List of bug bounty writeups

Bug bounty writeups published in 2022

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Hyperlink Injection On IRC Cloud Aswin K V (@deep_marketer_) IRCCloud Hyperlink injection - 06/26/2022
Bug: Cisco IOS SNMPv3 ACL Issues Gerry Gosselin (@ggPixelHealth) Cisco Information disclosure - 06/26/2022
mysqlnd/pdo password buffer overflow leading to RCE (CVE 2022-31626) & @cyberguru007’s analysis and PoC Charles Fol (@cfreal_) PHP Buffer Overflow, Memory corruption bug N/A (VDP) 06/25/2022
Moderation Filter Bypass in support.mozilla.org tomorrowisnew (@tomorrowisnew_) Mozilla Logic flaw OOS 06/25/2022
An Out Of Scope domain Leads To a Critical Bug[$1500] Shakti Mohanty (@3ncryptSaan) - Authorization flaw, Broken Access Control $1,500 06/24/2022
Miracle - One Vulnerability To Rule Them All Jang (@testanull) & peterjson (@peterjson) Oracle Insecure deserialization, SSRF, RCE - 06/23/2022
Pwn2Own 2021 Microsoft Exchange Exploit Chain Rskvp93 (@rskvp93) Microsoft SSRF, RCE - 06/23/2022
CVE-2022-31749: WatchGuard Authenticated Arbitrary File Read/Write (Fixed) Jake Baines (@Junior_Baines) WatchGuard Argument injection N/A (VDP) 06/23/2022
$1500 Of Broken Access Controls Tobydavenn - Broken Access Control $1,500 06/22/2022
Exploiting vulnerabilities in iOS Application Raj Singh Chauhan (@raj_singh_ch) - IDOR, Bruteforce, Lack of rate limiting, Account takeover, iOS bug - 06/22/2022
Widespread prototype pollution gadgets Gareth Heyes (@garethheyes) - Prototype pollution - 06/21/2022
XSS Vulnerability in IBM Content Navigator (CVE-2020-4757) Olivier Laflamme IBM XSS - 06/21/2022
Response Manipulation in the Admin panel lead to PII leakage Mahmoud Hamed (@7odamo_) UPS VDP Account takeover, HTTP response manipulation N/A (VDP) 06/20/2022
Every XSS is different Leonardo - XSS - 06/20/2022
Account Takeover by OTP bypass Vaibhav Kumar Srivastava - Information disclosure, Client-side enforcement of server-side security, OTP bypass, Account takeover N/A (VDP) 06/19/2022
Personal Access Token Disclosure in Asana Desktop Application Lauritz (@lauritz) Asana Information disclosure, Hardcoded credentials $6,100 06/18/2022
How I hacked one of the biggest Airline in the world Dali Jandro (@Sazouki_) - IDOR, Account takeover, Authorization flaw - 06/18/2022
Hacking a NFT Platform Muhammad Abdullah - SSRF 2 ETH 06/17/2022
How I was able to see likes and dislikes count which is hidden by victim | YouTube #2 Jay Jani (@JayJani007) Google Logic flaw, Authorization flaw - 06/17/2022
That Pipe is Still Leaking: Revisiting the RDP Named Pipe Vulnerability Gabriel Sztejnworcel (@sztejnworcel) Microsoft RCE - 06/16/2022
CSRF leads to account takeover in Yahoo! Retr02332 (@Retr02332) Yahoo CSRF, Account takeover $3,000 06/16/2022 Alternative link
Chaining MFA-Enabled IAM Users with IAM Roles for Potential Privilege Escalation in AWS Retr02332 (@Retr02332) Amazon Privilege escalation - 06/16/2022
The Android kernel mitigations obstacle race Man Yue Mo (@mmolgtm) Qualcomm Memory corruption bug, Android bug - 06/16/2022
XSS Blind Stored at Asset Domain Android Apps TikTok Aidil Arief TikTok Stored XSS $1,500 06/16/2022
Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive Proofpoint (@proofpoint) Microsoft Logic flaw $0 (Working as intended) 06/16/2022
Amazon Linux “log4j hotpatch” <1.3-5 local privilege escalation to root (race condition) Justin Steven (@justinsteven) Amazon Local Privilege Escalation - 06/15/2022
Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu Frédéric Basse (@FredoBasse) Google Hardware bug, Memory corruption bug - 06/15/2022
[BugTales] UnZiploc: From 0-click To Platform Compromise Daniel Komaromy (@kutyacica), Lorant Szabo (@szabolor) & Gyorgy Miru (@gymiru) Huawei Memory corruption bug, Logic flaw, RCE, Local privilege escalation - 06/14/2022
Hertzbleed Attack Yingchen Wang (@YingchenWang96), Riccardo Paccagnella (@ricpacca), Elizabeth Tang He, Hovav Shacham (@hovav), Christopher Fletcher & David Kohlbrenner (@dkohlbre) Intel, Cloudflare, Microsoft Side-channel attack, Hardware bug, Cryptographic issues - 06/14/2022
Automating reflected XSS with burp-suite Intruder Santosh Kumar Sha (@killmongar1996) - Reflected XSS $750 06/14/2022
2FA Bypass via Basic Authentication on private bug bounty program Sharat Kaikolamthuruthil (@sharp488) - 2FA bypass - 06/14/2022
Zimbra Email - Stealing Clear-Text Credentials via Memcache injection Sonar (@SonarSource) Zimbra Memcache injection, CRLF injection N/A (VDP) 06/14/2022
403 bypass on a fortune 100 financial institution (P3) Damaidec - Information disclosure, Authorization flaw, Forced browsing - 06/14/2022
Cryptographic Side-Channels (Timing Leaks) in JSBN Soatok (@SoatokDhole) Xfinity Opensource Cryptographic issue, Side-channel attack, Timing attack - 06/14/2022
SynLapse – Technical Details for Critical Azure Synapse Vulnerability & TL;DR Tzah Pahima (@TzahPahima) Microsoft Cross-tenant vulnerability, RCE $60,000 06/14/2022
Bypassing CSP with dangling iframes Gareth Heyes (@garethheyes) Google, Mozilla CSP bypass - 06/14/2022
500$ Account Takeover IONC Xsolla Account takeover, Information disclosure, HTTP response manipulation $500 06/14/2022
How I was able to see likes and dislikes count which is hidden by victim | YouTube #1 Jay Jani (@JayJani007) Google Logic flaw, Authorization flaw - 06/14/2022
Microsoft Azure Synapse Pwnalytics James Sebree Microsoft Privilege escalation - 06/13/2022
Finding vulnerabilities in curl 7.83.0 without reading a single-line of C code Haxatron (@Haxatron1) curl SSRF, Information disclosure, HSTS bypass - 06/12/2022
Hacking 6.5+ million websites => CVE-2022-29455 (Elementor) Rotem Bar (@rotembar), Gal Nagli (@naglinagli) & Tomer Zait (@realgam3) - XSS - 06/12/2022
How I found a Critical Bug in Instagram and Got 49500$ Bounty From Facebook Neeraj Sharma (@root_n33r4j) Meta / Facebook IDOR $49,500 06/12/2022
Same bug different platform Prajwol Dhungana (@PrajwolDhunga14) Facebook Logic flaw, Authorization flaw - 06/11/2022
From blind SSRF to localhost dirbusting and asset enumeration Jovan Šikanja (@joshibeast) - SSRF - 06/11/2022
A Story of a Bug Found Fuzzing Abdulrhman Alqabandi (@qab) Google, Microsoft Browser bug, Memory corruption bug - 06/11/2022
My first CVE-2022-31289 Praveen Mali (@pmmali_) Sonatype Authentication bypass, 403 bypass, HTTP response manipulation N/A (VDP) 06/11/2022
How to download eBooks from Google Play Store without paying for them Yess (@Yess_2021xD) Google Payment bypass, Logic flaw - 06/09/2022
CVE-2022-1040 Sophos XG Firewall Authentication bypass Nguyễn Đình Biển (@biennd279) Sophos Authentication bypass, RCE - 06/09/2022
Chaining vulnerabilities to criticality in Progress WhatsUp Gold Shubham Shah (@infosec_au) Progress (WhatsUp Gold) SSRF, Local File Disclosure, Information disclosure - 06/09/2022
Autodesk Fusion 360 <= 2.0.12887 “Insert SVG” Blind XXE Giulio ‘linset’ Casciaro (@Lins3t) Autodesk XXE N/A (VDP) 06/09/2022
De-Anonymization attacks against Proton services reversemode (@reversemode) Proton AG Privacy issue, Information disclosure, HTML injection, Local Privilege Escalation - 06/08/2022
Extracting Clear-Text Credentials Directly From Chromium’s Memory & Go BLUE! A Protection Plan for Credentials in Chromium-based Browsers Zeev Ben Porat Google Browser bug $0 (Won’t fix) 06/08/2022
Account Takeover by Chaining Two IDORs Demon (@R29k_) - IDOR, Account takeover - 06/08/2022
Exploiting Amazon active vulnerability Benjamin Walter Amazon Payment bypass, Logic flaw $0 (Informative) 06/08/2022
