| Story of an IDOR via HTTP |
Shuaib Oladigbolu (@_sawzeeyy) |
- |
IDOR |
- |
12/31/2019 |
| Exploiting HTML Injection in Email |
Shuaib Oladigbolu (@_sawzeeyy) |
- |
HTML injection |
- |
12/31/2019 |
| From POST to GET Open redirect |
Sourav Sahana (@kernel_rider) |
- |
Open redirect |
$450 |
12/31/2019 |
| Bug Hunting Journey of 2019 |
Sudhanshu Rajbhar (@sudhanshur705) |
Alibaba, Verizon Media, [Private program] |
XSS, Privilege escalation, Information disclosure |
$2,500 |
12/31/2019 |
| Exploiting a Self Stored XSS with an IDOR |
Shuaib Oladigbolu (@_sawzeeyy) |
- |
Self XSS, Stored XSS, IDOR |
- |
12/31/2019 |
| How did I earn $3133.70 from Google Translator? |
Beri Bey (@uppmen) |
Google |
XSS |
$3,133.70 |
12/30/2019 |
| Facebook Bug bounty Story: $X000 for an Information Disclosure Bug |
Circle Ninja (@circleninja) |
Facebook |
Information disclosure |
- |
12/29/2019 |
| How I made $7500 from My First Bug Bounty Found on Google Cloud Platform |
James Grunewald |
Google |
Logic flaw |
$7,500 |
12/29/2019 |
| Drop the mic?! no! Drop the connection ;) |
Sasi Levi (@sasi2103) |
Google |
DOM XSS |
- |
12/29/2019 |
| Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty |
Omkar Bhagwat (@th3_hidd3n_mist) |
- |
XSSI |
$0 (Duplicate) |
12/27/2019 |
| Bypassing Brand Collabs Manager Eligibility on Facebook |
Ajay Gautam (@evilboyajay) |
Facebook |
Authorization flaw |
$0 |
12/26/2019 |
| Subdomain takeover via pantheon |
Smaran Chand (@smaranchand) |
- |
Subdomain takeover |
- |
12/26/2019 |
| Microsoft Edge (Chromium) - EoP via XSS to Potential RCE |
Abdulrahman Al-Qabandi (@Qab) |
Microsoft |
XSS, RCE |
$40,000 |
12/24/2019 |
| SOP Bypass via browser-cache |
Aaron Costello (@ConspiracyProof) |
Keybase |
SOP bypass |
$1,500 |
12/24/2019 |
| Abusing ImageMagick to obtain RCE |
Strynx (@Strynx_Security) |
- |
ImageMagick, RCE |
$5,000 |
12/24/2019 |
| How we hacked one of the worlds largest Cryptocurrency Website |
Strynx (@Strynx_Security) |
- |
SQL injection, RCE |
- |
12/24/2019 |
| Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR) |
Vijay Kumar (@IndoAppSec) |
Airbnb |
IDOR |
$3,000 |
12/24/2019 |
| Bugbounty | A Dom Xss |
Jinone (@jinonehk) |
- |
DOM XSS |
$500 |
12/24/2019 |
| GraphQL IDOR leads to information disclosure |
Eshan Singh (@R0X4R) |
- |
IDOR |
- |
12/24/2019 |
| CSRF Token Bypasss — A Tale of my $2k bug |
Adeyefa Oluwatoba (@adeyefa_codes) |
- |
CSRF, Account takeover |
$2,000 |
12/23/2019 |
| reCAPTCHA Exploits |
Dr. Neal Krawetz (@hackerfactor) |
Google |
reCAPTCHA bypass |
$0 |
12/23/2019 |
| From broken link to subfolder takeover on Bukalapak |
wis4nggeni |
Bukalapak |
AWS flaw |
- |
12/23/2019 |
| 2 FA Bypass via CSRF Attack |
Vishal Bharad |
Mail.ru |
2FA bypass, CSRF |
$0 (Out of scope) |
12/23/2019 |
| Full Account Takeover (Android Application) |
Vishal Bharad |
- |
Information disclosure, Account takeover |
- |
12/21/2019 |
| Bypassing Captcha ! |
Abhishek Yadav (@abhishake100) |
- |
Captcha bypass |
$200 |
12/20/2019 |
| Account Takeover Through Password Reset Poisoning |
Vishal Bharad |
- |
Password reset flaw, Account takeover |
- |
12/19/2019 |
| #BugBounty — How Snapdeal (India’s Popular E-commerce Website) Kept their Users Data at Risk! |
Nanda Kumar (@nk00_nk) |
Snapdeal |
Insecure storage of sensitive information |
- |
12/19/2019 |
| [Google VRP] SSRF in Google Cloud Platform StackDriver |
Ron Chan (@ngalongc) |
Google |
SSRF |
- |
12/19/2019 |
| Abusing feature to steal your tokens |
Harsh Jaiswal (@rootxharsh) |
- |
OAuth flaw |
$3,750 |
12/17/2019 |
| BreakingApp – WhatsApp Crash & Data Loss Bug |
Dikla Barda, Roman Zaikin & Yaara Shriki |
Facebook |
DoS |
- |
12/17/2019 |
| [email protected] Disclosure via IDOR |
Pratyush Anjan Sarangi |
- |
IDOR |
$750 |
12/16/2019 |
| Stored Iframe Injection + CSRF = Account Takeover 😎😎 |
Rounak Dhadiwal (@XploiteR_D) |
- |
HTML injection, CSRF |
- |
12/16/2019 |
| How I Took Over 2 Subdomains with Azure CDN Profiles |
m0chan (@m0chan98) |
- |
Subdomain takeover |
- |
12/16/2019 |
| 4 Google Cloud Shell bugs explained |
[email protected] (@wtm_offensi) |
Google |
RCE |
- |
12/16/2019 |
| Authorization bug that every bug hunter missed on a popular program |
Ajinkya Pathare (@fellchase) |
- |
Authorization flaw |
- |
12/15/2019 |
| Vimeo upload function SSRF |
Sayed Abdelhafiz (@dPhoeniixx) |
- |
SSRF |
$5,000 |
12/13/2019 |
| How I was able to find a logical bug on Instagram? |
Jabir Khan (@Jabirkhan0x0) |
Facebook |
Logic flaw |
- |
12/13/2019 |
| Facebook New Account Verification Bypass |
Santosh Baral (@santoshbrl5) |
Facebook |
Authentication bypass |
$0 (Internal duplicate) |
12/13/2019 |
| Multiple Host Header Attacks after bypassing protection with… a Header Attack |
vict0ni (@vict0ni) |
- |
Host header injection |
- |
12/12/2019 |
| A $25 Easy Bug. |
Navneet (@na5n33t) |
- |
Session management flaw |
$25 |
12/12/2019 |
| SSRF via FFmpeg HLS processing |
Pflash Punk (@PflashPunk) |
- |
SSRF |
$0 (Duplicate) |
12/11/2019 |
|
| Blind Xss (A mind game to win the battle) |
Dirtycoder (@dirtycoder0124) |
- |
Blind XSS |
$1,000 |
12/11/2019 |
|
| AirDoS: Remotely render any nearby iPhone or iPad unusable |
Kishan Bagaria (@KishanBagaria) |
Apple |
DoS |
- |
12/10/2019 |
| Get pwned by scanning QR Code |
Nikhil Mittal (@c0d3G33k) |
Mozilla |
XSS, CSP bypass |
- |
12/10/2019 |
| Authentication Bypass |
Rushiikesh (@u1tran00b) |
- |
2FA bypass |
$700 |
12/09/2019 |
| Media deletion CSRF vulnerability on Instagram |
Pouya Darabi (@Pouyadarabi) |
Facebook |
CSRF |
$3,000 |
12/09/2019 |
| Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution. |
Vladimir Metnew (@vladimir_metnew) |
Telegram |
RCE |
$500 |
12/08/2019 |
| Reusing Cookies |
Ricardo Iramar dos Santos |
- |
Session management flaws |
$400 |
12/07/2019 |
| HTML Injection to XSS bypass in [REDACTED.com] |
Evan Ricafort (@evanricafort) |
- |
Reflected XSS |
$600 |
12/07/2019 |
| $150 XSS at Error Page of Respository Code |
Navneet (@na5n33t) |
- |
Reflected XSS |
$150 |
12/07/2019 |
| Google Chrome portal element fuzzing |
Pawel Wylecial (@h0wlu) |
Google |
RCE, Heap Buffer Overflow, Heap Use-After-Free |
$8,000 |
12/06/2019 |
| HTTP Request Smuggling + IDOR |
hipotermia (@hipotermia) |
- |
HTTP request smuggling, IDOR |
- |
12/05/2019 |
| XSS like a Pro |
Anas Mahmood (@AnasIsHere) |
- |
XSS |
$450 |
12/05/2019 |
| Dank Writeup On Broken Access Control On An Indian Startup |
Divyanshu Shukla |
- |
Unrestricted file upload, Authorization flaw |
- |
11/30/2019 |
| My first RCE: a tale of good ideas and good friends |
rez0 (@rez0__) |
- |
RCE, ImageTragick |
- |
11/29/2019 |
| How I turned Self XSS to Stored via CSRF |
Abhishek Yadav (@abhishake100) |
- |
Self XSS, CSRF |
$550 |
11/29/2019 |
| Hacking GitHub with Unicode’s dotless ‘i’ |
John Gracey (@jagracey) |
Github |
Logic flaw |
- |
11/28/2019 |
| XSS Stored On [ Outlook Web — Outlook Android App ] |
ElMahdi Mrhassel (@ElMrhassel) |
Microsoft |
Stored XSS |
$2,400 |
11/28/2019 |
Archived content |
| Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge |
Samm0uda (@samm0uda) |
Facebook |
Reflected XSS, Account takeover |
$5,000 |
11/27/2019 |
Archived content |
| Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings |
Johns Simon (@Johnssimon22) |
- |
Authorization flaw |
- |
11/27/2019 |
Archived content |
| How Did Tons of People Like Me on Tinder? |
Mustafa iran (@Mustafaran) |
- |
HTTP request smuggling |
$2,500 |
11/25/2019 |
| Finding a security bug in Discord and what it taught me |
Tristan Farkas (@TristanAtFarkas) |
Discord |
OAuth flaw |
- |
11/24/2019 |
| CORS Misconfiguration to Account TakeOver [Out of scope to grab items In-Scope] |
Mashoud1122 (@mashoud1122) |
- |
CORS misconfiguration, Open redirect, Reflected XSS, Session management flaw |
$1,500 |
11/24/2019 |
| The AccountTakeOver Killing Chain |
أنس روبي (@xhzeem) |
- |
Account takeover, CSRF, Self-XSS |
- |
11/23/2019 |
| Exploiting padding oracles with fixed IVs |
Teddy Katz (@not_aardvark) |
- |
Padding oracle, Account takeover |
- |
11/23/2019 |
| IDOR via Websockets |
Shuaib Oladigbolu (@_sawzeeyy) |
- |
IDOR |
- |
11/23/2019 |
| Stories Of IDOR-Part 2 |
Shivbihari Pandey (@ninja_pandit_) |
- |
IDOR |
$3,650 |
11/21/2019 |
| Disable Any Unconfirmed Account in Facebook |
Lokesh Kumar (@lokeshdlk77) |
Facebook |
Bruteforce |
$1,000 |
11/21/2019 |
| 700$ Denial of Service(DoS) vulnerability in script-loader.php (CVE-2018-6389) |
Pankaj Thakur (@Nep_1337_1998) |
- |
DoS |
$700 |
11/21/2019 |
| How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads |
Mohamed Daher |
- |
XSS |
$1,054 |
11/20/2019 |
| Cracking reCAPTCHA, Turbo Intruder style |
James Kettle (@albinowax) |
Google |
Race condition |
$0 |
11/20/2019 |
| Subdomain Takeover via Campaignmonitor.com |
Mohamed Haron (@m7mdharon) |
- |
Subdomain takeover |
$900 |
11/20/2019 |
| How I could delete Facebook Ask for Recommendations post’s place objects in comments |
Raja Sudhakar (@Rajasudhakar) |
Facebook |
IDOR |
- |
11/20/2019 |
| Broken session management leads to bypass 2FA and Permanent access to Facebook user’s |
Mahmoud Barakat (@0xBarakat) |
Facebook |
Authentication bypass |
- |
11/19/2019 |
| Million Users PII Leak Data Leak |
Shivbihari Pandey (@ninja_pandit_) |
- |
Information disclosure, Blind XSS |
$3,250 |
11/18/2019 |
| XSS in GMail’s AMP4Email via DOM Clobbering |
Michał Bentkowski |
Google |
XSS, DOM Clobbering |
- |
11/18/2019 |
| This is How I was able to hunt a rare bug in a private program |
Abida Fahd |
- |
Lack of authentication, Privilege escalation |
- |
11/18/2019 |
| My First Bug ($500) |
Abhishek Yadav (@abhishake100) |
- |
No valid SPF records |
$500 |
11/18/2019 |
| Bypassing the patch for my previous Instagram bug. |
Baibhav Anand (@iBaibhavJha) |
Facebook |
Authorization flaw, Logic flaw |
- |
11/18/2019 |
| Privilege Escalation with simple recon |
Mayur Gupta (@RisingHunter_) |
- |
Privilege Escalation, Blind XSS |
- |
11/16/2019 |
| LDAP Admin Account Bypassed :) |
Himanshu Pdy (@himanshu_pdy_01) |
- |
LDAP injection, Authentication bypass |
- |
11/16/2019 |
| Authenticated CORS with Access-Control-Allow-Origin: * |
BitK (@BitK_) |
Chromium |
Caching issue, Browser bug |
$0 (won’t fix) |
11/15/2019 |
| Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE) |
Daniel Marte (@DanielM59720745) |
- |
IDOR |
- |
11/15/2019 |
| Taking over Facebook Page Tabs |
Sagar Tanur (@Sagarvd01) |
Facebook |
Broken link hijacking |
$0 (informative) |
11/14/2019 |
| [Server Side Request Forgery] Blind SSRF due to Sentry Misconfiguration |
Kent Bayron (@bayronkentoy) |
- |
SSRF |
$300 |
11/14/2019 |
| Command Injection Through BLH |
Shankar R (@trapp3r_hat) |
Facebook |
Broken link hijacking |
$0 (informative) |
11/14/2019 |
| Mass XS-Search using Cache Attack |
terjanq (@terjanq) |
Google |
XS-Search |
- |
11/12/2019 |
| How I accidentally took down GitHub Actions |
Teddy Katz (@not_aardvark) |
GitHub |
Denial of Service, Commit Hash Collisions |
$5,000 |
11/12/2019 |
| Bug Bounty: Broken API Authorization |
Th3hidd3nmist (@th3_hidd3n_mist) |
- |
Authorization flaw |
$440 |
11/12/2019 |
| How i Bought VPS, Hosting, Domain only $0.01 |
Zerb0a |
- |
Payment tampering |
$500 |
11/12/2019 |
| Keylogging users via Slack themes |
Matt Langlois (@fletchto99) |
Slack |
CSS injection |
$500 |
11/11/2019 |
| My First SSRF Using DNS Rebinding |
Marek Geleta (@marek_geleta) |
- |
SSRF, DNS rebinding |
- |
11/11/2019 |
| DOM-Based XSS | Bug Bounty Writeup |
HacknPentest (@HacknPentest) |
- |
DOM XSS |
$100 |
11/10/2019 |
| BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! 😎 |
Akash Agrawal (@akashmagrawal) |
- |
2FA bypass, Lack of rate limiting |
- |
11/08/2019 |
| How I Hacked Dutch Government in 5 Minutes? Twitter Account Takeover |
Numan ÖZDEMİR (@numanozdemircom) |
Dutch Government |
Broken link hijacking |
$0, Swag |
11/06/2019 |
| A simple post auth bypass leads to unauthorized web server access |
Hein Thant Zin (@H3Lowr) |
- |
Default credentials |
$750 |
11/08/2019 |
| Bypassing GitHub’s OAuth flow |
Teddy Katz (@not_aardvark) |
GitHub |
OAuth flaw, Authorization bypass |
$25,000 |
11/05/2019 |
| [bugbounty] A Simple SSRF |
Jinone (@jinonehk) |
- |
SSRF, DNS Rebinding |
- |
11/05/2019 |
| XSS will never die |
Oleksandr Opanasiuk (@Lekssik2) |
- |
XSS |
- |
11/02/2019 |
| Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty |
Sam Curry (@samwcyo) |
- |
Null byte buffer overflow |
$40,000 |
11/01/2019 |
| Live Video facebook application (Android) its not expired when log out the device on https://www.facebook.com/settings?tab=security§ion=sessions&view |
Naufal Septiadi |
Facebook |
Logic flaw |
$500 |
10/30/2019 |
| GraphQL introspection leads to sensitive data disclosure |
Eshan Singh (@R0X4R) |
- |
Information disclosure |
- |
10/30/2019 |
| 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!) |
YoKo Kho (@YokoAcc) |
Avast |
Reflected XSS |
$5,000 |
10/29/2019 |
| Cross Site Request Forgery Critical Exploitable IN Infected Site? |
Hossam Mesbah |
- |
CSRF |
- |
10/29/2019 |
| XSS to Account Takeover |
Tomi (@noobe_io) |
- |
XSS, CSRF |
- |
10/29/2019 |
| [Leak] Can I take the user information, please?!! |
Mohamed Sayed (@FlEx0Geek) |
- |
Information disclosure |
- |
10/29/2019 |
| How I hacked 50+ Companies in 6 hrs |
Vignesh C (@pwn_r00t) |
- |
SSTI, RCE |
- |
10/29/2019 |
| [Writeup — FB] Crash web — app through application form of job application pages |
TienDat |
Facebook |
DoS |
- |
10/28/2019 |
| Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO) |
YoKo Kho (@YokoAcc) |
Opera |
RTLO |
- |
10/26/2019 |
| How to Takover a ldap server. |
Ashish Kunwar (@D0rkerDevil) |
- |
Exposed LDAP server |
- |
10/25/2019 |
| Session Expiration Bypass in Facebook Creator App |
Ajay Gautam (@evilboyajay) |
Facebook |
Session expiration bypass |
$1,500 |
06/22/2019 |
| How I earned by finding confidential customer data including plain-text passwords! |
Sushant Soni (@sushantsoni5392) |
- |
Directory listing, Information disclosure |
- |
10/24/2019 |
|
| NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] |
Nightwatch Cybersecurity (@nightwatchcyber) |
Google |
NFC |
- |
10/24/2019 |
|
| (POC) Disclose members in any closed Facebook group |
Ahmad Talahmeh |
Facebook |
Information disclosure |
$3,000 |
10/22/2019 |
|
| [ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google ) |
Danang Tri Atmaja (@danangtriatmj) |
Google |
Authentication flaw |
- |
10/21/2019 |
|
| How PayPal helped me to generate XSS |
Pflash Punk (@PflashPunk) |
Paypal |
Reflected XSS |
$250 |
10/20/2019 |
|
| Escalating Privileges like a Pro |
Gaurav Narwani (@gauravnarwani97) |
- |
Privilege escalation |
- |
10/20/2019 |
|
| Hunting for bounties antihack.me case study |
0xSha (@0xsha) |
AntiHack.me |
RCE, XSS, Logic flaw, Information disclosure |
- |
10/20/2019 |
| [email protected] Disclosure via IDOR |
Pratyush Anjan Sarangi |
- |
IDOR, Information disclosure |
$750 |
10/18/2019 |
| 1-800-Flowers Credentials and message log leak via facebook.com/facebook |
Philippe Harewood (@phwd) |
Facebook |
AWS misconfiguration |
- |
10/17/2019 |
| How I was able to bypass OTP code requirement in Razer [The story of a critical bug] |
Ananda Dhakal (@dhakal_ananda) |
Razer |
OTP bypass |
$1,000 |
10/16/2019 |
| How I found RCE But Got Duplicated |
Smile Hacker |
- |
Unrestricted file upload, RCE |
- |
10/15/2019 |
| [ Writeup — Bugbounty Facebook ] Disclosure the verified phone number in Checkpoint. |
TienDat |
Facebook |
Information disclosure |
$500 |
10/15/2019 |
| How I bypassed 2 Factor Authentication |
Hemant Singh Manral |
- |
2FA bypass |
$250 |
10/15/2019 |
| An inconsistent CSRF |
Smaran Chand (@smaranchand) |
- |
CSRF |
$0 |
10/15/2019 |
| Finding SQL injections fast with white-box analysis — a recent bug example |
frycos (@frycos) |
Zoho |
SQL injection |
- |
10/13/2019 |
| Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. |
Rohit kumar (@rohitcoder) |
Facebook |
Authorization flaw |
- |
10/12/2019 |
| Bypass Uppercase filters like a PRO (XSS Advanced Methods) |
Eduardo Nuri |
- |
XSS |
$1,000 |
10/11/2019 |
| How i Hacked BASF Company !! |
Murtada Kamil |
BASF |
Lack of authentication |
- |
10/10/2019 |
| EXIF Geolocation Data Not Stripped From Uploaded Images |
Sourav Newatia (@souravnewatia) |
- |
Information disclosure |
$500 |
10/09/2019 |
| How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores |
Prateek Tiwari |
Samsung |
Information disclosure |
- |
10/05/2019 |
| From Multiple IDORs leading to Code Execution on a different Host Container |
Rahul (@Rahul_R95) |
- |
IDOR, RCE |
- |
10/04/2019 |
| How I made 1000$ with AT&T Bug Bounty(H1) |
Adesh Kolte (@AdeshKolte) |
AT&T |
CSRF, Account takeover |
$1,000 |
10/02/2019 |
| REST framework Admin Panel bypass and how I recon for this vulnerability |
Aziz Hakim (@hackerb0y_) |
- |
Authentication bypass |
- |
10/02/2019 |
| GraphQL Introspection leads to Sensitive Data Disclosure. |
Pranay Bafna |
- |
Information disclosure |
- |
10/02/2019 |
| How to get RCE on AEM instance without Java knowledge |
byq (@ByQwert) |
- |
RCE |
$1,000 |
10/01/2019 |
| Stealing login credentials with Reflected XSS |
mehulpanchal007 (@007_sharky) |
- |
Reflected XSS |
$100 |
10/01/2019 |
| One Way to Find Hidden IDOR Vulnerability |
Vulkey_Chen (@Vulkey_Chen) |
- |
IDOR |
¥3,000 (~ $28) |
10/01/2019 |
| Bug Hunting: Xss On Cookie Popup Warning |
vict0ni (@vict0ni) |
- |
Reflected XSS |
- |
09/30/2019 |
| Spear texting via parameter injection |
Kyle (@B3nac) |
- |
Parameter tampering |
$900 |
09/29/2019 |
| XSS Is Love <3 ! |
Nirmal Dahal (@TheNittam) |
- |
XSS |
- |
09/29/2019 |
| Stories Of IDOR |
Shivbihari Pandey (@ninja_pandit_) |
- |
IDOR |
- |
09/28/2019 |
| OnePlus Open/Unvalidated Redirects & Forwards |
Mainak Sadhukhan |
OnePLus |
Open redirect |
- |
09/26/2019 |
| Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure |
Sam Curry (@samwcyo) |
Atlassian |
Path traversal |
$11,000 |
09/25/2019 |
| Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork - 1,000 USD |
YoKo Kho (@YoKoAcc) |
Paypal |
Information disclosure |
$1,000 |
09/24/2019 |
| ONEPLUS XSS vulnerability in Customer Support Portal |
Mainak Sadhukhan |
OnePLus |
XSS |
- |
09/24/2019 |
| Fuzzing Till |
Verneet (@err0rrrrr) |
- |
SSTI |
- |
09/23/2019 |
| Broken Link Hijacking - s3 buckets |
Tutorgeeks (@tutorgeeks) |
Google |
Broken link hijacking |
- |
09/22/2019 |
| [Bug Bounty] Exploiting Cookie Based XSS by Finding RCE |
Tomi (@noobe_io) |
- |
Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE, XSS |
- |
09/22/2019 |
| [Case Study] OAuth Misconfiguration leads to Account Takeover |
Gaurang Bhatnagar (@0xgaurang) |
- |
OAuth flaw, Account takeover |
- |
09/21/2019 |
| Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public |
Guhan Raja (@havocgwen) |
Facebook |
Privilege escalation |
$500 |
09/21/2019 |
| A Simple bypass of Registration Activation that Lead to many Bug - |
YoKo Kho (@YoKoAcc) |
- |
Information disclosure, IDOR, CSRF |
- |
09/21/2019 |
| Bug or Feature? GitHub Adventure #001 |
Dominik Opyd (@oad_earth) |
- |
OAuth flaw, Open redirect |
$0 |
09/21/2019 |
| Stored XSS on Zendesk via Macro’s PART 2 |
Hariharan.s |
Zendesk |
Stored XSS |
- |
09/20/2019 |
| IDOR in One plus leads to leak User personal Info. |
Aditya Sharma (@Assass1nmarcos) |
OnePlus |
IDOR |
$0, Swag |
09/20/2019 |
Archived content |
| How I able to Takeover 10 subdomains in a Private Program ? |
Mohamed Haron (@m7mdharon) |
- |
Subdomain takeover |
$500 |
09/20/2019 |
| Business ID leak via Creative Hub redirect |
Philippe Harewood (@phwd) |
Facebook |
Open redirect |
- |
09/20/2019 |
| Admin hijacked by Sea Surf Pirates |
Gaurav Narwani (@gauravnarwani97) |
Dolibarr |
Stored XSS, CSRF, Account takeover |
- |
09/19/2019 |
|
| SSRF | Reading Local Files from DownNotifier server |
Dr.FarFar (@3XS0) |
- |
SSRF |
- |
09/18/2019 |
| RCE with Flask Jinja Template Injection |
AkShAy KaTkAr (@AkShAy KaTkAr) |
- |
SSTI, RCE |
- |
09/17/2019 |
| Client, not client! |
Tung Pun |
- |
LFI |
$1,000 |
09/15/2019 |
| Google Referer Leak Bug |
Jayateertha G (@JayateerthaG) |
Google |
Referer leakage, information disclosure |
- |
09/15/2019 |
| How I found a simple and weird Account takeover bug |
Bijan Murmu (@0xBijan) |
- |
Account takeover, Lack of authentication |
- |
09/14/2019 |
| OTP Manipulation |
Kishan choudhary (@choudhary_1337) |
- |
OTP bypass |
$300 |
09/14/2019 |
| Race Condition that could Result to RCE - (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3) |
