@ManasH4rsh) |
- |
IDOR, Stored XSS, SSRF, Subdomain takeover, Hardcoded credentials |
$1,550 |
01/27/2021 |
Hijacking Google Drive Files (Documents, Photo & Video) Through Google Docs Sharing |
santuySec (@santuySec) |
Google |
Clickjacking |
$0 (Duplicate) |
01/27/2021 |
$500 For No Rate Limit On Forgot Password Page |
BBHC (@community_bug) |
- |
Lack of rate-limiting, Password reset flaw |
$500 |
01/27/2021 |
Finding SSRF BY Full Automation |
Santosh Kumar Sha (@killmongar1996) |
- |
SSRF |
- |
01/27/2021 |
BMW Bug Bounty – Account Verification Bypass writeup |
Pethuraj (@Pethuraj) |
BMW |
OTP bypass, Bruteforce, Lack of rate-limiting |
- |
01/26/2021 |
Leaking issues from linked Jira – Atlassian Confluence Server |
yeuchimse (@yeuchimse) |
Atlassian |
XS-Search |
$600 |
01/25/2021 |
Get paid by smuggling, the legal way |
James Ling (@James_puppykok) |
- |
HTTP Request Smuggling |
- |
01/25/2021 |
Chaining a self XSS to Account Takeover |
Arman Sameer (@ArmanSameer95) |
- |
Self XSS, Reflected XSS, Account takeover |
- |
01/25/2021 |
IDOR Revealing Images CDN Links |
susan wagle |
- |
IDOR |
- |
01/25/2021 |
Bypassing WAF with incorrect proxy settings for Hunting Bugs. |
Shaurya Sharma (@ShauryaSharma05) |
- |
URL validation bypass |
- |
01/25/2021 |
Sql Injection via hidden parameter |
Rutvik Hajare (@HajareRutvik) |
- |
SQL injection |
- |
01/24/2021 |
$10,000 for automatic email confirmation bug in Microsoft’s Edge browser |
Karan Chaudhary (@0xKaran) |
Microsoft |
Logic flaw |
$10,000 |
01/23/2021 |
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps |
CaptainFreak (@0xCaptainFreak) |
- |
Local File Read, RCE |
- |
01/23/2021 |
CSRF Protection Bypass in Atlassian Confluence Server |
yeuchimse (@yeuchimse) |
Atlassian |
CSRF |
$3,600 |
01/22/2021 |
Page Admin Disclosure When Replying Comments |
Prakash Panta (@prakashpanta268) |
Meta / Facebook |
Information disclosure |
$500 |
01/22/2021 |
Staff Information Disclosure on Support Ticketing System ($x,xxx) |
Ph.Hitachi |
- |
Information disclosure |
- |
01/22/2021 |
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card |
Yogev Bar-On |
Amazon |
RCE |
$18,000 |
01/21/2021 |
Story Behind Sweet SSRF. |
Rohit Soni (@streetofhacker) |
- |
SSRF, XSS |
- |
01/21/2021 |
SSRF Exploitation in Libreoffice Spreadsheet File Converter |
R4id3n (@R4id3n__) |
- |
SSRF |
- |
01/21/2021 |
[Bug Bounty] 600$ Info Disclosure: obtain any user’s backup data |
Tommaso De Ponti |
- |
Information disclosure, IDOR |
- |
01/19/2021 |
Open-redirect [in email] |
Akhil |
- |
Open redirect |
- |
01/19/2021 |
Simple & Sweet: Bypass email update restriction to change emails of team members |
Sunil Yedla (@sunilyedla2) |
- |
Logic flaw, Authorization flaw |
- |
01/19/2021 |
The Embedded YouTube Player Told Me What You Were Watching (and more) |
David Schütz (@xdavidhu) |
Google |
Information disclosure |
$1,337 |
01/18/2021 |
How I was rewarded a $1000 bounty after abusing File Upload functionality to Stored XSS Vulnerability leading to credential theft of a vistor in a website. |
Kunal Khubchandani (@iamkun4l) |
- |
Unrestricted file upload, Stored XSS |
$1,000 |
01/18/2021 |
Let’s know How I have explored the buried secrets in React Native application |