CVE-2022-26937: Microsoft Windows Network File System NLM Portmap Stack Buffer Overflow Yuki Chen (@guhe120), Guy Lederfein (@glederfein) & Jason McFadyen Microsoft Buffer Overflow, Memory corruption bug - 06/08/2022
Security Vulnerability in GitLab: Sending Arbitrary Requests through Jupyter Notebooks Daniel Fürst (@DnlFrst) GitLab HTML injection $1,500 06/07/2022
An unusual way to find XSS injection in one minute Andrey Onishchenko TimeWeb CSTI, XSS - 06/07/2022
Another vision for SSRF phor3nsic (@phor3nsic_br) - SSRF - 06/06/2022
If It’s a Feature!!! Let’s Abuse It for $750 Shakti Mohanty (@3ncryptSaan) - CSRF $750 06/05/2022
How Attacker could have suffocated the company staff Muhammad Abdullah - Default credentials $1,400 06/05/2022
Is Exploiting A Null Pointer Deref For LPE Just A Pipe Dream? Michael DePlante (@izobashi) Microsoft (Bitdefender) Memory corruption bug - 06/02/2022
How I Mass hunt for Admin Panel Access…🤩 Ratnadip Gajbhiye (@scspcommunity) Gemeente Delft (The City of Delft) Default credentials - 06/02/2022
Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty Chen Cohen (@chencococococo) Microsoft RCE $20,000 06/01/2022
How I found a GoldMine but got No Gold Muhammad Abdullah - Old components with known vulnerabilities $0 06/01/2022
SQL injection to Remote Command Execution (RCE) Kwadwo Amoako - SQL injection, RCE - 05/31/2022
From open redirect to RCE in one week byq (@ByQwert) Mail.ru Open redirect, SSRF, Insecure deserialization, LFI, RCE - 05/31/2022
Abusing Facebook’s feature for a permanent account confusion(logic vulnerability) Liv Facebook 2FA bypass, DoS, Logic flaw - 05/31/2022
How to find & access Admin Panel by digging into JS files…🥰 Ratnadip Gajbhiye (@scspcommunity) - Weak credentials, WAF bypass - 05/30/2022
External Authentication bypass in ingress-nginx Niemiec Marcin (@xvnpw) Kubernetes Path traversal, Authentication bypass $500 05/29/2022
Exploiting iOS app for fun and profit Bijan Murmu (@0xbijan) - Account takeover, Information disclosure - 05/29/2022
Hall of Fame Vice Media ? hacking while sleepy… Muhammad Syahrul Haniawan Vice Media Subdomain takeover N/A (VDP) 05/29/2022
Weird Email Verification Bypass Vaibhav Atkale - Email verification bypass - 05/28/2022
A Simple SQL Injection in an Air Force Website Corben Leo (@hacker_) U.S. Dept Of Defense SQL injection N/A (VDP) 05/27/2022
Bygone Vulnerabilities - Remote Code Execution in IBM Lotus SameTime Clients (CVE-2013-0553) Brian (@hoyahaxa) IBM XSS, RCE - 05/27/2022
Social Media Take Over = Easy Money Jesse Clark (@Hogarth45_) - Broken Link Hijacking - 05/26/2022
How an Open Redirection Leads to an Account Takeover? Mahendra Purbia (@Mah3Sec_) - Open redirect, Account takeover - 05/26/2022
Hijacking Over 100k GoDaddy Websites Jonathan Cran (@jcran), Shpend Kurtishaj (@shpendk) & Maxim Gofnung GoDaddy Subdomain takeover - 05/25/2022
The Printer Goes BRRRRR!!! & Slides Mehdi Talbi (@abu_y0ussef), Rémi Jullian (@netsecurity1) & Thomas Jeunet (@cleptho) HP, Lexmark, Canon Memory corruption bug $60,000 05/25/2022
How I made it into the United Nations hall of fame as I slept Vikaran (@vikaran101) United Nations XSS N/A (VDP) 05/25/2022
How I Found a company’s internal S3 Bucket with 41k Files Tarun Koyalwar (@KoyalwarTarun) - AWS misconfiguration $250 05/24/2022
Spoofing Microsoft 365 Like It’s 1995 Steve Borosh (@424f424f) Microsoft Spoofing, Phishing $0 (Won’t fix) 05/24/2022
CVE-2022-22977: VMware Guest Authentication Service LPE (FIXED) Jacob Baines (@Junior_Baines) VMware Local Privilege Escalation - 05/24/2022
How I Get Bounty From Takeover Account RyuuKhagetsu (@h4x0r_dz) - IDOR, Information disclosure, Password reset flaw, Account takeover - 05/23/2022
Breaking Reverse Proxy Parser Logic Blake Jacobs (@z0idsec) - Path traversal - 05/22/2022
Finding vulnerabilities in Swiss Post’s future e-voting system - Part 2 reversemode (@reversemode) Swiss Post Insecure deserialization, Crypto bugs - 05/22/2022
2FA Bypass on private bug bounty program due to improper caching mechanism Sharat Kaikolamthuruthil (@sharp488) - 2FA bypass - 05/22/2022
2FA Bypass on private bug bounty program due to CSRF token misconfiguration Sharat Kaikolamthuruthil (@sharp488) - 2FA bypass - 05/22/2022
Vulnerability In PayPal worth 200000$ bounty, Attacker can Steal Your Balance by One-Click h4x0r_dz (@h4x0r_dz) Paypal Clickjacking $0 (Informative) 05/22/2022
A business Logic issue worth $1500 Mohsin Khan (@tabaahi_) - Logic flaw $1,500 05/21/2022
How I was able to down a service of Microsoft ? Denial of Service (DOS) Attack on Microsoft. Harsh Banshpal (@harshbanshpal) Microsoft DoS $0 (OOS) 05/21/2022
PayPal IDOR via billing Agreement Token (closed Informative, payment fraud) h4x0r_dz (@h4x0r_dz) Paypal IDOR $0 (OOS) 05/21/2022
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web Avinash Sudhodanan (@sudoavi) & Andrew Paverd (@ajpaverd) Dropbox, Meta / Facebook (Instagram), LinkedIn, Wordpress & Zoom Account takeover, Pre-hijacking attack - 05/20/2022
Leaking Your GitHub Repositories With Snyk Code Ron Masas (@RonMasas) Snyk Path traversal, Broken Access Control N/A (VDP) 05/20/2022
How I was able to access IBM internal documents Mohamed Taha (@Mohamed12742780) IBM Information disclosure, IDOR - 05/19/2022 Alternative link
From Wayback to Account Takeover Mohamed Taha (@Mohamed12742780) Plex Information disclosure, Account takeover $120 05/19/2022
CVE-2022-21404: Another Story Of Developers Fixing Vulnerabilities Unknowingly Because Of CodeQL Paulino Calderon (@calderpwn) Oracle Insecure deserialization - 05/19/2022
Exploiting an Unbounded memcpy in Parallels Desktop: A Pwn2Own 2021 Guest-to-Host Virtualization Escape RET2 Systems (@ret2systems) Parallels Memory corruption bug $40,000 05/19/2022
A Tale of Confusing IDOR Avi (@naaash) TikTok IDOR $2,500 05/18/2022
Variant Cloud Analysis jspin (@jespinhara) - Default credentials - 05/18/2022
Vulnerability in Huawei’s AppGallery can download paid apps for free Dylan Roussel (@evowizz) Huawei Payment bypass, Logic flaw - 05/18/2022
Stealing Google Drive OAuth tokens from Dropbox Sivanesh Ashok (@sivaneshashok) & Sreeram KL (@kl_sree) Dropbox CSRF, SSRF, Account takeover $1,728 05/17/2022
Bypassing WAF to Weaponize a Stored XSS ne555 - Stored XSS - 05/17/2022
Hacking Swagger-UI - from XSS to account takeovers Dawid Moczadło (@kannthu1) Shopify, Paypal, GitLab, Atlassian, Yahoo, Microsoft, Jamf & others DOM XSS, Account takeover - 05/16/2022
Impact of an Insecure Deep Link Yashar Shahinzadeh (@YShahinzadeh) & Аli Dinifаr (@binb4sh) CafeBazaar Insecure deeplink, Android bug - 05/16/2022
Multiple bugs chained to takeover Facebook Accounts which uses Gmail. Youssef Sammouda (@samm0uda) Meta / Facebook XSS, CSRF, Account takeover $44,625 05/14/2022
My New Discovery In Oracle E-Business Login Panel That Allowed To Access For All Employees Information’s & In Some cases Passwords At More Than 1000 Companies Orwa Atyat (@GodfatherOrwa) & Abdullah Nawaf (@XHackerx007) - Exposed registration page - 05/14/2022
From android app to access admin dashboard Oday Alhalabi (@OdayAlhalabi) - Exposed registration page, Account takeover - 05/13/2022
Forging OAuth tokens using discovered client id and client secret Basyouni (@AshrafBasyoni4) - Information disclosure, Account takeover - 05/12/2022
New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108) Nguyễn Tiến Giang (@testanull) Microsoft Insecure deserialization, RCE - 05/12/2022