YoKo Kho (@YoKoAcc) |
- |
Race condition, RCE, Unrestricted file upload |
- |
09/14/2019 |
| I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead |
Anand Prakash (@sehacure) |
Uber |
Information disclosure |
$6,500 |
09/13/2019 |
| How two dead accounts allowed remote crash of any instagram android user |
Valerio brussani (@val_brux) |
Facebook |
DoS |
- |
09/13/2019 |
| Unauthorized access to all user information leaks |
C1h2e1 (@C1h2e11) |
- |
Information disclosure |
- |
09/13/2019 |
| HTTP Request Smuggling CL.TE |
memN0ps (@memN0ps) |
- |
HTTP request smuggling |
- |
09/13/2019 |
| Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. |
HackerOn2Wheels (@HackerOn2Wheels) |
- |
RCE, Unrestricted file upload |
$3,000 |
09/13/2019 |
| Facebook employee internal tool and conversations leaked in Facebook video |
Philippe Harewood (@phwd) |
Facebook |
Information disclosure |
- |
09/12/2019 |
| How I could have hacked your Uber account |
Anand Prakash (@sehacure) |
Uber |
Account takeover, IDOR |
$6,500 |
09/12/2019 |
| How does my recon win $250 in 15 minutes |
Hein Thant Zin (@H3Lowr) |
- |
Open redirect |
$250 |
09/12/2019 |
| Add users to roles on Facebook pages without an invitation consent |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw |
- |
09/12/2019 |
| Pwn Them All #BugBounty |
Bilal Khan (@bilalmerokhel) |
- |
Host header injection, Password reset flaw |
- |
09/11/2019 |
| Subscribe to the list of requesters to join a Facebook live video using MQTT |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw |
- |
09/10/2019 |
| H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress |
Julien Ahrens (@MrTuxracer) |
Uber |
Stored XSS, SQL injection |
- |
09/10/2019 |
| Telegram addresses another privacy issue |
Dhiraj (@RandomDhiraj) |
Telegram |
Logic flaw, Privacy issue |
€2,500 |
09/09/2019 |
| Accessing 2 million Verizon Pay Monthly contracts |
Daley Bee (@daley) |
Verizon |
Information disclosure, Authentication bypass, IDOR |
- |
09/09/2019 |
| Oculus identity verification bypass through brute-force |
karthik kumar reddy (@karthiksunny007) |
Facebook |
OTP bypass, Lack of rate limiting |
$750 |
09/09/2019 |
| XSS in Zoho Mail |
Anas Mahmood (@AnasIsHere) |
Zoho Mail |
XSS |
$200 |
09/08/2019 |
| Exploiting JSONP and Bypassing Referer Check |
Osama Avvan (@osamaavvan) |
- |
Information disclosure, JSONP flaw |
- |
09/07/2019 |
| Write up of two HTTP Requests Smuggling |
C1h2e1 (@C1h2e11) |
- |
HTTP request smuggling |
- |
09/07/2019 |
| Finding Gem in Someone’s Report: Instant $500USD at HackerOne Platform |
Hisoka Morou |
- |
Information disclosure |
$500 |
09/07/2019 |
| DOM Based XSS in Private Program |
Mohamed Haron (@m7mdharon) |
- |
DOM XSS |
$500 |
09/05/2019 |
| Readme.com Account Takeover |
Ankush Goel (@0xankush) |
Readme.com |
Password reset flaw |
$0 |
09/05/2019 |
| Exposed Jenkins to RCE on 8 Adobe Experience Managers |
Corben Leo (@hacker_) |
- |
RCE |
- |
09/04/2019 |
| Add new user with Admin permission and takeover the organization |
Tarek Mohamed (@Conan0x3) |
- |
Authorization flaw, Privilege escalation |
- |
09/04/2019 |
| RCE using Path Traversal |
inc0gbyt3 (@incogbyte) |
- |
RCE, Path traversal |
- |
09/02/2019 |
| HTML to PDF converter bug leads to RCE in Facebook server |
Samm0uda (@samm0uda) |
Facebook |
RCE |
$1,000 |
09/02/2019 |
Archived content |
| Google Cloud Blog platform vulnerability |
Alexandru Coltuneac (@dekeeu) |
Google |
XSS |
- |
09/01/2019 |
| Graphql Bug to Steal Anyone’s Address |
Pratik Yadav (@PratikY9967) |
- |
Information disclosure |
- |
09/01/2019 |
| My First LFI |
Tirtha Mandal (@tirtha_mandal) |
- |
LFI |
$1,000 |
08/31/2019 |
| Shodan is your friend!!! If you ignore him you will lose many… |
Vijaysimha Reddy Bathini (@fatratfatrat) |
- |
SQL injection, Authentication bypass |
- |
08/28/2019 |
| How to look for JS files Vulnerability for fun and profit? |
Yeasir Arafat |
- |
Information disclosure |
- |
08/27/2019 |
| Private bug bounty $ USD: “RCE as root on Marathon-Mesos instance” |
@omespino |
- |
RCE |
- |
08/27/2019 |
| How I Hacked Instagram Again |
Laxman Muthiyah (@LaxmanMuthiyah) |
Facebook |
Password reset flaw, Account takeover |
$10,000 |
08/26/2019 |
| Bug Bounty: Bypassing a crappy WAF to exploit a blind SQL injection |
Robin Verton (@robinverton) |
- |
Blind SQL injection |
- |
08/25/2019 |
| Create living room polls as a Facebook page analyst |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw |
$5,000 |
08/24/2019 |
| From Github Recon To Account Takeover |
Dipak kumar Das (@d1pakdas) |
- |
Information disclosure, Account takeover |
- |
08/24/2019 |
| Cookie worth a fortune |
Gaurav Narwani (@gauravnarwani97) |
- |
Reflected XSS |
- |
08/23/2019 |
|
| One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse |
Lorenzo Stella |
1Password, Keeper, Dashlane |
Information disclosure, Content leak |
- |
08/22/2019 |
| Rights Manager Graph API Disclosure of business employee to non business employee |
Jafar Abo Nada (@Jafar_Abo_Nada) |
Facebook |
Information disclosure |
- |
08/22/2019 |
| Instagram account is reactivated without entering 2FA ($500) |
Aman Shahid (@amansmughal) |
Facebook |
2FA bypass, Authentication flaw |
$500 |
08/21/2019 |
| Sending Message as page being an analyst/ advertiser? |
Baibhav Anand (@iBaibhavJha) |
Facebook |
Authorization flaw |
$0 |
08/21/2019 |
| How I made my first $$$ from finding a bug in Facebook |
Aayush Pokhrel (@aayushpok) |
Facebook |
Authorization flaw |
- |
08/21/2019 |
| How I upgraded my privileges to the administrator of Odnoklassniki’s url shortener |
Sergey Kashatov (@iframe0x01) |
ok.ru |
Privilege escalation |
$500 |
08/20/2019 |
| Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device |
Arvind |
Facebook |
Authorization flaw |
- |
08/19/2019 |
| U.S. Department of Defense - Info Disclosure and SQLi Writeup |
Aaron Esau (@arinerron) |
U.S. Dept Of Defense |
Information disclosure, SQL injection |
- |
08/19/2019 |
| Removing profile pictures for any Facebook user |
Philippe Harewood (@phwd) |
Facebook |
IDOR |
$2,500 |
08/19/2019 |
| How I was able to earn 1000$ with just 10 minutes of bug bounty? |
Ninad Mathpati (@ninad_mathpati) |
- |
Password reset flaw |
$1,000 |
08/17/2019 |
| ByPassing fix of Domain Blocking feature in Business Manager |
Rohit kumar (@rohitcoder) |
Facebook |
Authorization flaw, Logic flaw |
- |
08/15/2019 |
| Facebook Messenger exposing deleted messages using [Remove for Everyone] |
Renwa |
Facebook |
Logic flaw |
- |
08/15/2019 |
| BookMyShow account takeover using social login |
Sukhmeet Singh (@MadGuyyy) |
BookMyShow |
OAuth flaw, Account takeover |
$₹2000 (~ $28) |
08/15/2019 |
| [Business Logic] Bypassing Nickname Feature |
Kent Bayron (@bayronkentoy) |
- |
Logic flaw |
$50 |
08/14/2019 |
| [Business Logic Bug] Bypassing Nickname Feature |
Kent Bayron / kntx (@bayronkentoy) |
- |
Logic flaw |
$50 |
08/14/2019 |
| BugBounty WriteUp — take attention and get Stored XSS |
Oleksandr Opanasiuk (@Lekssik2) |
- |
Stored XSS |
- |
08/14/2019 |
| How I XSSed Admin Account |
Gaurav Narwani (@gauravnarwani97) |
- |
Stored XSS, Account takeover |
- |
08/13/2019 |
|
| SSRF Vulnerability in https://app.[REDACTED].com |
Evan Ricafort (@evanricafort) |
- |
SSRF |
$0 (Duplicate) |
08/13/2019 |
| Reporting - Amazon 1 click device XSS |
Sneakerhax (@sneakerhax) |
Amazon |
XSS |
- |
08/12/2019 |
| Clickjacking DOM XSS on Google.org |
Thomas Orlita (@ThomasOrlita) |
Google |
Clickjacking, DOM XSS |
- |
08/12/2019 |
| Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up) |
Evan Ricafort (@evanricafort) |
- |
DoS |
$300 |
08/10/2019 |
| Two Easy RCE in Atlassian Products |
Valeriy Shevchenko |
Atlassian |
RCE |
- |
08/09/2019 |
| Read other user support tickets in https://support..com (Write Up) |
Evan Ricafort (@evanricafort) |
- |
IDOR |
$120 |
08/09/2019 |
| Privilege Escalation using Api endpoint |
Ronak Patel (@ronak_9889) |
- |
Privilege Escalation |
- |
08/09/2019 |
| Writing my Medium blog to complete account takeover |
Rotem Reiss (@rotem_reiss) |
Medium |
Stored XSS, Account takeover |
$1,000 |
08/09/2019 |
| Exploiting Out Of Band XXE using internal network and php wrappers |
Mahmoud Gamal (@Zombiehelp54) |
- |
XXE |
- |
08/06/2019 |
| Exploiting Out Of Band XXE using internal network and php wrappers |
Mahmoud Gamal (@Zombiehelp54) |
- |
XXE |
- |
08/06/2019 |
| BugBounty WriteUp — Creative thinking is our everything (Race Condition + Business Logic Error) |
Oleksandr Opanasiuk (@Lekssik2) |
- |
Race condition, Logic flaw |
- |
08/05/2019 |
| Stored XSS on LaporBug.id |
rizal (@sayadarijawa) |
LaporBug.id |
Stored XSS |
- |
08/05/2019 |
| Vulnerability in Hangouts Chat: from open redirect to code execution |
VulnerabilityLabs |
Google |
Open redirect, RCE |
$7,500 |
08/04/2019 |
| Leveraging AngularJS-based XSS to Privilege Escalation |
Shawar Khan (@ShawarkOFFICIAL) |
- |
XSS, Privilege escalation |
- |
08/04/2019 |
| How I Found XSS By Searching In Shodan |
D1vy4n5hu 5hukl4 (@justm0rph3u5) |
- |
Reflected XSS |
- |
08/04/2019 |
| No Rate limiting eligible for bounty ? |
Smaran Chand (@smaranchand) |
- |
Lack of rate limiting |
- |
08/03/2019 |
| From Sub domain Takeover to Open-Redirect |
Anil Tom (mr_4nk) |
- |
Subdomain takeover, Open redirect |
$150 |
08/02/2019 |
| One Misconfig (JIRA) to Leak Them All- Including NASA and Hundreds of Fortune 500 Companies! |
Avinash Jain (@logicbomb_1) |
- |
Information disclosure |
- |
08/02/2019 |
| Bypassing CORS |
VulnerabilityLabs |
- |
CORS misconfiguration |
- |
08/01/2019 |
| Complete information disclosure using Broken Access Control |
Bhavesh Thakur (@Bhavesh_Thakur_) |
- |
Information disclosure, Authorization flaw |
$100 |
08/01/2019 |
| Download predictions details of ads plans of any business. |
Samm0uda (@samm0uda) |
Facebook |
IDOR |
- |
08/01/2019 |
Archived content |
| Internal path disclosure in Instagram server |
Samm0uda (@samm0uda) |
Facebook |
Internal path disclosure, Information disclosure |
- |
08/01/2019 |
Archived content |
| Access portal of Facebook mobile retailers and see earnings and referrals reports. |
Samm0uda (@samm0uda) |
Facebook |
IDOR, Authorization flaw |
$500 |
08/01/2019 |