secureITmania (@secureitmania) |
- |
Information disclosure, Hardcoded credentials |
- |
01/18/2021 |
ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792 |
Ashley King (@AshleyKingUK) |
Apple, Google |
Insecure deeplink, Information disclosure |
$0 |
01/17/2021 |
Strange Admin Panel Bypass Story | | Bug Bounty |
Ranjeet Kumar Singh (@geekboyranjeet) |
- |
Authentication bypass, Account takeover |
- |
01/17/2021 |
My first and last crit of 2020 on Hackerone |
Takester (@dhiraj_ramteke) |
- |
Lack of rate-limiting, Bruteforce, IDOR, Password reset flaw, Account takeover |
- |
01/16/2021 |
Finding 0day to hack Apple |
Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob) |
Apple |
RCE |
$50,000 |
01/16/2021 |
Weaponizing Apify for mass bug bounty $$$ |
Randy Gingeleski (@gingeleski) |
- |
Akamai ARL attack |
- |
01/16/2021 |
Hacking naked Akamai ARL at scale |
Randy Gingeleski (@gingeleski) |
- |
Akamai ARL attack |
- |
01/15/2021 |
BitLocker Lockscreen bypass |
Jonas L (@jonasLyk) |
Microsoft |
Lockscreen bypass, Local privilege escalation |
- |
01/15/2021 |
Attack of the clones 2: Git CLI remote code execution strikes back |
Vitor Fernandes (@Rapt00rVF) |
GitHub |
RCE |
- |
01/15/2021 |
How I hijacked the top-level domain of a sovereign state |
Fredrik N. Almroth (@Almroot) |
Internet Bug Bounty |
Domain takeover |
- |
01/15/2021 |
Insertion Of Malicious Links For Execution In Profile Picture - Unvalidated User Input In MS Sharepoint 2019 (CVE-2020-1456) |
David (@slashcrypto) & user_x73x76x6E |
Microsoft |
XSS |
- |
01/15/2021 |
Irremovable Facebook group album photos and entire album under certain circumstances (Bounty: 1000 USD) |
Shubham Bhamare (@theshubh77) |
Meta / Facebook |
Logic flaw |
$1,000 |
01/14/2021 |
Tale of 2 TOOTB Bugs: Google and WhatsApp |
Circle Ninja (@circleninja) |
Google, Meta / Facebook |
| Title | Author(s) | Program | Bug type | Bounty | Date |
| --- | --- | --- | --- | --- | --- |
| | | | Information disclosure, Logic flaw | $0 | 01/14/2021 |
| How I managed to trigger a Stored-XSS in an online store with the help of Cache Poisoning | Schizo! | - | Web cache poisoning, Stored XSS | N/A (VDP) | 01/14/2021 |
| Story of a really cool SSRF bug. | Vedant Tekale (@_justYnot) | - | SSRF | - | 01/13/2021 |
| Making Clouds Rain :: Remote Code Execution in Microsoft Office 365 | Steven Seeley (@steventseeley) | Microsoft | RCE | - | 01/12/2021 |
| Stealing User Information Via XSS Via Parameter Pollution | Hamza Avvan (@hamzaavvan) | - | Open redirect, XSS | $1,250 | 01/12/2021 |
| CSRF with IDOR - A Deadly Combo | Jerry Shah (@Jerry) | - | CSRF, IDOR | - | 01/12/2021 |
| Unrestricted File Upload | Binamra Pandey | - | Unrestricted file upload | - | 12/12/2021 |
| Guest Blog Post: Leaking silhouettes of cross-origin images | Aleksejs Popovs (@aleksejspopovs) | Mozilla, Chrome | Side-channel information leakage, Browser bug | - | 01/11/2021 |
| Stealing Your Private YouTube Videos, One Frame at a Time | David Schütz (@xdavidhu) | Google | IDOR | $5,000 | 01/11/2021 |
| UNEP Breached, 100K+ Employee Records Accessed | Jackson Henry (@JacksonHHax), John Jackson (@johnjhacking), Nick Sahler (@nicksahler) & Aubrey Cottle | United Nations | Information disclosure | N/A (VDP) | 01/11/2021 |