Takeover seller accounts worth billions & millions Bijan Murmu (@0xBijan) - IDOR, Account takeover - 05/12/2022
Spoofing SaaS Vanity URLs for Social Engineering Attacks Tal Peleg Box, Zoom, Google URL spoofing - 05/11/2022
Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923) Oliver Lyak (@ly4k_) Microsoft Active Directory Privilege Escalation - 05/10/2022
The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF… Renwa (@RenwaX23) - CSS injection, Clickjacking, Account takeover, XSS, Cookie bomb, Self-XSS, CSRF $3,850 05/10/2022
ResolveURI RXSS Imperva Waf Bypass Ahsan Shahid (@hunter0x8) - XSS - 05/10/2022
RCE via Dependency Confusion Samrat Gupta (@Sm4rty_) - Dependency confusion - 05/10/2022
Account verification code bypass lead to a $4000 bounty Mohsin Khan (@tabaahi_) - OTP bypass $4,000 05/08/2022
Can analyzing javascript files lead to remote code execution? Asem Eleraky (@melotover) - Unrestricted file upload, RCE - 05/08/2022
How I Paid For My Holiday With Bug Bounty Tobydavenn - XSS, Broken Access Control, IDOR, Unrestricted file upload - 05/08/2022
P1 Bug — PII information disclosure Huntersherlock - Information disclosure, IDOR - 05/08/2022
Its all about 2fa bypass, or Account Takeover anjaneyulu kanakatla - Password reset flaw, Account takeover, OTP bypass - 05/08/2022
The $16,000 Dev Mistake Daniel Marte (@Masonhck3571) - Information disclosure $16,000 05/07/2022
Cloudflare Pages, part 1: The fellowship of the secret, Part 2: The two privescs, Part 3: The return of the secrets & Cloudflare writeup Sean Yeoh (@seanyeoh) & James Hebden (@devec0) Cloudflare Command injection, Container escape, Bash Path injection, RCE, Local Privilege Escalation, Information disclosure - 05/06/2022
A Fun SSRF through a Headless Browser Corben Leo (@hacker_) - SSRF - 05/06/2022
Advanced sqlmap Case Study Peter M (@h1pmnh) - SQL injection - 05/06/2022
How We hacked (bypassed) Admin Panel just by JS file Zhenwar Hawlery (@zhenwarx) & moSec (@moe1n1) - Information disclosure - 05/06/2022
CVE-2022-0540 - Authentication bypass in Seraph Khoa Dinh (@_l0gg) - Authentication bypass - 05/06/2022
Chained Bug: XML File Upload to XSS to CSRF to Full Account Take Over (ATO) Zulfi Al-Farizi - XSS, CSRF, Account takeover $0 (Duplicate) 05/06/2022
Samsung Galaxy - Any App Can Install Any App In The Galaxy App Store Ken Gannon (@Yogehi) Samsung Android bug, Insecure intent - 05/04/2022
Samsung Flow - Any App Can Read The External Storage Ken Gannon (@Yogehi) Samsung Android bug, Insecure intent - 05/04/2022
Remotely permanent crash any Instagram user via permanent DoS in user DM’s. Naveen (@NaveenHax) Meta / Facebook DoS $1,575 05/04/2022
Business Logic Errors - Art of Testing Cards Jerry Shah (@Jerry) - Payment bypass, Logic flaw - 05/04/2022
How i found a vulnerability that leads to access any users’ sensitive data and got $500 Mr Robert | Ahmed M Hassan (@Mr_Robert20) Flickr Information disclosure $500 05/04/2022
[UNPATCHED] Cli: gh run download implementation allows overwriting git repository configuration upon artifacts downloading Vladimir Metnew (@vladimir_metnew) GitHub RCE $500 05/04/2022
Hacking a Bank by Finding a 0day in DotCMS Shubham Shah (@infosec_au) & Hussein Daher (@HusseiN98D) - Directory traversal, Unrestricted file upload, RCE - 05/03/2022
CVE-2022-25262 | JetBrains Hub single-click SAML response takeover Yurii Sanin (@SaninYurii) JetBrains Authorization flaw, SAML bug, OAuth flaw - 05/03/2022
How I got a lousy T-Shirt from the Dutch Government. Mava (@mava656) Dutch Government Old components with known vulnerabilities - 05/03/2022
ATO without any interaction [aws cognito misconfiguration] Shreyaskoli (@SPY8OY) GitHub Account takeover, Lack of rate limiting $550 04/30/2022
Page Admin Disclosure when Posting a Reel Syd Ricafort (@devsyd11) Meta / Facebook Spoofing $1,000 04/30/2022
Sensitive Data Exfiltration through XSS ($450) Zulfi Al-Farizi - Token leak $450 04/30/2022
Exploitation of an SSRF vulnerability against EC2 IMDSv2 Yassine Aboukir (@Yassineaboukir) - SSRF - 04/28/2022
Contact Point Deanonymization Vulnerability in Meta Lokesh Kumar (@lokeshdlk77) Meta / Facebook Information disclosure $12,000 04/28/2022
Wiz Research discovers “ExtraReplica”— a cross-account database vulnerability in Azure PostgreSQL Wiz (@wiz_io) Microsoft Cross-tenant vulnerability, Privilege escalation, Authentication bypass - 04/28/2022
2FA Secret value disclosure leads to 2FA Bypass - Bug Bounty Writeup Aditya Singh / rook1337 (@imrook1337) - 2FA bypass, Information disclosure - 04/28/2022
Encrypting our way to SSRF in VMWare Workspace One UEM (CVE-2021-22054) Keiran Sampson (@hpy_downunder), James Hebden (@devec0) & Shubham Shah (@infosec_au) VMware SSRF - 04/27/2022
Bypassing WAF for $2222 Divyansh Sharma - WAF bypass, Path traversal $2,222 04/27/2022
Azure Monitor – Malicious KQL Query Joosua Santasalo (@SantasaloJoosua) Microsoft Privilege escalation - 04/27/2022
Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages? Team Nautilus (@AquaSecTeam) GitHub Logic flaw - 04/26/2022
Fuzzing and credentials leakage..awesome bug hunting writeup Abdalrahman Alshammas - Hardcoded credentials, Information disclosure - 04/26/2022
Unlock any blur text/picture without membership/subscription on Scribd.com |By Neuchi Neil Neuchi Scribd.com Payment bypass, Logic flaw N/A 04/25/2022
How I got Apple Hall Of Fame ! shubhdeep (@Shubhdeeppp) Apple Content injection - 04/23/2022
How I Bypassed 2FA while Resetting Password Sufiyan Gouri (@gouri_sufyan) - 2FA bypass, Password reset flaw - 04/23/2022
Adventures Into The MeowCorp Bug Bounty Program Nirmal Thapa (@tnirmalz) - Information disclosure, Weak credentials, SSRF, .git folder disclosure, RCE - 04/21/2022
Security issues with cloudflare/odoh-server-go and the ODoH RFC draft Frans Rosén (@fransrosen) Cloudflare SSRF - 04/21/2022
Smashing the Modern Web Tech Stack — Part 1: The Evolving Threat Landscape in 2022 and DOM-based XSS in Cloud-Native React Apps. MalwareJoe - Open redirect, XSS - 04/21/2022
Open Redirection into Bentley System Amit Kumar (@Amitlt2) Bentley Systems XSS - 04/21/2022
Gaining Unlimited access to graph AuditLogs endpoint using complex filters with non-privileged user account Joosua Santasalo (@SantasaloJoosua) Microsoft Information disclosure, Privilege escalation - 04/21/2022
Exploiting a File Upload Vulnerability — A Directory Traversal Attack Kwadwo Amoako - Unrestricted file upload, Path traversal - 04/20/2022
CVE-2022-21449: Psychic Signatures in Java, A few clarifications about CVE-2022-21449, Lab by @datadoghq & Lab by @SecCodeWarrior Neil Madden (@neilmaddog) Oracle Signature bypass, Crypto bug - 04/19/2022
AWS’s Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation Unit 42 (@Unit42_Intel) Amazon Privilege escalation, Container escape - 04/19/2022
Palisade identifies Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace Palisade (@PalisadeLLC) Rarible XSS $5,000 04/18/2022
Stored XSS To Other Users Via Messages Tobydavenn - Stored XSS - 04/18/2022
SQL Injection in Harvard’s Subdomain Bibek Neupane (@nb1b3k) Harvard SQL injection - 04/17/2022
XSLeaking with my best bud SOP Ha Anh Hoang Microsoft Information disclosure - 04/15/2022
How we spoofed ENS domains for $15k Hacxyk. (@Hacxyk) ENS Homograph attack $15,000 04/15/2022
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #4 R ando (@Rando02355205) Google Broken Access Control - 04/15/2022
[3/3] Cache Poisoning & Lateral Movement @ GitLab IP GitLab Broken Access Control - 04/15/2022