Archived content |
| View orders and financial reports lists for any page shop. |
Samm0uda (@samm0uda) |
Facebook |
Authorization flaw |
$500 |
08/01/2019 |
Archived content |
| Bypassing CORS |
Saad Ahmed (@XSaadAhmedX) |
- |
CORS misconfiguration |
- |
08/01/2019 |
| RCE in Ruby using Mustache Templates |
Rhys Elsmore (@rhyselsmore) |
- |
RCE |
- |
08/01/2019 |
| Reposted [2017]: LinkedIn Hacker’s Experience |
Alexandru Coltuneac (@dekeeu) |
LinkedIn |
Stored XSS |
- |
07/30/2019 |
| Reposted [2019]: Hacking YouTube for #fun and #profit |
Alexandru Coltuneac (@dekeeu) |
Google |
Authorization flaw |
- |
07/30/2019 |
| Paypal bug $10K - All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts |
Mohd haji (@mohdhaji24) |
Paypal |
IDOR |
$10,500 |
07/30/2019 |
| SQL Injection in private-site.com/login.php |
Mohamed Haron (@m7mdharon) |
- |
SQL injection |
$0 (Out of scope) |
07/30/2019 |
| 1st Bounty Story | Rewarded 300$ (IDOR) |
Md Hridoy |
- |
IDOR |
$300 |
07/29/2019 |
| Story of an IDOR via Email |
Shuaib Oladigbolu (@_sawzeeyy) |
- |
IDOR |
- |
07/29/2019 |
| Old GitHub Profile Takeover! |
Mohamed Haron (@m7mdharon) |
- |
Github account takeover |
$1,000 |
07/28/2019 |
| Chaining Cache Poisoning To Stored XSS |
Rohan aggarwal (@nahoragg) |
- |
Web cache poisoning, Stored XSS |
- |
07/28/2019 |
| Solr Injection by abusing Local Parameters on Zomato.com |
Ronak Patel (@ronak_9889) |
Zomato |
Solr Injection |
$700 |
07/27/2019 |
| Story about Facebook Oauth Account Takeover |
Zerb0a |
iLOTTE |
Account takeover, OAuth flaw |
IDR 2.000.000 (~ $150) |
07/26/2019 |
| Facebook BugBounty: Tale of an Instagram bug disclosing user’s phone number via checkpoint |
Bijan Murmu (@0xBijan) |
Facebook |
Information disclosure |
- |
07/26/2019 |
| Full Account Takeover via Changing Email And Password of any User through API Parameters |
Adesh Kolte (@AdeshKolte) |
- |
IDOR, Password reset flaw, Account takeover |
- |
07/26/2019 |
| Price Parameter Tampering On Bukalapak |
Apapedulimu (@LocalHost31337) |
Bukalapak |
Parameter tampering |
$150 |
07/24/2019 |
| How I found the most critical bug in live bug bounty event? |
Lakshay (@inn0c3ntd3v1L) |
- |
Password reset flaw, Account takeover |
- |
07/24/2019 |
| XSS to RCE in … |
Hungry Bytes (@hungrybytes) |
Github |
XSS, RCE |
- |
07/24/2019 |
| Disclose any main and 3rd party contributors email address and movie local path thru XML file in Plex TV - plex.tv (Write Up) |
Evan Ricafort (@evanricafort) |
Plex TV |
Information disclosure, Path disclosure |
$0 |
07/24/2019 |
| XX to XXX in one day |
Baibhav Anand (@iBaibhavJha) |
WePay, [Private program] |
Account takeover, Parameter tampering |
- |
07/23/2019 |
| Pwning child company to get access to ParentCompany’s Slack Team |
Parth Malhotra (@Parth_Malhotra) |
- |
SQL injection, Default credentials |
- |
07/23/2019 |
| XSS On Twitter [Worth 1120$] |
Bywalks (@bywalkss) |
- |
XSS |
$1,120 |
07/22/2019 |
| Reflected XSS in Ebay.com |
Sukhmeet Singh (@MadGuyyy) |
Ebay |
Reflected XSS |
$0, HoF |
07/22/2019 |
| Subscribe to typing notifications for any Instagram user |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw |
$5,750 |
07/21/2019 |
| Not a fancy bug, just HTML Injection in Clause - clause.io (Write Up) |
Evan Ricafort (@evanricafort) |
Clause |
HTML injection |
$250 |
07/21/2019 |
| Shopping Products For Free- Parameter Tampering Vulnerability |
D1vy4n5hu 5hukl4 (@justm0rph3u5) |
- |
Parameter tampering, Payment tampering |
- |
07/21/2019 |
| Exploiting a Tricky Blind SQL Injection inside LIMIT clause |
Rahul Maini |
- |
SQL injection |
- |
07/21/2019 |
| Get Page Inbox notifications for any Facebook page |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw, Information disclosure |
- |
07/20/2019 |
| Microsoft ID Open Redirect |
Burninator Sec |
Microsoft |
Open redirect |
$0 |
07/19/2019 |
| Microsoft Office 365 - Outlook XSS |
Abdulrahman Al-Qabandi (@Qab) |
Microsoft |
XSS |
- |
07/19/2019 |
| SQL Injection in Forget Password Function |
Khaled Gaber |
- |
SQL injection |
- |
07/18/2019 |
| How to lock a GitHub user out of their repos (bug or feature?) |
Teserakt AG |
Github |
DoS |
$0 (Feature) |
07/18/2019 |
| Сookie-based XSS exploitation | $2300 Bug Bounty story |
Max (@iSecMax) |
- |
XSS |
$2,300 |
07/17/2019 |
| Account Takeover Vulnerability :) |
Sumit Jain (@sumit_cfe) |
- |
Password reset flaw, Account takeover |
- |
07/17/2019 |
| How Recon helped me to to find a Facebook domain takeover |
Sudhanshu Rajbhar (@sudhanshur705) |
Facebook |
Subdomain takeover |
$500 |
07/17/2019 |
| Facebook Informative Bug From Triaged |
Circle Ninja (@circleninja) |
Facebook |
Lack of rate limiting |
$0 |
07/17/2019 |
| CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook |
Lokesh Kumar (@lokeshdlk77) |
Facebook |
CSRF |
$3,000 |
07/16/2019 |
| Bypass CSRF With ClickJacking Worth $1250 |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
CSRF, Clickjacking |
$1,250 |
07/16/2019 |
| What do Netcat, SMTP and self XSS have in common? Stored XSS |
Plenum (@plenumlab) |
- |
Stored XSS |
- |
07/16/2019 |
| How I Could Get The Instagram Username of Anyone on Tinder |
Shahar Albeck |
Tinder |
Information disclosure |
- |
07/16/2019 |
| The Bugs Are Out There, Hiding in Plain Sight |
A Bug’z Life (@abugzlife1) |
- |
IDOR, SSRF, Information disclosure, CORS misconfiguration |
$9,000 |
07/15/2019 |
| 500$ bounty: Man in the Middle on Slack |
Wiard van Rij / Sysrant (@RijWiard) |
Slack |
MiTM |
$500 |
07/15/2019 |
| Facebook Bug : Sending messages as a page with jobmanager permission |
Devansh batham (@devanshwolf) |
Facebook |
Authorization flaw, Privilege escalation |
$0 (Duplicate) |
07/15/2019 |
| [TOKOPEDIA] Site-wide CSRF through GraphQL request |
Rafie Muhammad (@rafiem777) |
Tokopedia |
CSRF |
- |
07/15/2019 |
| How I Could Have Hacked Any Instagram Account |
Laxman Muthiyah (@LaxmanMuthiyah) |
Facebook |
Race condition, Rate limiting bypass |
$30,000 |
07/14/2019 |
| Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program |
Sam Curry (@samwcyo) |
Tesla |
Blind XSS |
$10,000 |
07/14/2019 |
| Hacking intoTinder’s Premium Model |
Sanskar Jethi (@sansyrox) |
Tinder |
Authorization flaw |
$0 |
07/14/2019 |
| Account takeover on Airbnb acquisition | An Unusual Bug Part-2 🐛 |
PRince CHaddha (@princechaddha) |
Airbnb |
IDOR, Account takeover |
Swag |
07/13/2019 |
| Facebook Bug bounty page admin disclose bug {Facebook Android app} |
Yusuf Furkan (@h1_yusuf) |
Facebook |
Information disclosure |
$500 |
07/12/2019 |
| XSS on Google Custom Search Engine |
KL Sreeram (@kl_sree) |
Google |
XSS |
- |
07/11/2019 |
| Story of my Biggest Bounty ever : Command Execution on Jenkin |
Jay Jani (@JayJani007) |
- |
RCE |
$8,000 |
07/11/2019 |
| SQL Injection Bug Bounty POC! |
Arif-ITSEC111 |
- |
SQL injection |
€5,000 |
07/11/2019 |
| Tale of account takeover — Sensitive info Disclosure + Broken Access Control |
Md Saqib (@sakyb7) |
- |
IDOR, Account takeover |
$2,650 |
07/10/2019 |
| OAuth authentication bypass on Airbnb acquisition using 1-char Open Redirect |
Evgeniy Yakovchuk (@h1_sp1d3r) |
Airbnb |
Open redirect, OAuth token theft, Account takeover |
- |
07/10/2019 |
| A malicious editor of a page can support to a community action which can’t be unsupported by the admin! |
mAshraf |
Facebook |
Authorization flaw |
- |
07/09/2019 |
| Information Disclosure via Misconfigured AWS to AWS Bucket Takeover |
Pratyush Anjan Sarangi |
- |
AWS flaw |
- |
07/08/2019 |
| Cleartext password in LocalStorage (Writeup) |
ruv lol |
- |
Violation of secure design principles |
$1,500 |
07/07/2019 |
| Blind (time-based) SQLi - Bug Bounty |
Jspin |
- |
SQL injection |
- |
07/05/2019 |
| Facebook Vulnerability: Unremovable Co-Host in facebook page events |
Ritish Kumar Singh |
Facebook |
Logic flaw, DoS |
$500 |
07/04/2019 |
| Account Takeover Using CSRF(json-based) |
shub rathore (@shub66452) |
- |
CSRF, Account takeover |
$1,000 |
07/04/2019 |
| Story of a stored xss to full account takeover vulnerability(N/A to accepted) |
Jatin Aesthetic (@techyfreakk) |
- |
Stored XSS |
- |
07/04/2019 |
| Finding hidden gems vol. 4: Rakefile a.k.a. how to get AWS keys again |
Mateusz Olejarka |
- |
Information disclosure, Github leak |
- |
07/03/2019 |
| Yeah! I got P2 in 1 minute - Stored XSS via Markdown Editor |
Schopath |
- |
Stored XSS |
- |
07/02/2019 |
|
| Injecting {{6*200}} to $1200 |
Gaurav Narwani (@gauravnarwani97) |
- |
SSTI |
$1,200 |
07/02/2019 |
|
| Another Download Protection Bypass in Google Chrome – BIN files in Mac OS |
Nightwatch Cybersecurity (@nightwatchcyber) |
Google |
Browser flaw |
$1,000 |
07/02/2019 |
|
| How I escalated RFI into LFI |
Hassan Khan Yusufzai (@Splint3r7) |
- |
RFI, LFI |
- |
07/01/2019 |
| Accidental IDOR |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
IDOR |
- |
07/01/2019 |
| Stored XSS on Indeed |
Tirtha Mandal (@tirtha_mandal) |
Indeed |
Stored XSS |
$1,500 |
06/30/2019 |
| One more Parameter manipulation bug (🤑) |
Kanchan Singh Yadav (@KanchanSingh0) |
- |
Parameter tampering |
- |
06/28/2019 |
| Facebook BugBounty : Short story on Page admin disclosure |
Bijan Murmu (@0xBijan) |
Facebook |
Authorization flaw, Privilege escalation |
- |
06/28/2019 |
| Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution |
Reegun J (@reegun21) |
Microsoft |
RCE |
- |
06/28/2019 |
| Gain adfly SMTP access with SSRF via Gopher Protocol |
Zerb0a |
Adf.ly |
SSRF |
- |
05/27/2019 |
| View Facebook payouts for any Facebook Trivia Game |
Philippe Harewood (@phwd) |
Facebook |
Information disclosure |
$0 (Informative) |
05/27/2019 |
| 1-Click Account Takeover in Virgool.io — a Nice Case Study |
Yasho (@YShahinzadeh) |
Virgool |
Account takeover, Open redirect |
- |
06/27/2019 |
| CORS To CSRF Attack |
Osama Avvan (@osamaavvan) |
- |
CORS misconfiguration, CSRF |
- |
06/27/2019 |
| Toggle Group Rules Agreement as a non-member |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw |
- |
06/26/2019 |
| Sensitive Information Disclosure: Web Cache Deception Attack |
Wasim Shaikh (@Wa_sim_sim) |
Intuit |
Information disclosure |
$0, HoF |
06/26/2019 |
| Download .arexport files for any public AR Studio Effect |
Philippe Harewood (@phwd) |
Facebook |
IDOR |
- |
06/24/2019 |