| Weblogic Remote Code Execution (Exploiting CVE-2019-2725) | Mahmoud Gamal (@Zombiehelp54) | - | RCE | - | 01/10/2021 |
| Unauthorized Access to OData Entities + $2K Bounty From Microsoft | Borna Nematzadeh (@LogicalHunter) | Microsoft | Authorization flaw, Information disclosure | $2,000 | 01/10/2021 |
| How I was able to Regain access to account deleted by Admin leading to $$$ | Rajesh Ranjan (@rajesh_ranjan) | - | Logic flaw, Authorization flaw | - | 01/10/2021 |
| A ‘Novel’ Way to Bypass Executable Signature Checks with Electron | Parsia Hackerman (@cryptogangsta) | - | Local privilege escalation | - | 01/08/2021 |
| Create post on any Facebook page | Pouya Darabi (@Pouyadarabi) | Meta / Facebook | IDOR | $30,000 | 01/08/2021 |
| Exploiting Application-Level Profile Semantics (APLS) | Niemand (@niemand_sec) | - | APLS misconfiguration, API misconfiguration | - | 01/08/2021 |
| Blind XSS in Google Analytics Admin Panel — $3133.70 | Ashish Dhone | Google | Blind XSS | $3,133.70 | 01/08/2021 |
| Information Disclosure through Signup Endpoint | Sunil Yedla (@sunilyedla2) | - | Information disclosure | - | 01/08/2021 |
| Facebook: Linkshim protection bypass using fb://webview | Rahul Kankrale (@RahulKankrale) | Meta / Facebook | Open redirect | - | 01/08/2021 |
| $10,000 for a vulnerability that doesn’t exist | Valeriy Shevchenko (@Krevetk0Valeriy) | - | Path traversal | $10,500 | 01/07/2021 |
| Github Organization Takeover By Claiming Owner Invitation | Abss (@absshax) | Github | Account takeover, Logic flaw | $5,000 | 01/07/2021 |
| Stored XSS on Product Description [HIGH] — $400 | Emanuel Beni Harijanto | - | Stored XSS | $400 | 01/07/2021 |
| Subdomain Take Over Worth 100£ | c0d3x27 (@c0d3x27) | - | Subdomain takeover | £100 | 01/07/2021 |
| Finding bugs on Chess.com | Seqrity (@seqrity9) | Chess.com | Lack of rate limiting, Bruteforce, CSRF | $180 | 01/07/2021 |
| Nick’s infrequently updated blog | Nick Booher | Cloudflare | WAF bypass, IP spoofing | - | 01/06/2021 |
| Achieving Remote Code Execution By Exploiting Variable Check Feature | Shawar Khan (@ShawarkOFFICIAL) | - | RCE | - | 01/06/2021 |
| Incident Response during Christmas | TMO | - | Subdomain takeover | - | 01/05/2021 |
| Each and every request make sense… | Akshar Tank | - | Privilege escalation, Exposed JWT generation endpoint | - | 01/05/2021 |
| Privilege Escalation: From being a normal user to admin | Akshar Tank | - | Privilege escalation, Broken access control | - | 01/05/2021 |
| Exploiting Max. Character Limitation | Sunil Yedla (@sunilyedla2) | - | Logic flaw, DoS | $400 | 01/05/2021 |
| Patch. Bypass. Repeat: Story of a FaceBook Page Admin Disclosure bug worth $5000 | Shubham Bhamare (@theshubh77) | Meta / Facebook | Information disclosure | $5,000 | 01/04/2021 |
| Expose the email address of Workplace users | Youssef Sammouda (@samm0uda) | Meta / Facebook | IDOR, Information disclosure | $5,000 | 01/03/2021 |
| XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers | Youssef Sammouda (@samm0uda) | Meta / Facebook | XSS, Account takeover | $30,000 | 01/01/2021 |
| API based IDOR to leaking Private IP address of 6000 businesses | Rafi Ahamed (Leonidas D. Ace) | - | IDOR | - | 01/01/2021 |