CVE-2022-26133 - Bitbucket Data Center - Java Deserialization Vulnerability Benny Jacob (@bennyyjacob) Atlassian Insecure deserialization - 04/14/2022
Multiple Vulnerabilities in Cisco Expressway Christian Mehlmauer (@firefart) Cisco Memory leak, Exposed administrative interface - 04/14/2022
United Nations bug bounty[writeup] Debprasad Banerjee United Nations Information disclosure N/A (VDP) 04/14/2022
Abusing Azure Hybrid Workers for Privilege Escalation – Part 2: An Azure PrivSec Story Josh Magri (@passthehashbrwn) Microsoft Privilege escalation $10,000 04/14/2022
Blinding Snort: Breaking The Modbus OT Preprocessor Claroty’s Team82 (@Claroty) Cisco Memory corruption bug - 04/14/2022
Bypass Rate Limit — A blank space leads to this random encounter! Roxst4r (@mveswar98) - Password reset flaw, Rate-limiting bypass - 04/14/2022
[2/3] XSS Through The Front-Door @ GitLab IP GitLab XSS, CSP bypass, DOM-based JavaScript injection - 04/13/2022
Threat Evasion for aws:multifactorAuthPresent condition using Cloudshell Falcnix (@falcnix) Amazon MFA bypass - 04/13/2022
Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities Kasif Dekel (@kasifdekel) & Ronen Shustin (@ronenshh) Microsoft DoS, Memory corruption bug - 04/13/2022
Bypass Apple Corp SSO on Apple Admin Panel Stealthy (@stealthybugs) Apple Path traversal $6,000 04/12/2022
CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client Rhino Security Labs (@RhinoSecurity) Amazon Local Privilege Escalation - 04/12/2022
IDOR (Insecure Direct Object Reference) leads to listing all valid Users and edit their Profiles Ahmed Hassan Drexel University IDOR - 04/12/2022
CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed) Jacob Baines (@Junior_Baines) Microsoft Local Privilege Escalation - 04/12/2022
XSS - The LocalStorage Robbery Jerry Shah (@Jerry) & ethicalbughunter (@ethicalbughuntr) - XSS - 04/12/2022
Broken session control leads to access the admin panel even after revoking the access!! — #ZOHO Naveenroy Zoho Broken Access Control - 04/12/2022
NotGitBleed Aaron Devaney GitHub Information disclosure - 04/11/2022
AWS RDS Vulnerability Leads to AWS Internal Service Credentials Gafnit Amiga (@gafnitav) Amazon LFI - 04/11/2022
SVG SSRFs and saga of bypasses Preetham Bomma (@cyber01_) - SSRF, HTML injection - 04/11/2022
[1/3] Brute-Force Protection Bypass @ GitLab IP GitLab Bruteforce, Rate limiting bypass - 04/11/2022
The #100DaysOfHacking Challenge : A Game Changer for Me Najam Ul Saqib (@NjmUlSqb) - IDOR - 04/10/2022
Privacy Disclosure on Facebook Lite after Creating a Post Rhey Facebook Privacy issue $400 04/10/2022
XSS | HTML Injection and File Upload Bypass in HUAWEI Subdomain Ahmed Hassan Huawei XSS, HTML injection - 04/10/2022
MSRC – Joint security research write up – Azure AD Consent bypass disclosure with Kim Jamia – Q1/2022 Joosua Santasalo (@SantasaloJoosua) & Kim Jämiä (@KimJamia) Microsoft Authorization flaw - 04/09/2022
How a YouTube Video lead to pwning a web application via SQL Injection worth $4324 bounty Vishal Saini (@k4k4r07) - SQL injection $4,324 04/08/2022
Stripe checkout misconfiguration leads to an unlimited trial period Colin Winhall (@colinwinhall) Stripe Logic flaw, Payment bypass $0 (Informative) 04/08/2022
Meta’s SparkAR RCE Via ZIP Path Traversal Fady Othman (@Fady_Othman) Meta / Facebook RCE, Path traversal $2,500 04/07/2022
Multiple vulnerability leading to account takeover in TikTok SMB subdomain. Ahmad A Abdulla (@lu3ky13) TikTok IDOR $1,000 04/07/2022
How i got access to 1600k Users PII Data Gokul AP (@CodingGokul) - Information disclosure $1,500 04/06/2022
SSRF and Account Takeover via XSS in ERPNext (0-day) huli (@aszx87410) ERPNext SSRF, XSS, Account takeover $0 (No response) 04/06/2022
Watch out the links : Account takeover! Akash Hamal (@AkashHamal0x01) - Account takeover - 04/06/2022
CVE-2021-4119: [Bookstack] Email harvesting via SQL “LIKE” clause exploitation Haxatron (@Haxatron1) Bookstack Broken Access Control, SQL injection - 04/05/2022
New npm Flaws Let Attackers Better Target Packages for Account Takeover Team Nautilus (@AquaSecTeam) GitHub Information disclosure - 04/05/2022
HTTP Request Smuggling on business.apple.com and Others. Stealthy (@stealthybugs) Apple HTTP request smuggling $36,000 04/05/2022
Azure Active Directory Exposes Internal Information Secureworks (@Secureworks) Microsoft Information disclosure $0 (Won’t fix) 04/05/2022
How I hacked one of the biggest airlines group of the world Tarek Bouali (@iambouali) - IDOR, Account takeover N/A (VDP) 04/05/2022 Alternative link
CloudKit Share Records leak the title of private iCloud files David Schütz (@xdavidhu) Apple IDOR, Broken Access Control - 04/05/2022
CVE-2021-38159: MOVEit Transfer SQL Injection Analysis Tuan Anh Nguyen (@haxor31337) Palantir Public SQL injection $5,000 04/05/2022
Spoof as another Facebook user to report an impostor account Syd Ricafort (@devsyd11) Facebook Spoofing - 04/05/2022
NoSQL Injection in Plain Sight Kuldeep Pandya (@kuldeepdotexe) - NoSQL injection - 04/04/2022 Alternative link
MacOS SUHelper Root Privilege Escalation Vulnerability: A Deep Dive Into CVE-2022-22639 & PoC Mickey Jin (@patch1t) Apple Local Privilege Escalation - 04/04/2022
Hacked Nokia With Reflected Cross-site Scripting Vulnerability…. Amit Kumar (@Amitlt2) Nokia Reflected XSS N/A (VDP) 04/04/2022
Exploiting a double-edged SSRF for server and client-side impact Yassine Aboukir (@Yassineaboukir) & Surajjjj (@ninetyn1ne_) - SSRF - 04/03/2022
Hacked Instagram Handle Of Samsung…. Amit Kumar (@Amitlt2) Samsung Broken Link Hijacking - 04/03/2022
View Friends List of any users using “View as” | Facebook Bug bounty Ph.Hitachi Facebook Logic flaw, Broken Access Control - 04/02/2022
Multiple Times I Hacked Duke University With RXSS Vulnerability!!! Amit Kumar (@Amitlt2) Duke University Reflected XSS N/A (VDP) 04/02/2022
Design Flaw : A Tale of Permanent DOS (Informative -> Triaged) Akash Hamal (@AkashHamal0x01) - DoS - 04/02/2022
Write Up – Finapi (Open Banking API) Oauth Credentials Exposed In Plain Text In Android App Omar Espino (@omespino) - Hardcoded credentials, Android bug - 04/01/2022
Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint Gijs Hollestelle Microsoft Endpoint spoofing - 04/01/2022
Small bugs are more dangerous than you think Liv (@terminatorLM) - Self XSS, Stored XSS, Open redirect, CSRF - 04/01/2022
Pwning a Cisco RV340 with a 4 bug chain exploit Liv (@terminatorLM) Cisco Local Privilege Escalation, OS command injection, RCE, Session management flaw - 04/01/2022
Critical SSRF on Evernote Neolex (@NeolexSecurity) Evernote SSRF $5,000 03/31/2022
Got Access To Dota 2 Admin Panel By Exploiting In-game Feature Abdillah Muhamad (@abdilahrf) Valve XSS $900 03/31/2022
CVE-2022-27643 - NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability Relyze (@relyze) Netgear Memory corruption bug, RCE - 03/31/2022
Unauthenticated Remote Code Execution in Cisco Nexus Dashboard Fabric Controller (formerly DCNM) Pedro Ribeiro (@pedrib1337) Cisco Insecure deserialization, Local Privilege escalation, RCE - 03/30/2022
How I bypassed 403 forbidden domain using a simple trick Jan Muhammad Zaidi (@hasanakajan) - 403 bypass - 03/29/2022
Ruby Deserialization - Gadget on Rails HTTPVoid (@httpvoid0x2f) Ruby on Rails Insecure deserialization, RCE - 03/28/2022
Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All Kasif Dekel (@kasifdekel) & Ronen Shustin (@ronenshh) Microsoft RCE, Memory corruption bug, SQL injection - 03/28/2022