| CSV injection at Comment Section. |
Navneet (@na5n33t) |
- |
CSV injection |
$0 (VDP) |
06/24/2019 |
| Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference) |
Muhammad Asim Shahzad |
- |
Password reset flaw, IDOR, Account takeover |
$1,200 |
06/22/2019 |
| Page Admin Disclosure | Facebook Bug Bounty 2019 |
Ajay Gautam (@evilboyajay) |
Facebook |
Authorization flaw |
$1,000 |
06/22/2019 |
| How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105 |
Bryan Appleby (@bryapp) |
Microsoft |
XSS |
- |
06/21/2019 |
| Catching support emails from my internet service provider |
Sander Lentink |
T-Mobile |
Email account takeover |
$0 (VDP), Swag |
06/21/2019 |
| $1800 worth Clickjacking |
Osama Avvan (@osamaavvan) |
- |
Clickjacking |
$1,800 |
06/21/2019 |
| About a Sucuri RCE…and How Not to Handle Bug Bounty Reports |
Julien Ahrens (@MrTuxracer) |
Sucuri |
RCE |
$750 |
06/22/2019 |
| IDOR: Payment Fraud |
Vibhurushi Chotaliya (@Vibhurushi) |
- |
IDOR, Payment tampering |
- |
06/20/2019 |
| Self XSS To Evil XSS |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
XSS |
$0 |
06/20/2019 |
| A Fight For Duplicate Marked Bug: Story of BBC Hall Of Fame |
Wasim Shaikh (@Wa_sim_sim) |
BBC |
XSS |
$0 (HoF) |
06/20/2019 |
| How a classical XSS can lead to persistent ATO Vulnerability? |
Milind Purswani (@MilindPurswani) & Yash Sodha (@y_sodha) |
- |
XSS, Account takeover |
- |
06/19/2019 |
| Facebook Vulnerability: Unremovable Co-Host in facebook group events |
Ritish Kumar Singh |
Facebook |
Logic flaw |
$500 |
06/19/2019 |
| Account Takeover with Clickjacking |
Osama Avvan (@osamaavvan) |
- |
Clickjacking |
- |
06/19/2019 |
| XSS Filter Evasion |
m0z (@LooseSecurity) |
- |
XSS |
- |
06/17/2019 |
| Business user Employees could have applied block list to all ad accounts listed in the business manager. |
Rohit kumar (@rohitcoder) |
Facebook |
Authorization flaw, Logic flaw |
$500 |
06/17/2019 |
| Reflected XSS in Tokopedia Train Ticket |
Jon Bottarini (@jon_bottarini) |
New Relic |
Reflected XSS |
IDR 3.000.000 (~ $212) |
06/17/2019 |
| Using Burp Suite match and replace settings to escalate your user privileges and find hidden features |
Jon Bottarini (@jon_bottarini) |
New Relic |
Client-side enforcement of server-side security |
$500 |
06/17/2019 |
| Parameter Pollution issue in API resulting $XXX |
Smaran Chand (@smaranchand) |
- |
Parameter pollution |
- |
06/17/2019 |
| SQl Injection |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
SQl Injection |
$500 |
06/17/2019 |
| Bypassing XSS filter and Stealing User Payment Data |
Osama Avvan (@osamaavvan) |
- |
XSS |
$0 (Duplicate) |
06/17/2019 |
| Password Bypass and Something Else… |
Vibhurushi Chotaliya (@Vibhurushi) |
- |
Authentication bypass |
$600 |
06/16/2019 |
| How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration? |
Muhammad Asim Shahzad |
Dropbox |
AWS flaw |
$1,500 |
06/16/2019 |
| Account Takeover Worth $900 |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
Account takeover, CSRF |
$900 |
06/16/2019 |
| Stealing Cookies to Login in any Account |
Osama Avvan (@osamaavvan) |
- |
Cookie theft |
$900 |
06/16/2019 |
| Bug Bounty - Information Disclosure through error message + WAF Bypass led to Local File Inclusion |
Λявєη (@spenkkkkk) & Çlirim Emini (@0xcela) |
- |
WAF bypass, LFI, Information disclosure |
- |
06/15/2019 |
| Complete Web Server Access |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
Unrestricted file upload, RCE |
$500 |
06/15/2019 |
| Fullscreen API Attack’s Revisited and the FaceBook NA Story |
Circle Ninja (@circleninja) |
Facebook |
Fullscreen API Attack |
$0 (N/A) |
06/15/2019 |
| XSSing Google Employees — Blind XSS on googleplex.com |
Thomas Orlita (@ThomasOrlita) |
Google |
Blind XSS |
- |
06/15/2019 |
| Admin Account total Information Disclosure |
Nishant Saurav (@inishantsinha) |
- |
Source code disclosure, Information disclosure |
$200 |
06/15/2019 |
| IDOR — Account Takeover |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
IDOR |
$500 |
06/14/2019 |
| How spending our Saturday hacking earned us 20k |
Matti Bijnens (@MattiBijnens) |
- |
IDOR |
$20,000 |
06/14/2019 |
| IDOR — Account Takeover |
Injector Pca / SaadAhmed (@XSaadAhmedX) |
- |
IDOR |
- |
06/14/2019 |
| Chaining Improper Authorization To Race Condition To Harvest Credit Card Details : A Bug Bounty Story |
Mandeep Jadon (@1337tr0lls) |
- |
Authorization flaw, Race condition |
- |
06/13/2019 |
| Redstrom Denial Of Service — Write Up |
Zerb0a |
- |
DoS |
$0, Swag |
06/12/2019 |
| Reflected XSS on Error Page |
Tomi (@noobe_io) |
- |
Reflected XSS |
- |
06/11/2019 |
| Facebook Vulnerability: Non-unfriendable user in /hacked workflow |
Ritish Kumar Singh |
Facebook |
Logic flaw |
$1,500 |
06/11/2019 |
| Account takeover using IDOR and the misleading case of error 403. |
Plenum (@plenumlab) |
- |
IDOR |
- |
06/11/2019 |
| IDOR Leads To Project Takeover |
Hariharan.s |
- |
IDOR |
- |
06/09/2019 |
| Don’t underestimates the Errors They can provide good $$$ Bounty! |
Aditya Sharma (@Assass1nmarcos) |
Mamba |
Information disclosure, Path disclosure |
$200 |
06/07/2019 |
| How I was able to get private ticket response panel and FortiGate web panel via blind XSS |
Bijan Murmu (@0xBijan) |
- |
Blind XSS |
$1,250 |
06/06/2019 |
| Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) |
Nikhil Mittal (@c0d3G33k) |
Microsoft |
Browser bug |
$15,000 |
06/06/2019 |
| Unicode vs WAF — XSS WAF Bypass |
Prial Islam Khan (@prial261) |
- |
XSS |
- |
06/05/2019 |
| Bypassing CSP with policy injection |
Gareth Heyes (@garethheyes) |
Paypal |
CSP bypass |
$900 |
06/05/2019 |
| REMOTE CODE EXECUTION ! 😜 Recon Wins |
Vishnuraj KV |
- |
RCE |
- |
06/04/2019 |
| Chaining multiple low-impact bugs to arbitrary file read in GitLab |
Li Rongxi (@nyan_gawa) |
GitLab |
Directory traversal |
- |
06/04/2019 |
| Simple PathTraversal bypass |
fr0stNuLL |
- |
Path traversal |
- |
06/03/2019 |
| Missing access control at play store |
Vishwaraj Bhattrai (@vishwaraj101) |
Google |
Authorization flaw |
- |
06/03/2019 |
| The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise |
Avinash Jain (@logicbomb_1) |
- |
RFI, SSRF |
- |
06/02/2019 |
| Story of a uri based xss with some simple google dorking |
Jatin Aesthetic (@techyfreakk) |
- |
XSS |
- |
06/02/2019 |
| Edmodo Account Deactivation Vulnerability |
Shankar R |
Edmodo |
CORS misconfiguration |
$0 |
06/01/2019 |
| My First CSRF to Account Takeover worth $750 |
Nishant Saurav (@inishantsinha) |
- |
CSRF, Account takeover |
$750 |
05/30/2019 |
| Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty |
HackerOn2Wheels (@HackerOn2Wheels) |
- |
Stored XSS, MIME sniffing |
- |
05/30/2019 |
| Stored XSS on Edmodo |
Rohit Verma (@rv0x00) |
Edmodo |
Stored XSS |
- |
05/28/2019 |
| Source Code disclose Vulnerability |
Mohamed R. Serwah (@mohamedrserwah) |
- |
Source code disclosure |
- |
05/27/2019 |
| An unexploited CORS misconfiguration reflecting further issues. |
Smaran Chand (@smaranchand) |
- |
CORS misconfiguration |
- |
05/27/2019 |
| How did I bypass a Custom Brute Force protection and why that solution is not a good idea? |
dortz |
- |
Bruteforce, Authentication flaw |
- |
05/25/2019 |
| Disclose files content from Facebook internal CDNs |
Samm0uda (@samm0uda) |
Facebook |
Weak encryption |
$12,500 |
05/25/2019 |
Archived content |
| Google bug bounty: LFI on production servers in “springboard.google.Com” — $13,337 USD |
VulnerabilityLabs |
Google |
LFI |
$13,337 |
05/24/2019 |
| Multiple API issues due to Fixed Authorization token. |
Mustafa Khan (@by6153) |
- |
Authorization flaw |
- |
05/24/2019 |
| From file upload to email:pass |
fr0stNuLL |
- |
Unrestricted file upload |
- |
05/24/2019 |
| Security assessment on the staging domains |
Tutorgeeks (@tutorgeeks) |
- |
Lack of authentication |
- |
05/24/2019 |
| Instagram GitHub Token with public_scope found In Travis CI Build Logs |
Philippe Harewood (@phwd) |
Facebook |
Information disclosure |
$0 (Informative) |
05/24/2019 |
| How I acquired $XXX bounty by investing 99 cents |
Smaran Chand (@smaranchand) |
- |
Logic flaw |
- |
05/24/2019 |
| Escalating subdomain takeovers to steal cookies by abusing document.domain |
Ameya (@iamTakeMyHand) |
Postmates |
Subdomain takeover |
- |
05/23/2019 |
| Determine a Facebook user from an email address |
Philippe Harewood (@phwd) |
Facebook |
Information disclosure |
$1,000 |
05/22/2019 |
| Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts |
Family guy |
Google |
Privilege escalation, Authorization flaw |
- |
05/21/2019 |
| Local File Inclusion in peering.google.com |
Jafar Abo Nada (@Jafar_Abo_Nada) |
Google |
LFI |
$3,133.7 |
05/21/2019 |
| Leaking OpenID tokens with “ — the bug right infront of you |
Zseano (@zseano) |
- |
OpenID flaw |
- |
05/21/2019 |
| WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD |
@omespino |
Google |
LFI |
$13,337 |
05/21/2019 |
| Open-redirect to Account Takeover. |
Rishabh (@__cypher__) |
- |
Open redirect, Account takeover |
- |
05/19/2019 |
| A base64 encoded parameter. |
Navneet (@na5n33t) |
- |
HTML injection |
$75 |
05/19/2019 |
| XSSed my way to 1000$ |
Gaurav Narwani (@gauravnarwani97) |
- |
XSS |
$1,100 |
05/17/2019 |
|
| Stealing Downloads from Slack Users |
David Wells |
Slack |
CSRF |
- |
05/17/2019 |
| Bypassing Instagram’s stories restriction |
Baibhav Anand (@iBaibhavJha) |
Facebook |
Logic flaw |
$500 |
05/17/2019 |
| ‘Try-Harder’ for XSS |
Frans Hendrik Botes (@initroott) |
- |
Reflected XSS |
- |
05/17/2019 |
| From parameter pollution to XSS |
Mo’men Basel |
- |
Parameter pollution, XSS |
- |
05/16/2019 |
| You do not need to run 80 reconnaissance tools to get access to user accounts |
Stefano Vettorazzi (@stefanohablando) |
- |
Open redirect |
- |
05/15/2019 |
| Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties] |
Komodo Security |
Google |
Stored XSS, MIME sniffing |
- |
05/15/2019 |
| Think Outside the Scope: Advanced CORS Exploitation Techniques |
Ayoub (@sandh0t) |
- |
CORS misconfiguration |
$1,500 |
05/14/2019 |
| Stored XSS on Techprofile Microsoft |
Mohammad Ali Syarief |
Microsoft |
Stored XSS |
- |
05/09/2019 |
| BLIND SSRF in *.stripe.com due to Sentry Misconfiguration |
Oktavandi (@0ktavandi) |
Stripe |
Blind SSRF |
- |
05/09/2019 |
| 4x CSRFs Chained For Company Account Takeover |
A Bug’z Life (@abugzlife1) |
- |
CSRF, Account takeover |
$3,000 |
05/08/2019 |
| pcextreme.nl fake bug bounty |
Daniel Maksimovic |
pcextreme.nl |
SSRF, XSS |
$0 (150€ + 150€ platform credit promised but not delivered) |
05/08/2019 |
| SQL injection through User-Agent |
fr0stNuLL |
- |
SQL injection |
- |
05/08/2019 |
| Subdomain takeover [Awarded $200] |
Friendly (@SkeletorKeys) |
ownCloud |
Subdomain takeover |
$200 |
05/07/2019 |
| Server Side Request Forgery(SSRF){port issue hidden approch } |
Deepak Holani (@w_hat_boy) |
- |
SSRF |
- |
05/03/2019 |
| Tale of a Wormable Twitter XSS |
@0xSobky |
Twitter |
XSS |
$2,940 |
05/02/2019 |
| Why You Shouldn’t Use a Password Manager For Your Linode Account |
@0xSobky |
Linode |
Account takeover, Information disclosure |
- |
05/02/2019 |
| XSS attacks on Googlebot allow search index manipulation |
Tom Anthony (@TomAnthonySEO) |
Google |
Logic flaw |
- |
05/01/2019 |
| Remote code execution On Microsoft edge using URL Protocol |
Matt harr0ey (@harr0ey) |
Microsoft |
RCE |
$0 (N/A) |
05/01/2019 |
| From NA to $3000 : Facebook’s URL spoofing vulnerability |
Rahul Kankrale (@RahulKankrale) |
Facebook |
URL spoofing |
$3,000 |
04/30/2019 |
| From Reflected XSS to Account Takeover — Showing XSS Impact |
A Bug’z Life (@abugzlife1) |
- |
Reflected XSS, Account takeover |
- |
04/30/2019 |
| Don’t Follow The Masses: Bug Hunting in JavaScript Engines |
Dimitri Fourny (@dimitrifourny) |
Google |
Buffer overflow |
$7,500 |
04/29/2019 |
|
| Two-Factor Authentication Bypass |
Gaurav Narwani (@gauravnarwani97) |
- |
2FA bypass |
- |
04/29/2019 |
|
| Broken Access: Posting to Google private groups through any user in the group |
Elber Andre (@Elber333) |
Google |
Autorization flaw |
$0 (N/A) |
04/27/2019 |
| Denial of Service using Cookie Bombing |
Ronak Patel (@ronak_9889) |
- |
DoS, Cookie bombing |
$350 |
04/26/2019 |
| How to bypass a 2FA with a HTTP header |
Yumi |
- |
2FA bypass |
- |
04/26/2019 |
| for PayPal security team,“get user balances and transaction details” is not a vulnerability! |
Todaro (@tod4ro) |
Paypal |
Information disclosure |
$0 (N/A) |
04/26/2019 |
| Missing Authorization check while deleting App Review for Marketing API |
Family guy |
Facebook |
Authorization flaw |
- |
04/25/2019 |
| Stealing local storage data through XSS |
Harshad Gaikwad (@h4rsh4d) |
- |
Stored XSS, Account takeover |
$800 |
04/25/2019 |
| The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! |
Avinash Jain (@logicbomb_1) |
- |
LFI, SSRF, Cloudflare bypass |
- |
04/25/2019 |
| CSRF Attack can lead to Stored XSS |
Mohamed Sayed (@FlEx0Geek) |
- |
CSRF, Stored XSS |
- |
04/25/2019 |
| A picture that steals data |
Sergey Kashatov (@iframe0x01) |
- |
Information disclosure |
- |
04/24/2019 |
| Getting access to Zendesk’s Google Cloud and Artifactory from GitHub dotfile repos |
Ruby Nealon (@_ruby) |
Zendesk |
Information disclosure |
$3,000 |
04/23/2019 |
| Facebook’s Burglary Shopping List |
John Moss (@x41x41x41) |
Facebook |
Information disclosure |
$5,000 |
04/23/2019 |
| The neglected bug that can infect All Facebook users who pay for leads ads. |
Hesham Watany |
Facebook |
CSV injection |
$0 (Out of scope) |
04/23/2019 |
| Yet Other Examples of Abusing CSRF in Logout |
Soroush Dalili (@irsdl) |
- |
CSRF |
- |
04/23/2019 |
| [XSS] Reflected XSS Bypass Filter |
Mohamed Sayed (@FlEx0Geek) |
- |
Reflected XSS |
- |
04/23/2019 |
| Disclose the content of internal Facebook Javascript modules. |
Samm0uda (@samm0uda) |
Facebook |
Authorization flaw |
- |
04/22/2019 |
Archived content |
| Ssrf to Read Local Files and Abusing the AWS metadata |
Pratik Yadav (@PratikY9967) |
- |
SSRF |
- |
04/21/2019 |
| [CONFIRMATION BYPASS ] |
Navneet (@na5n33t) |
- |
Email confirmation bypass, Information disclosure |
$0 (VDP) |
04/21/2019 |
| Twitter - protected tweets exposure |
terjanq (@terjanq) |
Twitter |
Information disclosure |
$560 |
04/19/2019 |
| Responsible disclosure: improper access control in Gitlab private project. |
Riccardo Padovani (@rpadovani93) |
GitLab |
Authorization flaw |
$2,000 |
04/19/2019 |
| Scary Tickets😨 |
Uranium238 (@uraniumhacker) |
- |
Ticket Trick |
- |
04/19/2019 |
| PDFReacter SSRF to ROOT Level Local File Read which led to RCE |
Armaan Pathan (@armaancrockroax) |
- |
SSRF, RCE |
- |
04/18/2019 |
| Code execution - Evernote |
Dhiraj (@mishradhiraj_) |
Evernote |
RCE, Path traversal |
- |
04/17/2019 |
| How I was able to Bypass XSS Protection on HackerOne’s Private Program |
Security Executions Code BugHunter |
- |
XSS |
- |
04/16/2019 |
| Banner Grabbing to DoS and Memory Corruption |
Daniel V. |
- |
DoS<, Information disclosure |
- |
04/16/2019 |
| A $5000 IDOR… |
Mr.Hacker (@mr_hacker0007) |
- |
IDOR |
$5,000 |
04/16/2019 |
| How i found credential enriched redis dump |
Ashish Kunwar (@D0rkerDevil) |
- |
File disclosure, Information disclosure |
$0 |
04/16/2019 |
| Just 5 minute to get my 2nd stored XSS on Edmodo.com |
ZishanAdThandar (@ZishanAdThandar) |
Edmodo |
Stored XSS |
$0, Swag |
04/15/2019 |
| How I hacked Vending Machine |
Valeriy Shevchenko |
- |
Violation of secure design principles |
€300 gift card |
04/15/2019 |
| Google Groups Authorization Bypass |
Daniel Marad |
Google |
Authorization flaw |
$500 |
04/15/2019 |
| The Outlook Winner is Dash |
marcan2020 (@marcan2020) |
Microsoft |
Authorization flaw |
$0 (N/A) |
04/15/2019 |
| How I gained access to revenue and traffic data of thousands of Shopify stores |
Ayoub Fathi (@ayoubfathi) |
Shopify |
IDOR |
$0 (Policy violation) |
04/15/2019 |
| Web Cache Deception to API endpoint attack using cached token header |
Kunal pandey (@kunalp94) |
- |
Web cache deception |
$250 |
04/13/2019 |
| [RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638) |
Mohamed Haron (@m7mdharon) |
- |
RCE |
$2,250 |
04/12/2019 |
| Unauthenticated Account Takeover Through HTTP Leak |
Nik srivastava (@niksthehacker) |
- |
HTML injection, HTTP Leak, Account takeover |
- |
04/11/2019 |
| Account Takeover by chaining two vulnerabilities. |
Sheraz Khalid |
- |
CSRF, Open redirect, Account takeover |
- |
04/10/2019 |
| Multiple xss in *.skype.com & Multiple xss in *.skype.com (2) |
Jayateertha G (@JayateerthaG) |
Microsoft |
XSS |
$0, HoF |
04/10/2019 |
| Spokeo Bug bounty Experience |
Nur A Alam Dipu |
Spokeo |
XSS |
$0 (Can’t reproduce) |
04/10/2019 |
| Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652 |
Julien Ahrens (@MrTuxracer) |
Dropbox (Dell KACE vendor) |
RCE |
- |
04/09/2019 |
| SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central |
Elber Andre (@Elber333) |
Microsoft |
SSRF, XSPA |
- |
04/09/2019 |
| Obtaining XSS Using Moodle Features and Minor Bugs |
Daniel Thatcher |
Moodle |
Login CSRF, XSS |
$0 (VDP) |
04/09/2019 |
| XSS “403 forbidden” bypass (Akamai Security )write up |
Security Executions Code BugHunter |
- |
XSS |
- |
04/08/2019 |
| How I got a trip to amsterdam through bug bounty |
Ninad Mathpati (@ninad_mathpati) |
- |
Bruteforce |
- |
04/07/2019 |
| Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice |
Ron Chan (@ngalongc) |
Uber |
SSRF, Path traversal, Account takeover |
- |
04/07/2019 |
| Email content spoofing at IKEA.com |
Jonathan Bouman (@JonathanBouman) |
Ikea |
Email content spoofing |
$50 |
04/06/2019 |
| Edmodo — IDOR to view private files of any class |
Rohan Pagey (@rohan_x3) |
Edmodo |
IDOR |
- |
04/06/2019 |
| Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers |
Armaan Pathan (@armaancrockroax) |
PortSwigger |
MiTM |
- |
04/06/2019 |
| Google Ads — Information Disclosure via null pointer exception |
Valerio brussani (@val_brux) |
Google |
Information disclosure |
- |
04/04/2019 |
| Handlebars template injection and RCE in a Shopify app |
Mahmoud Gamal (@Zombiehelp54) |
Shopify |
SSTI, RCE |
10,000 |
04/04/2019 |
| Leaked Salesforce API access token at IKEA.com |
Jonathan Bouman (@JonathanBouman) |
Ikea |
Information disclosure |
$250 |
04/04/2019 |
| DownNotifier SSRF |
_m_q_t (@_m_q_t) |
DownNotifier |
SSRF |
- |
04/04/2019 |
| How I am able to hijack you. |
terjanq (@terjanq) |
Google |
Logic flaw |
- |
04/03/2019 |
| Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow |
Ritish Kumar Singh |
Facebook |
Logic flaw |
$1,000 |
04/02/2019 |
| FileZilla Untrusted Search Path & FileZilla ‘fzsftp’ Untrusted Search Path |
Chris Lyne (@lynerc) |
FileZilla (EU-FOSSA 2) |
RCE |
- |
04/02/2019 |
| How I was able to get your facebook private friend list [Responsible Disclosure] |
Raja Sekar Durairaj |
Facebook |
Information disclosure |
$10,000 |
04/01/2019 |
| EdM0d0 IDOR Vulnerabilities |
Pratyush Anjan Sarangi |
Edmodo |
IDOR |
$0, Swag |
04/01/2019 |
| Comma is forbidden! No worries!! Inject in insert/update queries without it |
Ahmed Sultan (@0x4148) |
- |
SQL injection |
$10,000 |
03/31/2019 |
|
| Recon in 2 minutes and got $250 easy |
Cryptographer |
Snapchat |
Missing secure flag |
$250 |
03/31/2019 |
|
| How I was able to turn self xss into reflected xss |
Hein Thant Zin (@H3Lowr) |
- |
Reflected XSS |
$300 |
03/31/2019 |
| alert(“A tale of 3 XSS!”) |
Gaurav Narwani (@gauravnarwani97) |
- |
XSS |
- |
03/29/2019 |
|
| My very first bug: a dreaded dupe and then an IDOR jackpot! |
John H4X00R (@JohnH4X00R) |
Yahoo |
IDOR |
$5,000 |
03/28/2019 |
| How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup) |
Yash Sodha (@y_sodha) |
Google |
CSRF |
$3,133.70 |
03/26/2019 |
| An Unusual Bug 🐛 on Braintree [PayPal] |
PRince CHaddha (@princechaddha) |
Paypal |
DoS |
$3,200 |
03/25/2019 |
| Twitter Denial of Service bug or How i could prevent all followers from reading or accessing literally ANY tweets! |
Seif Elsallamy |
Twitter |
DoS |
$1,120 |
03/25/2019 |
| Stored (XSS) on [google.com] |
Security Executions Code BugHunter |
Google |
Stored XSS |
- |
03/25/2019 |
| Stored XSS in the guide’s GameplayVersion (www.dota2.com) |
Security Executions Code BugHunter |
Dota 2 |
Stored XSS |
$750 |
03/25/2019 |
| Self (XSS) on [komunitas.bukalapak.com] |
Security Executions Code BugHunter |
Bukalapak |
Self XSS |
$50 |
03/25/2019 |
| Reflected (XSS)on [alibabacloud.com] |
Security Executions Code BugHunter |
Alibaba |
Reflected XSS |
- |
03/25/2019 |
| Self (XSS) on [komunitas.bukalapak.com] |