Stealing cookies from subdomain leads to takeover user accounts at redacted.com Bijan Murmu (@0xBijan) - Account takeover, XSS - 03/27/2022
Deleting account via support ticket Bijan Murmu (@0xBijan) - IDOR, Broken Access Control - 03/26/2022
Bug Bounty Adventures: A NodeBB 0-day Marouane Mouhtadi (@Mar0_0uane) Opera CSRF, Account takeover, SSO bug, Authentication flaw - 03/25/2022
Clipboard hazard with Google Sheets Imre Rad (@ImreRad) Google Phishing $0 (Working as intended) 03/25/2022
Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router (PSV-2022–0044) stypr (@stereotype32) Netgear XSS, Arbitrary file read, Authentication bypass, OS command injection, RCE - 03/25/2022
Pwn2Own Austin 2021 : Defeating The Netgear R6700V3 Antide Petit (@xarkes_) & Mitsurugi Heishiro (@0xmitsurugi) Netgear RCE, Memory corruption bug - 03/25/2022
How Token Misconfiguration can lead to takeover account Cryptographer (@justluthra) - Account takeover, Logic flaw - 03/24/2022
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) Alex Plaskett (@alexjplaskett), Cedric Halbronn (@saidelike) & Aaron Adams (@fidgetingbits) Western Digital RCE - 03/23/2022
How I Was Able To TakeOver Any Account On One Of Europe’s Largest Media Companies Tobydavenn - IDOR, Account takeover N/A (VDP) 03/23/2022
When Equal is Not, Another WebView Takeover Story +Ch0pin (@Ch0pin) - Android bug - 03/22/2022
Authentication bypass using root array Eslam Akl (@eslam3kll) - Authentication bypass, Information disclosure - 03/22/2022
Basic recon to RCE II Joshua Martinelle (@J0_mart) - RCE - 03/22/2022
Story about more than 3.5 million PII leakage in Yahoo!!! dhakal_bibek (@dhakal__bibek) Yahoo IDOR, Information disclosure, iOS bug $9,500 03/22/2022
Targeting Visual Studio Code for macOS: File Discovery and a TCC bypass (kinda) & PoC Alfie Champion (@ajpc500) Apple, Microsoft Local Privilege Escalation, TCC bypass, MacOS bug $0 (Won’t fix) 03/21/2022
($$$) Broken Authentication and IDOR at [REDACTED] Rizaldi Wahaz (@wah_haz) - IDOR - 03/21/2022
Broken session control leads to access private videos using the shared link even after revoking the access for specific time!! — #GoogleVRP Naveenroy Google Broken Access Control $0 (Intended behaviour) 03/20/2022
Bug Bounty catches part -1 Bijan Murmu (@0xBijan) - Authentication bypass, Information disclosure, Broken Access Control - 03/20/2022
CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera Maciej Pulikowski (@pulik_io) Google, Microsoft, Opera Browser bug $10,000 03/19/2022
Airdrop: Symbolic Link Following Ron Masas (@RonMasas) Apple iOS bug - 03/19/2022
Adobe bug bounty using IDOR, Confidential data leaks Debprasad Banerjee Adobe IDOR - 03/19/2022
Insecure Direct Object Reference Exposes all users of Microsoft Azure Independent Software Vendors Meareg Microsoft IDOR - 03/18/2022
For the first Bounty, it takes a few challenging months, but only a few days for the second. Aneesha D (@interc3pt3r) - Old components with known vulnerabilities $250 03/18/2022
Bypass confirmation to add payment method. Yaj Desu - Email verification bypass, Logic flaw - 03/18/2022
Abusing Azure Hybrid Workers for Privilege Escalation – Part 1 Josh Magri (@passthehashbrwn) Microsoft Privilege escalation - 03/17/2022
My First Blind SQL Injection T VAMSHI - SQL injection - 03/17/2022
Parameter Pollution - Zero Day Jerry Shah (@Jerry) & ethicalbughunter (@ethicalbughuntr) Discourse HTTP Parameter Pollution - 03/17/2022
From XSS to RCE (dompdf 0day) Positive Security (@positive_sec) - XSS, RCE N/A (VDP) 03/16/2022
Git honours embedded bare repos, and exploitation via core.fsmonitor in a directory’s .git/config affects IDEs, shell prompts and Git pillagers Justin Steven (@justinsteven) GitHub, Microsoft, JetBrains RCE - 03/16/2022
How I was able to find 50+ Cross-site scripting (XSS) Security Vulnerabilities on Bugcrowd Public Program? & frequest akshal(tojojo) - XSS - 03/16/2022
SSD Advisory – Exchange Server GetWacInfo Information Disclosure Vulnerability Alex Birnberg (@alexbirnberg) Microsoft XXE, Information disclosure - 03/15/2022
Securing Developer Tools: Git Integrations Sonar (@SonarSource) Microsoft, JetBrains, GitHub Local Privilege Escalation - 03/15/2022
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582) Richard Warren (@buffaloverflow) Apple Arbitrary file write - 03/15/2022
How I managed to trigger XSS automatically to get critical account takeover c4rrilat0r (@c4rrilat0r) - Stored XSS $3,000 03/15/2022
CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years Mickey Jin (@patch1t) Apple Local Privilege Escalation, GateKeeper bypass - 03/15/2022
CVE-2020-24427: Adobe Reader CJK Codecs Memory Disclosure Vulnerability Haboob Research Team (@HaboobSa) Adobe Memory disclosure - 03/15/2022
My First Bug on VDP & BBP - Bug Bounty Aditya Singh / rook1337 (@imrook1337) - Stored XSS - 03/15/2022
From Recon via Censys and DNSdumpster, to Getting P1 by Login Using Weak Password – “password” YoKo Kho (@YokoAcc) - WAF bypass, Weak credentials $2,500 03/14/2022 Alternative link
Achieving Remote Code Execution via Unrestricted File Upload Haroon Hameed - Unrestricted file upload, RCE $3,000 03/14/2022
SQL Injection at Spotify Eslam Akl (@eslam3kll) Spotify SQL injection - 03/14/2022
How I access other domains in infinityfree.net using Directory Traversal Kurt Russelle Marmol InfinityFree Directory traversal - 03/14/2022
How I Made The BBC Hall Of Fame 3 Times Tobydavenn BBC Information disclosure N/A (VDP) 03/14/2022
How I bypassed disable_functions in php to get a remote shell Asem Eleraky (@melotover) - RCE - 03/13/2022
Open Redirect via Sendgrid Email Misconfiguration Rifqi Hilmy Zhafrant - Open redirect $250 03/13/2022
A Tale of Open Redirection to Stored XSS Tushar Sharma (@tusharSharma_0) - Stored XSS, Open redirect - 03/12/2022
XSS through base64 encoded JSON Aman Pareek (@aman_notsogreat) - XSS - 03/12/2022
I can see the dislikes count even though is hidden by YouTube | YouTube ($500) R ando (@Rando02355205) Google Broken Access Control, IDOR $500 03/12/2022
I have Found Microsoft Subdomain Website database list, database username, password Bot Ami (@Botami143) Microsoft Information disclosure - 03/11/2022
How Did I Leak 5.2k Customer Data From a Large Company? (via Broken Access Control) can1337 (@canmustdie) - Broken Access Control - 03/11/2022
CVE-2022-24696 – Glance By Mirametrix Privilege Escalation Oddvar Moe (@Oddvarmoe) Lenovo Local Privilege Escalation N/A (VDP) 03/11/2022
How I was able to takeover any users account on a major telecoms website Tobydavenn - XSS - 03/11/2022
Rate Limit Bypass at Readme.com Girishbo Readme.com Lack of rate limiting, Password reset flaw - 03/11/2022
How I was able to read any users confidential reports on a public level domain Tobydavenn - IDOR - 03/10/2022
Escalating from Logic App Contributor to Root Owner in Azure Josh Magri (@passthehashbrwn) Microsoft Privilege escalation - 03/09/2022
How I Was Able To Wipe Any Registered Account Tobydavenn - Logic flaw - 03/09/2022
Demographic Misconfiguration on Facebook live Prajwol Dhungana (@PrajwolDhunga14) Facebook Logic flaw, Authorization flaw - 03/09/2022
SSD Advisory – NETGEAR DGND3700v2 PreAuth Root Access - Netgear Authentication bypass, OS command injection, RCE - 03/09/2022
Oracle Access Manager Pre-Auth RCE (CVE-2021–35587 Analysis) Jang (@testanull) & peterjson (@peterjson) Oracle RCE - 03/09/2022
Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities Unit 42 (@Unit42_Intel) Google Privilege escalation, Container escape, Kubernetes bug - 03/08/2022
Log4shell in google $1337.00 amnotacat (@Amnotacat1) Google Log4shell, RCE $1,337 03/08/2022
How I managed to make a DDoS attack by exploiting a company’s service — Bug Bounty Mr Empy (@mr_empy) - DoS - 03/08/2022
Circumventing Browser Security Mechanisms For SSRF HTTPVoid (@httpvoid0x2f) - SSRF, XSS - 03/08/2022
AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service Yanir Tsarimi (@Yanir_) Microsoft Cross-tenant vulnerability, Account takeover $40,000 03/07/2022
The Bad Twin: a peculiar case of JWT exploitation scenario Sandh0t (@sandh0t) - Account takeover $3,000 03/07/2022
Some critical vulnerabilities found with passive analysis on bug bounty programs explained Daniel V (@d4niel_v) - Information disclosure, Logic flaw - 03/07/2022
WhatsApp Bug Bounty: Bypassing biometric authentication using voip Arvind (@ar_arv1nd) Meta / Facebook Authentication bypass - 03/05/2022
How I Hacked A Crypto Company And Could Steal 1 Million Dollars Worth of Bitcoin zoid (@z0idsec) - Path traversal $9,000 03/05/2022
More secure Facebook Canvas Part 2: More Account Takeovers Youssef Sammouda (@samm0uda) Meta / Facebook Account takeover $98,250 03/04/2022
CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED) Jacob Baines (@junior_baines) GitLab Username enumeration, GraphQL bug - 03/03/2022
4300$ Instagram IDOR Bug (2022) Nawaf Alkhaldi (@nvmeeet) Meta / Facebook IDOR $4,300 03/02/2022
Moodle 2nd Order Sqli mufinnnnnnn (@mufinnnnnnn) Moodle SQL injection - 03/02/2022
IDOR in support.mozilla.org through Code Review Brandon Roldan Mozilla IDOR $1,500 03/02/2022
CVE-2022-24948: Apache JSPWiki preauth Stored XSS to ATO Chamal Apache Stored XSS, Account takeover - 03/02/2022
webOS Revisited - Even More Mistaken Identities Andreas Lindh (@addelindh) LG Local Privilege escalation, Browser bug - 03/02/2022
[ Directory Traversal attack ] How did I find it using GitHub Fenrir (@leetibrahim) - Information disclosure, Path traversal - 03/02/2022
Skype extension: All functionality broken? Still exploitable! Wladimir Palant (@WPalant) Microsoft Information disclosure, Privacy issue - 03/01/2022
Password Reset to Admin Access Jesse Clark (@Hogarth45_) - Account takeover, Authentication bypass, Password reset flaw - 03/01/2022
BrokenPrint: A Netgear stack overflow Alex Plaskett (@alexjplaskett), Cedric Halbronn (@saidelike) & Aaron Adams (@fidgetingbits) Netgear Memory corruption bug, RCE - 02/28/2022
Hacking Subscription Plans for free service. Muhammad Khizer Javed (@khizer_javed47) - Payment bypass, OTP bypass - 02/27/2022
CVE-2022-22947: SpEL Casting And Evil Beans Wyatt Dahlenburg (@wdahlenb) - RCE - 02/26/2022
SSRF & LFI In Uploads Feature Raymond Lind - SSRF, LFI, HTML injection - 02/26/2022
Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager Egor Dimitrenko (@elk0kc) VMware Authentication bypass, RCE, SSRF, Path traversal - 02/25/2022
Path Traversal Paradise Kuldeep Pandya (@kuldeepdotexe) - Authentication bypass, RCE, SSRF, Path traversal - 02/25/2022
A Weird Price Tampering Vulnerability vFlexo (@vflexo) - Payment tampering, Logic flaw $200 02/25/2022
Bypassing default visibility for newly-added email in Facebook(Part I - Submitting I.D) & Part II - Trusted Contacts Kent Jarold Abulag (@wkemenhehehegsg) Meta / Facebook Logic flaw $1,500 02/25/2022
Piercing the Cloud Armor - The 8KB bypass in Google Cloud Platform WAF Kloudle (@Kloudleinc) Google WAF bypass - 02/24/2022
How I Hacked the Dutch Government with SQLi and Won the Famous T-Shirt? Göktuğ Kaya (@g0ktugkaya) Dutch Government SQL injection N/A (VDP) 02/24/2022
Stealing a few more GitHub Actions secrets Teddy Katz (@not_aardvark) GitHub Logic flaw $7,500 02/23/2022
Write Up – Android Application Screen Lock Bypass Via ADB Brute Forcing Omar Espino (@omespino) - Android bug, Bruteforce, Authentication bypass - 02/22/2022
Facebook android vulnerability: Launching internal/tighten deeplink onbehalf of user Rahul Kankrale (@RahulKankrale) - Android bug, Insecure deeplink $3,525 02/22/2022
OAuth and PostMessage - Chaining misconfigurations for your access token. Suraj Disoja (@ninetyn1ne_) - OAuth flaw, postMessage misconfiguration, Token theft - 02/21/2022
How I could’ve bypassed the 2FA security of Instagram once again? Samip Aryal Meta / Facebook 2FA bypass, Logic flaw $3,150 02/21/2022
Finding an unseen SQL Injection by bypassing escape functions in mysqljs/mysql stypr (@stereotype32) Oracle (MySQL) SQL injection - 02/21/2022
What an injection into jQuery-selector can lead to Anton Subbotin (@ska_vans) - CSRF - 02/21/2022
XSS in hidden input field Faizan Elahi - XSS - 02/21/2022
Send a Email to me and get kicked out of Google Groups !! — #GoogleVRP — A Feature that almost broke Google Groups !! Sriram Kesavan (@sriramoffcl) Google Logic flaw, Authorization flaw $3,133.7 02/20/2022
A Case Study of API Vulnerabilities Monke (@pmofcats) - Information disclosure, Account takeover, Broken Access Control - 02/20/2022
Bypassing Cloudflare’s WAF! Friendly (@SkeletorKeys) - XSS, WAF bypass - 02/19/2022
CVE-2022-23835: A security analysis of Visual Voicemail Chris Talbot AT&T, T-Mobile Voicemail bug - 02/19/2022
My Experience of Hacking Dutch Government remonsec (@remonsec) Dutch Government - N/A (VDP) 02/24/2022
Passive Recon with Spyse (Part-II) & Part-I remonsec (@remonsec) - Subdomain takeover, AWS misconfiguration $2,100 02/19/2022
How I get my first SWAG from SIDN (Sensitive Data Exposer) remonsec (@remonsec) SIDN Directory listing, Information disclosure, 403 bypass N/A (VDP) 02/19/2022
RCE in GitHub Desktop < 2.9.4 Vladimir Metnew (@vladimir_metnew) GitHub RCE $2,000 02/18/2022
Stored XSS in message.alibaba.com ($2,000) R ando (@Rando02355205) Alibaba Stored XSS $1,000 02/18/2022
Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) Cedric Halbronn (@saidelike), Aaron Adams (@fidgetingbits) & Alex Plaskett (@alexjplaskett) Lexmark Arbitrary file write, Race condition, Printer bug - 02/18/2022
Recon and YouTube, is that a thing? Marcos IAF / Rohit (@marcos_iaf) - Subdomain takeover - 02/17/2022
403 forbidden bypass & Accessing config files using a header vishnurajr - 403 bypass, Authorization flaw - 02/17/2022
Advisory: Cisco RV340 Dual WAN Gigabit VPN Router (RCE over LAN) Quentin Kaiser (@QKaiser) Cisco RCE, Unrestricted file upload, OS command injection - 02/17/2022
How I earned $9000 with Privilege escalations Junaid Khan (@JunoonBro) - Privilege escalation $9,000 02/16/2022
My first report on HackerOne: A logic flaw in npm ElSec (@ElSec_) GitHub Logic flaw - 02/16/2022
My First Reflected XSS Bug Bounty — Google Dork — $xxx Proviesec (@proviesec) - Reflected XSS - 02/16/2022
Hacked Dutch Government Website. All I got was this l̶o̶u̶s̶y̶ cool T-Shirt. Romesh chander Dutch Government Information disclosure N/A (VDP) 02/16/2022
Bug Report; Bypassing Weekly Limits In Basic (Free) LinkedIn Account Ashok Acharya LinkedIn Logic flaw - 02/16/2022
Hunting for bugs in VMware: View Planner and vRealize Business for Cloud Mikhail Klyuchnikov (@__Mn1__) & Egor Dimitrenko (@elk0kc) VMware RCE - 02/15/2022
Trim private live videos and access them (Meta bug bounty) abdellah yaala (@yaalaab) Meta / Facebook IDOR $7,500 02/15/2022
Static Taint Analysis Using Binary Ninja: A Case Study Of MySQL Cluster Vulnerabilities Reno Robert (@renorobertr) Oracle (MySQL) Memory corruption bug - 02/15/2022