Komodo Security |
Google |
Authorization flaw |
$500 |
03/25/2019 |
| Facebook Marketing Confidential Call Transcript |
Philippe Harewood (@phwd) |
Facebook |
Information disclosure |
$500 |
03/24/2019 |
| Google Books X-Hacking |
terjanq (@terjanq) |
Google |
XS-Search |
$1,337 |
03/21/2019 |
| How to hunt for Malvertising ads on Android |
Kyle (@B3nac) |
- |
Android flaw |
- |
03/21/2019 |
| A real XSS in OLX Bug Bounty |
Paulo Choupina (@PauloChoupina) |
OLX |
Reflected XSS |
$0 (VDP), HoF |
03/21/2019 |
| Slack announcement-only channel post restriction bypass |
Rodney Beede |
Slack |
Authorization flaw, Logic flaw |
$0, Out of scope |
03/20/2019 |
| Disclose private/scheduled streams of any Livestream user due to open .m3u8 endpoint |
Abss TBH @abss_tbh |
Livestream |
Information disclosure |
$1,000 |
03/20/2019 |
| Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560) |
Kevin Backhouse (@kevin_backhouse) |
Facebook |
Integer overflow |
$10,000 |
03/19/2019 |
| Discovering a zero day and getting code execution on Mozilla’s AWS Network |
Shubham Shah (@infosec_au) & Mathias Karlsson (@avlidienbrunn) |
Mozilla |
RCE |
$500 |
03/19/2019 |
| DoS Across Facebook Endpoints |
Max Pasqua |
Facebook |
DoS |
$750 |
03/19/2019 |
| From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin |
Heige (@80vul) |
Microsoft |
DOM XSS |
$0 |
03/19/2019 |
| Should you be concerned about LastPass uploading your passwords to its server? |
Avinash Kumar (@itsavinash_) |
LastPass |
Information disclosure, Logic flaw |
- |
03/18/2019 |
| Stealing local storage data through XSS |
Harshad Gaikwad (@h4rsh4d) |
OLX |
Reflected XSS |
$0, HoF |
03/17/2019 |
| Disclosure of Pending Roles for any Facebook Page |
Avinash Kumar (@itsavinash_) |
Facebook |
IDOR |
$4,000 |
03/16/2019 |
| Target Finds Cross-Site Scripting in Microsoft SharePoint |
Target |
Microsoft |
XSS |
- |
03/15/2019 |
| How I was able to pwned 30000+ user’s webhook |
gujjuboy10x00 (@vis_hacker) |
- |
IDOR |
- |
03/14/2019 |
| Privilege escalation on private program. |
Imran Parray (@CreedHackers) |
- |
Privilege escalation, Information disclosure |
- |
03/14/2019 |
| User Account Takeover [Password Change]— Nice Catch! |
Rohit kumar (@rohitcoder) |
- |
Account takeover, Password reset flaw |
- |
03/14/2019 |
| Write up – $1,000 usd in 5 minutes, xss stored in outlook.com (ios browsers) |
@omespino |
Microsoft |
Stored XSS |
$1,000 |
03/14/2019 |
| WordPress 5.1 CSRF to Remote Code Execution |
Simon Scannell (@scannell_simon) |
WordPress |
CSRF, RCE, HTML injection |
$950 |
03/13/2019 |
| OLX Bug Bounty: Reflected XSS |
Mukhammad Akbar (@abaykandotcom) |
OLX |
Reflected XSS |
- |
03/13/2019 |
| My First Stored XSS on Edmodo.com |
ZishanAdThandar (@ZishanAdThandar) |
Edmodo |
Stored XSS |
- |
03/13/2019 |
| Hack Your Form-New vector for Blind XSS |
Youssef A. Mohamed (@GeneralEG64) |
- |
Blind XSS, Stored XSS |
$800 |
03/13/2019 |
| How I found Blind XSS Vulnerability in redacted.com |
ssid (@newp_th) |
- |
Blind XSS |
- |
/27/2019 |
| Inserting malware into anyone’s Google Earth Projects Archive |
Thomas Orlita (@ThomasOrlita) |
Google |
IDOR, XSS, Authorization flaw |
$0 |
03/29/2019 |
| Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. |
Armaan Pathan (@armaancrockroax) |
- |
CSRF, Bruteforce |
- |
03/12/2019 |
| Escalating SSRF to RCE |
Youssef A. Mohamed (@GeneralEG64) |
- |
SSRF, RCE |
- |
03/12/2019 |
| CVE-2018-16794 on fs.thefacebook.com |
Philippe Harewood (@phwd) |
Facebook |
SSRF |
$1,000 |
03/11/2019 |
| SQL injection for $50 bounty, but still worth reading!! |
Ronaldo Messi |
- |
SQL injection |
$50 |
03/10/2019 |
| Account Takeover Using Cross-Site WebSocket Hijacking (CSWH) |
Sharan Panegav (@PanegavSharan) |
- |
Cross-Site WebSocket Hijacking (CSWH), Account takeover |
- |
03/09/2019 |
| Vimeo SSRF with code execution potential. |
Harsh Jaiswal (@rootxharsh) |
Vimeo |
SSRF |
$5,000 |
03/08/2019 |
| Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack |
Ron Masas |
Facebook |
Side-channel attack, Cross-Site Frame Leakage (CSFL) |
- |
03/07/2019 |
| Facebook Messenger server random memory exposure through corrupted GIF image |
Dzmitry Lukyanenka (@vulnano) |
Facebook |
Information disclosure |
$10,000 |
03/06/2019 |
| 3 XSS in ProtonMail for iOS |
Vladimir Metnew (@vladimir_metnew) |
Apple |
XSS |
$1,000 |
03/06/2019 |
| Fixed : Register any email address on Facebook Account |
Sameer Rao |
Facebook |
Authorization flow |
- |
03/05/2019 |
| Fixed : Brute-force Instagram account’s passwords |
Sameer Rao |
Facebook |
Bruteforce, Rate limiting bypass |
- |
03/05/2019 |
| Facebook exploit – Confirm website visitor identities |
Tom Anthony (@TomAnthonySEO) |
Facebook |
Information disclosure, IDOR |
$1,000 |
03/04/2019 |
| Auditing GitHub Repo Wikis for Fun and Profit |
Smeege (@SmeegeSec) |
- |
Misconfigured Github wiki |
$500 |
03/04/2019 |
| XSS in Edmodo within 5 Minute (My First Bug Bounty) |
Vala Keyur (@valakeyur) |
Edmodo |
Reflected XSS |
- |
03/04/2019 |
| A simple Account takeover misusing JWT late expiration |
Scalar (@mrprajapati_360) |
- |
Authorization flaw, Logic flaw |
- |
03/03/2019 |
| Bypassing a restrictive JS sandbox |
Licencia para Hackear |
Private program, static-eval library |
JS sandbox breakout, RCE |
- |
03/01/2019 |
| Yet Another (unexpected) Hack for Bounty |
Pumudu Ruhunage |
Sli.do |
Information disclosure |
$150 |
03/01/2019 |
| Horizontal Privilege Escalation on Quora which can compromise all users on Quora |
SpyD3r (@TarunkantG) |
Quora |
Privilege escalation |
- |
02/26/2019 |
| [Still work] Redirect Yahoo Subdomain XSS Reflected from americangreetings.com |
Mohamed Haron (@m7mdharon) |
Yahoo |
Reflected XSS |
- |
02/26/2019 |
| How I alert(1) in Azure DevOps |
SpyD3r (@TarunkantG) |
Microsoft |
XSS, CSP bypass |
- |
02/26/2019 |
| Web Cache Deception Attack leads to user info disclosure |
Kunal pandey (@kunalp94) |
- |
Web cache deception, Information disclosure |
$300 |
02/25/2019 |
| Chain of hacks leading to Database Compromise! |
Avinash Jain (@logicbomb_1) |
- |
LFI, SSRF |
- |
02/23/2019 |
| Bug Bounty 101 — Always Check The Source Code |
Mohamed Haron (@m7mdharon) |
- |
Lack of rate limiting, Information disclosure |
- |
02/23/2019 |
| Download any organisation Data — S3 amazonaws Misconfiguration |
Chand Singh (@Chand_42) |
- |
Authorization flaw |
$2,500 |
02/22/2019 |
| Subdomain Misconfiguration lead to AWS S3 Buckets Reader |
Mohamed Haron (@m7mdharon) |
- |
Subdomain takeover |
$800 |
02/22/2019 |
| Exploiting Google Calendars |
Rojan Rijal (@uraniumhacker) & Brandon Nguyen (@cmdrsnuggle) |
Uber, Shopify, Netflix |
Authorization flaw, Information disclosure |
- |
02/22/2019 |
| Swiss_E-Voting_Publications |
setuid0 (@setuid0) |
Swiss E-Voting |
XSS, XXE, RCE, Lack of authentication, Authentication flaw, Hardcoded credentials |
- |
02/21/2019 |
| Abusing autoresponders and email bounces |
Inti De Ceukelaire |
Google, Intigriti |
Information disclosure, Logic flaw |
- |
02/21/2019 |
| Reflected XSS at https://photos.shopify.com/ |
Ahamed Morad (@Modam3r5 |
Shopify |
Reflected XSS |
$0, Out of scope |
02/21/2019 |
| How I Registered Multiple Accounts in PrivateInternetAccess VPN Service for FREE |
Spade |
PrivateInternetAccess VPN |
Logic flaw |
$1,000 |
02/20/2019 |
| Bug Writeup: FBCTF IDOR |
George Osterweil |
Facebook |
IDOR |
$0, Duplicate |
02/20/2019 |
| Leakage of Client Secret, Server tokens of all Uber developer applications |
Anand Prakash (@sehacure) |
Uber |
Information disclosure |
$5,000 |
02/19/2019 |
| Multiple Stored XSS On Tokopedia |
Apapedulimu (@Apapedulimu) |
Tokopedia |
Stored XSS, Blind XSS |
- |
02/19/2019 |
| Using URI to pop shells via the Discord Client |
RagSec (@rag_sec) |
Discord |
URI abuse, Social engineering |
$0, Out of scope |
02/18/2019 |
| DoS on WAF Protected Sites by Abusing Cookie |
Anas Mahmood (@AnasIsHere) |
Upwork |
DoS |
$400 |
02/18/2019 |
| 2 Subdomains Takeover via Unbounce in a Private Program |
Mohamed Haron (@m7mdharon) |
- |
Subdomain takeover |
$0, Duplicate |
02/18/2019 |
| Stored XSS on Edmodo |
Rohit kumar (@rohitcoder) |
Edmodo |
Stored XSS |
$0, Duplicate |
02/18/2019 |
| $1.000 SSRF in Slack |
Elber Andre (@Elber333) |
Slack |
SSRF |
$1,000 |
02/17/2019 |
| Bypass password confirmation in Facebook “DYI” feature |
Samm0uda (@samm0uda) |
Facebook |
Authorization flaw, IDOR |
- |
02/16/2019 |
Archived content |
| Facebook/Workplace Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk |
Rohit kumar (@rohitcoder) |
Facebook |
Information disclosure |
$1,000 |
02/16/2019 |
| Subdomain Takeover via Wufoo Service in a Private Program |
Mohamed Haron (@m7mdharon) |
- |
Subdomain takeover |
- |
02/16/2019 |
| Open Redirect in SLACK |
Mukhammad Akbar (@abaykandotcom) |
Slack |
Open redirect |
$0, N/A |
02/16/2019 |
| Bypassing rate limit abusing misconfiguration rules |
Daniel V. |
- |
Rate limiting bypass |
- |
02/15/2019 |
| Subdomain Takeover via HubSpot |
Mohamed Haron (@m7mdharon) |
- |
Subdomain takeover |
- |
02/15/2019 |
| Souq.com Subdomain Takeover via jazzhr.com service |
Mohamed Haron (@m7mdharon) |
Souq.com |
Subdomain takeover |
$0, Informative |
02/15/2019 |
| Never Stop at Banner Grabbing |
Gaurav Narwani (@gauravnarwani97) |
- |
Information disclosure |
$241.93 |
02/14/2019 |
|
| Third Party Android App Storing Facebook Data Insecurely (Facebook Data Abuse Program) |
Nightwatch Cybersecurity (@nightwatchcyber) |
Facebook |
Information disclosure, Lack of authentication |
- |
02/14/2019 |
|
| [SSRF] Server Side Request Forgery in a private Program developers.example.com |
Mohamed Haron (@m7mdharon) |
- |
SSRF |
$200 |
02/14/2019 |
| Disclose private attachments in Facebook Messenger Infrastructure - 15,000$ |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$15,000 |
02/13/2019 |
| Facebook CSRF protection bypass which leads to Account Takeover |
Samm0uda (@samm0uda) |
Facebook |
CSRF |
$25,000 |
02/12/2019 |
Archived content |
| Hacking YouTube for #fun and #profit |
Alexandru Coltuneac (@dekeeu) |
Google |
IDOR |
- |
02/12/2019 |
| Export Facebook audience network reports of any business |
Samm0uda (@samm0uda) |
Facebook |
Authorization flaw |
- |
02/12/2019 |
Archived content |
| I Found Clickjacking on Google CSE. Is This Important? |
Mukhammad Akbar (@abaykandotcom) |
Google |
Clickjacking |
$0 |
02/10/2019 |
| Csrf Bypass Using Cross Frame Scripting |
Mr.Hacker (@mr_hacker0007) |
- |
CSRF |
- |
02/10/2019 |
| How I hacked ASUS? |
Mustafa Kemal Can (@muskecan) |
Asus |
RCE, Unrestricted file upload |
- |
02/09/2019 |
| Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program. |
Sahil Tikoo (@viperbluff) |
- |
Information disclosure |
- |
02/09/2019 |
| Design Flaws - Scenario One and Fix |
Alli-Balogun Faruq (@node_shack) |
- |
Logic flaw |
- |
02/08/2019 |
| Paypal’s Security Check Bypassed |
Anees Khan (@AneesEthical) |
Paypal |
Logic flaw |
$0, N/A |
02/08/2019 |
| Internal paths disclosure due to improper exception handling |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure |
- |
02/07/2019 |
Archived content |
| Leak of private/in-development app ids, names and translation requests |
Samm0uda (@samm0uda) |
Facebook |
IDOR |
- |
02/07/2019 |
Archived content |
| LFI To 10 Servers Pwn |
Nirmal Dahal (@TheNittam) |
- |
LFI, RCE |
- |
02/07/2019 |
| How i was able to dump SqlDB | Simple bug |
clever idi0t |
- |
Directory listing, SQL injection, Authentication bypass |
- |
02/07/2019 |
| Cache Deception: How I discovered a vulnerability in Medium and helped them fix it |
Yuval Shprinz |
Medium |
Cache deception |
$100, Swag |
02/06/2019 |
| Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard |
Lee Christensen (@tifkin_) |
Microsoft |
Path traversal, RCE |
- |
02/06/2019 |
| Jumping Over The Fence |
Shahar Albeck |
- |
Open redirect |
- |
02/05/2019 |
| How I hacked 40,000 user accounts of Microsoft using 2FA bypass(outlook.live.com) |
Vartul Goyal (@hackvartul) |
Microsoft |
2FA bypass |
$0 |
02/05/2019 |
| Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages |
Paul (@padannewitz) |
- |
Mass assignment |
$5,000 |
02/05/2019 |
| Reverse RDP Attack: Code Execution on RDP Clients |
Eyal Itkin |
Microsoft |
Path traversal |
$0 |
02/05/2019 |
| A Unique XSS Scenario in SmartSheet || $1000 bounty |
Rohan Chavan (@rohanchavan1918) |
Smartsheet |
Stored XSS |
$1,000 |
02/03/2019 |
| How I was able to Extract Information of Other Users- Exploiting IDOR |
Rupika Luhach (@Rup_Ki_Rani) |
Knowyourmeds.com |
IDOR |
$0, Duplicate |
02/02/2019 |
| LFI in Apigee portals |
[email protected] (@wtm_offensi) |
Google |
LFI |
- |
01/31/2019 |
| How I found a simple bug in Facebook without any Test |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Authorization flaw |
- |
01/31/2019 |
| $7.5k Google Cloud Platform organization issue |
Ezequiel Pereira (@epereiralopez) |
Google |
Logic flaw |
$7,500 |
01/30/2019 |
| How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds. |
Piyush Raj (@0x48piraj) |
WeeQuizz |
Information disclosure |
$0, No response |
01/30/2019 |
| Publish tweets by any other user |
Kedrisec (@kedrisec) |
Twitter |
IDOR |
$7,560 |
01/30/2019 |
| Guest blog: Eray Mitrani - Hacking isn’t an exact science |
Eray Mitrani (@ErayMitrani) |
- |
Authorization flaw |
- |
01/29/2019 |
| Protonmail XSS — Stored |
Chand Singh (@Chand_42) |
Protonmail |
Stored XSS, Bruteforce |
- |
01/29/2019 |
| Unsecured access to personal data of a million Leo Express users |
Thomas Orlita (@ThomasOrlita) |
Leo Express |
Authorization flaw, XSS |
- |
01/29/2019 |
| Hijacking accounts by retrieving JWT tokens via unvalidated redirects |
Shawar Khan (@ShawarkOFFICIAL) |
- |
Open redirect, Token theft |
- |
01/27/2019 |
| A short tale of Account verification bypass |
Satyendra Kumar |
- |
Email verification bypass, Authorization flaw |
- |
01/27/2019 |
| Chaining Tricky OAuth Exploitation To Stored XSS |
Rohan aggarwal (@nahoragg) |
- |
Stored XSS, OAuth flaw |
- |
01/27/2019 |
| Misconfiguration-Whatsapp Messenger |
Pratheesh P Narayanan |
Facebook |
Logic flaw |
$0, Informative |
01/26/2019 |
| AntiHack IDOR on Create Submission |
Syahrul Akbar Rohmani (@sahruldotid) |
AntiHack.me |
IDOR |
$0, Swag |
01/26/2019 |
| Facebook Change Product Availability as a PageAnalyst |
onehackzero |
Facebook |
Logic flaw, Authorization flaw |
- |
01/25/2019 |
| How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc) |
Luke Berner |
Google, Microsoft, Facebook |
Logic flaw, Authentication flaw |
- |
01/25/2019 |
|
| Magento – RCE & Local File Read with low privilege admin rights |
Daniel Le Gall |
Magento |
LFI, RCE, Path traversal |
- |
01/24/2019 |
| Antihack.me Blind XSS To PHP File Upload Vulnerability |
SayCure (@SaycureIO) |
AntiHack.me |
Blind XSS |
- |
01/24/2019 |
|
| Privilege Escalation to Highest Admin Privileges |
Gaurav Narwani (@gauravnarwani97) |
- |
IDOR, Privilege escalation |
- |
01/23/2019 |
|
| Frappé Technologies ERPNext Server Side Template Injection |
Brian Hyde |
ERPNext |
SSTI |
$0 |
01/23/2019 |
| Enroll in Facebook Ad-break program without Facebook approval |
Samm0uda (@samm0uda) |
Facebook |
Logic flaw, Authorization flaw |
- |
01/22/2019 |
Archived content |
| Disclose page’s admins and its Monetization payout details |
Samm0uda (@samm0uda) |
Facebook |
IDOR, Information disclosure |
- |
01/22/2019 |
Archived content |
| Disclose page violations and its eligibility to use Ad-breaks |
Samm0uda (@samm0uda) |
Facebook |
IDOR, Information disclosure |
- |
01/22/2019 |
Archived content |
| Disclose Instagram business account linked to a Facebook page |
Samm0uda (@samm0uda) |
Facebook |
IDOR, Information disclosure |
- |
01/22/2019 |
Archived content |
| Change payment account of any Facebook commerce page |
Samm0uda (@samm0uda) |
Facebook |
Logic flaw, Authorization flaw |
- |
01/22/2019 |
Archived content |
| Expose business email and payment account balance of any Facebook commerce page. |
Samm0uda (@Samm0uda) |
Facebook |
IDOR, Information disclosure |
- |
01/22/2019 |
| Reveal if a Facebook merchant page has pending or completed orders. |
Samm0uda (@Samm0uda) |
Facebook |
IDOR, Information disclosure |
- |
01/22/2019 |
| Bruteforce Instagram account’s passwords (lack of rate limiting protection). |
Samm0uda (@samm0uda) |
Facebook |
Bruteforce, Lack of rate limiting |
- |
01/22/2019 |
| Generate Access Tokens for any Facebook user |
Samm0uda (@samm0uda) |
Facebook |
IDOR |
- |
01/22/2019 |
| Modify users profiles of techprep.fb.com |
Samm0uda (@samm0uda) |
Facebook |
Authorization flaw |
- |
01/22/2019 |
| Uploading files to api.techprep.fb.com |
Samm0uda (@samm0uda) |
Facebook |
File upload XSS |
- |
01/22/2019 |
| Reflected XSS in Zomato |
Sudhanshu Rajbhar (@sudhanshur705) |
Zomato |
Reflected XSS |
$250 |
01/21/2019 |
| How I Found and Reporting Vulnerabilities to AntiHack.me by Tomi |
Tomi (@nahoragg) |
AntiHack.me |
IDOR, LFI |
$0, Swag |
01/20/2019 |
| A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram |
Rohan aggarwal (@nahoragg) |
- |
CORS miconfiguration |
- |
01/20/2019 |
| Oauth Misconfiguration lead to complete account takeover |
Jackson kv (@Jacksonkv22) |
- |
CSRF, OAuth flaw, Account takeover |
- |
01/20/2019 |
| XSS Through SWF file! |
Friendly (@SkeletorKeys) |
- |
SWF XSS |
$200 |
01/18/2019 |
| Bypass Content Security Policy framing restriction rule - OLX |
Taha Ibrahim Draidia |
OLX |
CSP bypass |
- |
01/17/2019 |
| Command Injection PoC |
NoGe |
- |
Command injection |
- |
01/15/2019 |
| Facebook Vulnerability: Unremovable facebook group admin |
Ritish Kumar Singh |
Facebook |
Logic flaw |
$500 |
01/15/2019 |
| #BugBounty How I Hack Billion $ Company |
Sadiq West |
- |
Directory listing |
$500 |
01/15/2019 |
| Abusing MySQL clients to get LFI from the server/client |
Jarkko Vesiluoma (@jvesiluoma) |
- |
LFI |
- |
01/15/2019 |
| Gaining access to Uber’s user data through AMPScript evaluation |
Shubham Shah (@infosec_au) |
Uber |
AMPScript injection |
$23,000 |
01/14/2019 |
| Turning Self XSS to good XSS via access control |
Yusuf Yazir (@Hacklad) |
- |
Stored XSS, Self XSS |
- |
01/13/2019 |
| Hack Your Form – New vector for Blind XSS |
Youssef A. Mohamed (@GeneralEG64) |
Facebook |
Blind XSS |
$800 |
01/13/2019 |
| Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty |
Ajay Gautam (@evilboyajay) |
Facebook |
IDOR |
- |
01/11/2019 |
| Facebook PageAnalyst Could Add oneself as Moderator on Group |
onehackzero |
Facebook |
Authorization flaw |
- |
01/11/2019 |
| AntiHack.me Multiple Vulnerabilities |
Tomi |
AntiHack.me |
LFI, IDOR |
$0, Swag |
01/11/2019 |
| View the contact list for a Messenger Kid as a parent-approved contact |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw |
- |
01/08/2019 |
| Tips for bug bounty beginners from a real life experience |
Renaud Martinet (@karouf) |
YNAB |
XSS, SQL injection |
$1,500 |
01/08/2019 |
| When Cookie Hijacking + HTML Injection become dangerous |
Daniel V. |
- |
Cookie Hijacking, HTML Injection |
- |
01/07/2019 |
| Reflected XSS ON ASUS. |
Thejus Krishnan |
Asus |
Reflected XSS |
$0, HoF |
01/06/2019 |
| Stored XSS Via Alternate Text At Zendesk Support |
Hariharan.s |
Zendesk |
Stored XSS |
- |
01/06/2019 |
| How I hacked Altervista.org |
Jacopo Tediosi (@jacopotediosi) |
Altervista |
Open redirect |
$0, HoF |
01/05/2019 |
| Facebook Android Application |
Ash King |
Facebook |
Authorization flaw |
$750 |
01/05/2019 |
| How I could have taken over any Pinterest account |
Arnold Anthony (@armold9anthony) |
Pinterest |
CSRF, Account takeover |
$2,400 |
01/05/2019 |
| How I stumbled upon a Stored XSS(My first bug bounty story). |
Parth Shah |
Edmodo |
Stored XSS |
- |
01/04/2019 |
| Cookie Based Self-XSS to Good XSS |
Brian Hyde |
- |
XSS |
$616 |
01/04/2019 |
| Stealing Side-Channel Attack Tokens in Facebook Account Switcher |
Max Pasqua |
Facebook |
Token theft |
$1,000 |
01/04/2019 |
| Yes I can see your OTP |
Vulnerables |
- |
IDOR |
- |
01/03/2019 |
| A Tricky Open Redirect |
Anas Mahmood (@AnasIsHere) |
- |
Open Redirect |
$200 |
01/03/2019 |
| How I was able to Harvest other Vine users IP address |
Prial Islam Khan (@prial261) |
Vine |
IDOR |
$5,040 |
01/02/2019 |
| How i found web shell on AntiHack.me and Awarded Gold Coin And SWAG |
Rudra Sarkar (@rudr4_sarkar) |
AntiHack.me |
RCE |
- |
01/01/2019 |
| A Curious Case From Little To Complete Email Verification Bypass |
Megaman (@N0_M3ga_Hacks) |
- |
Email validation bypass, Authorization flaw |
- |
01/01/2019 |