Advisory: Western Digital My Cloud Pro Series PR4100 RCE Quentin Kaiser (@QKaiser) Western Digital RCE, OS command injection - 02/15/2022
BigQuery SQL Injection Cheat Sheet Ozgur Alp (@ozgur_bbh) & Anil Yuksel (@anilyukk) - SQL injection - 02/14/2022
My First Bounty and How I Got It Aneesha D (@interc3pt3r) - Subdomain takeover INR 10,000 (~ $132) 02/14/2022
Hacking AWS Cognito Misconfiguration to Zero Click Account Takeover Preetham Bomma (@cyber01_) - AWS misconfiguration, Account takeover - 02/14/2022
How i made 15k$ from Remote Code Execution Vulnerability & Demo Abdulrahman Makki (@AMakki1337) - Code injection, RCE, Self XSS $15,000 02/13/2022
Broken Link Hijacking - Mr. User-Agent Jerry Shah (@Jerry) - Broken link hijacking - 02/13/2022
A tale of 0-Click Account Takeover and 2FA Bypass. Firas Fatnassi (@Fatnass1F1ras) - Account takeover, Password reset flaw, 2FA bypass - 02/12/2022
“Zero-Days” Without Incident - Compromising Angular via Expired npm Publisher Email Domains Matthew Bryant (@IAmMandatory) GitHub Supply chain attack $0 (OOS, Duplicate) 02/11/2022
QRCDR ZeroDay Path Traversal Vulnerability Farhad Karimi (@n0lsec) - Path traversal - 02/11/2022
flashback_connects (Cisco RV340 SSL VPN Unauthenticated Remote Code Execution as root) Pedro Ribeiro (@pedrib1337) & Radek Domanski (@RabbitPro) Cisco Memory corruption bug - 02/11/2022
Subdomain Takeover via Leadpages Services on Tiktok Mohamed Haron (@m7mdharon) Tiktok Subdomain takeover $0 02/11/2022
Mindshare: When Mysql Cluster Encounters Taint Analysis Lucas Leong (@wmliang) Oracle (MySQL) Memory corruption bug - 02/10/2022
Microsoft Team’s Unpatched URL Spoofing Vulnerability Priyank Raval Microsoft URL spoofing $0 (Won’t fix) 02/09/2022
How I hacked Google to read files from their servers for free! Harish SG (@CoderHarish) Google Arbitrary file read $0 (Informative) 02/09/2022
ICMAD SAP Vulnerabilities (CVE-2022-22536, CVE-2022-22532 & CVE-2022-22533) SAP Product Security Response team & Onapsis’ Research Labs SAP HTTP request smuggling, Memory leak, DoS, Memory corruption bug - 02/08/2022
Oracle Server Side Request Forgery (SSRF) Metadata Lidor Ben Shitrit Oracle SSRF - 02/08/2022
Story of critical security flaws I found in Glints huli (@aszx87410) Glints IDOR, Information disclosure 1600 SGD (~ $1,200) 02/08/2022
WordPress < 5.8.3 - Object Injection Vulnerability Simon Scannell (@scannell_simon) & Karim El Ouerghemmi WordPress Object injection, RCE - 02/08/2022
SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-21999) Olivier Lyak (@ly4k_) Microsoft Local Privilege Escalation - 02/08/2022
How Docker Made Me More Capable and the Host Less Secure Alon Zahavi (@Alon_Z4) Microsoft Local Privilege Escalation - 02/08/2022
CVE-2022-21703: cross-origin request forgery against Grafana Julien Cretel (@jub0bs) & abrahack (@theabrahack) Grafana Labs CSRF, SSRF - 02/08/2022
SQL Injection, Reflected XSS and Information Disclosure in one subdomain in just 10 minutes Mahmoud Hamed (@7odamo_) - SQL injection, XSS, Information disclosure - 02/08/2022
Full Account takeover (ATO) — a tale of two bugs 🐛 Kwadwo Amoako - IDOR, Account takeover - 02/08/2022
Google Security Misconfiguration Leads to Account Takeover ! Harsh Banshpal Google Logic flaw, Spoofing $0 (Won’t fix) 02/08/2022
What I Found on Sony Vulnerability Disclosure Program Aditya Singh / rook1337 (@imrook1337) Sony Information disclosure, Lack of rate limiting, Open redirect, IDOR, XSS N/A (VDP) 02/07/2022
How can I access the members-only video comment? | YouTube ($5,000) R ando (@Rando02355205) Google Broken Access Control $5,000 02/07/2022
Insecure Bootstrap Process in Oracle Cloud CLI Nightwatch Cybersecurity (@nightwatchcyber) Oracle Supply chain attack - 02/06/2022
Auth Bypass in Google Assistant David Schütz (@xdavidhu) Google Information disclosure, Authentication bypass $2,674 02/06/2022
Auth Bypass in com.google.android.googlequicksearchbox David Schütz (@xdavidhu) Google Authentication bypass $1,337 02/06/2022
How I found a critical P1 bug in 5 minutes using a cellphone — Bug Bounty Mr Empy (@mr_empy) - SQL injection - 02/06/2022
Facebook Oauth bypass abdellah yaala (@yaalaab) Meta / Facebook OAuth flaw $7,500 02/05/2022
What Bypassing Razer’s DOM-based XSS Patch Can Teach Us EdOverflow (@EdOverflow) Razer DOM XSS - 02/05/2022
How I bypassed PHP functions to read sensitive files on server Kailash (@corrupted_brain) - Components with known vulnerabilities, RCE - 02/04/2022
Bypassing the AWS WAF protection with an 8KB bullet Kloudle (@Kloudleinc) Amazon WAF bypass - 02/24/2022
Write Up – Private Bug Bounty: RCE In EC2 Instance Via SSH With Private Key Exposed On Public Github Repository – $xx,000 USD Omar Espino (@omespino) - Information disclosure - 02/03/2022
Solving DOM XSS Puzzles Eugene Lim (@spaceraccoonsec) - DOM XSS - 02/03/2022
HigherLogic Community RCE Vulnerability 0daystolive (@0daystolive) 8x8, IBM Insecure deserialization, RCE $1,250 02/03/2022
Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments Apiiro’s Security Research Argo CD Supply chain attack, CI/CD bug N/A (VDP) 02/03/2022
A technique to semi-automatically find vulnerabilities in WordPress plugins kazet (@kazet1234) - XSS, SQL injection, Open redirect, CSRF - 02/03/2022
How I Tracked You Around The Globe 🌎 0xdroopy (@NikhilK50866227) Google (Waze) Information disclosure, Privacy issue - 02/02/2022
Abusing Facebooks Call To Action To Launch Internal Deeplinks Ashley King (@AshleyKingUK) Meta / Facebook CSRF, Android bug, iOS bug $4,000 02/02/2022
My first bounty, IDOR + Self XSS [€3000] Ladecruze (@ladecruze) Intigriti Self XSS, IDOR $3,000 02/02/2022
A misconfigured Apache Airflow to AWS Account Compromise Avinash Jain (@logicbomb_1) - Outdated component with a known vulnerability, Privilege escalation, Information disclosure - 02/02/2022
My experience of Hacking The Dutch Government Phenomenal (@Chawla12111) Dutch Government XSS N/A (VDP) 02/02/2022
No Rate Limiting on OTP sending nOOb_mAsTeR - Bruteforce, Lack of rate limiting - 02/02/2022
CVE-2021-44142: Details On A Samba Code Execution Bug Demonstrated At Pwn2Own Austin Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) & Billy Jheng Bing-Jhong (@st424204) - Memory corruption bug, RCE $45,000 02/01/2022
A Peculiar Case of XSS and my first bug Aman Pareek (@aman_notsogreat) Bentley Systems XSS - 02/01/2022
A story of leaking uninitialized memory from Fastly Emil Lerner (@emil_lerner) Fastly HTTP/3 bug, Memory leak, Information disclosure N/A (VDP) 02/01/2022
How I approached Dependency Confusion! Aditya Soni (@hetroublemakr) - Dependency confusion - 02/01/2022
Hacking Google Drive Integrations Harsh Jaiswal (@rootxharsh) Dropbox SSRF $17,576 01/31/2022
Microsoft OneDrive For Macos Local Privilege Escalation Offensive Security (@offsectraining) Microsoft Local Privilege Escalation, MacOS bug - 01/31/2022
Missing rate-limiting. How I was able to add any unowned phone number to my Facebook account? (Bounty: 5000 USD) Shubham Bhamare (@theshubh77) Meta / Facebook OTP bypass, Bruteforce, Lack of rate limiting $5,000 01/31/2022
Remote Code Execution in .tgz File Upload Nick Berrie (@machevalia) - RCE, Unrestricted file upload $3,100 01/30/2022
Stored Cross-Site Scripting in MediaWiki Nick Berrie (@machevalia) - Stored XSS $1,090 01/30/2022
Access Control Violation – Wiki Page Creation Nick Berrie (@machevalia) - Authorization flaw $522.50 01/30/2022
XSS via X-Forwarded-Host header Abhijeet Biswas (@abhijeetbiswas_) Omise XSS, Host header injection $200 01/30/2022
2fa Bypass by changing Request method Arth Bajpai (@arth_bajpai) - 2FA bypass - 01/30/2022
How I hacked my way to the top of DARPA’s hardware bug bounty Malcolm Stagg (@malcolmst) DARPA FETT Hardware bug - 01/30/2022
How I Made $16,500 Hacking CDN Caching Servers — Part 1 & Part 2 & Part 3 Kevin (@bxmbn) - Web cache poisoning, Stored XSS, Web cache deception $16,500 01/29/2022
Paytm-Broken Link Hijacking Lohith Gowda M (@lohigowda_in) Paytm Broken link hijacking - 01/29/2022
Multiple HTTP Redirects to Bypass SSRF Protections ne555 - SSRF - 01/29/2022
Command Injection in Google Cloud Shell Ademar Nowasky Junior Google RCE, OS command injection $5,000 01/28/2022
The Story of a RCE on a Java Web Application LIL NIX (@Lil__Nix) - RCE, Insecure deserialization - 01/28/2022
Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite SirLeeroyJenkins (@SirLeeroyJenkin) Lark Technologies SSRF - 01/28/2022
The Story of an RCE on a Java Web Application LIL NIX (@Lil__Nix) - Insecure deserialization - 01/27/2022
Stealing administrative JWT’s through post auth SSRF (CVE-2021-22056) Christopher (@Kharosx0) VMware Windows Driver bug, Kernel DoS - 01/27/2022
CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability Reegun Jayapaul (@reegun21) Microsoft URL validation bypass - 01/27/2022
Technical Analysis of CVE-2022-22583: Bypassing macOS System Integrity Protection (SIP) Perception Point Apple MacOS bug, SIP bypass - 01/27/2022
Auth Bypass in ADOdb CVE-2021-3850 Emmet Leah - Authentication bypass - 01/26/2022
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google’s KCTF Containers Crusaders of Rust (@cor_ctf) Google Container escape, Kubernetes bug $31,337 01/25/2022
How I could have read your confidential bug reports by simple mail? Sudhakar Muthumani (@Sudhakarmuthu04) Microsoft Information disclosure, Logic flaw $0 (OOS) 01/25/2022
Hacking the Apple Webcam (again) Ryan Pickren Apple UXSS $100,500 01/25/2022
HOW I hacked thousand of subdomains MoSec (@moe1n1) - Subdomain takeover $5,000 01/25/2022
How I was able to take over accounts in websites deal with Github as an SSO provider Khaled Mohamed - Bruteforcing, Lack of rate limiting, SSO bug, Email validation bypass, Account takeover - 01/25/2022
First Valid BUG Finding At Microsoft And I Got the Acknowledgments Page Microsoft Aidil Arief Microsoft XSS - 01/25/2022
CVE-2021-44790: Code Execution On Apache Via An Integer Underflow Chamal Apache Memory corruption bug - 01/25/2022
How I got access to 25+ Tesla’s around the world. By accident. And curiosity. David Colombo (@david_colombo_) Tesla Default credentials - 01/23/2022 Alternative link
Solarwinds Web Help Desk: When the Helpdesk is too Helpful Assetnote Security Research Team SolarWinds Information disclosure, Hardcoded credentials - 01/23/2022
Path Traversal Paradise Kuldeep Pandya (@kuldeepdotexe) - Path traversal - 01/23/2022 Alternative link
How I was able to find multiple vulnerabilities of a Symfony Web Framework web application Abid Ahmad (@RootIntrud3r) - Debug mode enabled, Information disclosure - 01/23/2022
120 Days of Frequent Hacking Kuldeep Pandya (@kuldeepdotexe) & Sam Paredes (@caffeinevulns) - SSRF, LFI, Information disclosure, XSS, SQL injection - 01/21/2022
Facebook room deep linking vulnerability, allow malicious user to know the code for anyone’s meeting. Quel (@RootIntrud3r) - Insecure deep link, Android bug $0 (Informative) 01/21/2022
Hashing the Favicon.ico Ski Mask (@Ski_Mask0) - Information disclosure $100 01/21/2022
ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central Steven Seeley (@steventseeley) Zoho Authentication bypass - 01/20/2022
How I messed up my own profile data Himmat Singh - Authorization flaw - 01/20/2022
Finding vulnerabilities in Swiss Post’s future e-voting system - Part 1 reversemode (@reversemode) Swiss Post Insecure deserialization, Crypto bugs - 01/18/2022
CVE-2022-21661: Exposing Database Info Via Wordpress SQL Injection ngocnb and khuyenn WordPress SQL injection - 01/18/2022
Zooming in on Zero-click Exploits Natalie Silvanovich (@natashenka) Zoom Memory corruption bug - 01/18/2022
Mixed Messages: Busting Box’s MFA Methods Tal Peleg Box OTP bypass, MFA bypass - 01/18/2022
Stealing administrative JWT’s through post auth SSRF (CVE-2021-22056) Shubham Shah (@infosec_au) & Keiran Sampson (@hpy_downunder) VMware SSRF, CSRF - 01/17/2022
Write Up – Private Bug Bounty: Firebase Database Exposed By Misconfiguration – $2,000 USD Omar Espino (@omespino) - Android bug, Insecure Firebase database $2,000 01/17/2022
Critical XSS in chrome extension p3rr0 (@Hperalta89) - XSS, postMessage bug $1,500 01/17/2022
How i found “Broken Access Control Through out-of-sync setup” and got $1000 Mr Robert | Ahmed M Hassan (@Mr_Robert20) - Broken Access Control, Authorization flaw $1,000 01/16/2022
XXE in SAML SSO Writeup - Bug Bounty Aditya Singh / rook1337 (@imrook1337) - XXE - 01/16/2022
Moodle: Blind SQL Injection (CVE-2021-36393) and Broken Access Control (CVE-2021-36397) Johannes Moritz & Robin Peraglie Moodle SQL Injection, Broken Access Control - 01/15/2022
120 Days of High Frequency Hunting Kuldeep Pandya (@kuldeepdotexe) & Sam Paredes (@caffeinevulns) - SSRF, LFI, Information disclosure, Broken Access Control, Authentication bypass, XSS, SQL injection - 01/15/2022
RCE In Adobe Acrobat Reader For Android(CVE-2021-40724) sunny (@hulkvision) Google, Adobe RCE, Path traversal, Android bug $10,000 01/14/2022
FB Lite All Users Active Status Changed Neilmark Ochea (@nmochea) Meta / Facebook Logic flaw - 01/14/2022
XSS Filter Evasion + IDOR JM Sanchez / 0xEchidonut (@jmrcsnchz) - XSS, IDOR $800 01/13/2022
Xiaomi Execute Arbitrary JavaScript Neilmark Ochea (@nmochea) Xiaomi XSS, HTML injection, Android bug - 01/13/2022
Searching for Deserialization Protection Bypasses in Microsoft Exchange (CVE-2022–21969) frycos (@frycos) Microsoft Insecure deserialization - 01/13/2022
C.S.T.I Lead To Account Takeover $$$ M7.Arman (@ArmanSecurity) - CSTI, Account takeover - 01/13/2022
Pwning the portal: from database dump to session hijacking Bitcrack - SQL injection, XSS, CSRF - 01/12/2022
How I downed acronis.com in 2 minutes — Lucky bug write up Ugroon (@veletisleri) Acronis DoS $0 (OOS) 01/11/2022
Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more Gabriel Sztejnworcel (@sztejnworcel) Microsoft RCE - 01/11/2022
Cross-Origin Resource Sharing (CORS) Misconfiguration leads to User’s PII leaks. Tarikul Islam (@sa1tama0) - CORS misconfiguration - 01/10/2022
Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle’s Shibboleth Johannes Moritz & Robin Peraglie Moodle Session hijacking, Session management flaw, Account takeover, RCE - 01/10/2022
New macOS vulnerability, “powerdir,” could lead to unauthorized user data access Microsoft 365 Defender Research Team Apple Privacy issue, MacOS bug - 01/10/2022
How did I find Log4j vulnerability via Static Code Analysis and receive €€€ bounty? Pranav Gajjar (@Pranav_Gajjar_) - Log4j, RCE - 01/10/2022
Host Header Injection Lead To Account Takeovers M7.Arman (@ArmanSecurity) - Host header injection, Password reset flaw, Account takeover - 01/09/2022
2FA bypass by reading the documentation tomorrowisnew (@tomorrowisnew_) - 2FA bypass $100 01/09/2022
A Tale Of 5250$: How I Accessed Millions Of User’s Data Including Their National ID’s Sam (@__Sam0_0) - AWS misconfiguration, Information disclosure $5,250 01/07/2022
A phishing document signed by Microsoft – part 2 Pieter Ceelen (@ptrpieter) & Dima van de Wouw (@_DaWouw) Microsoft Phishing, RCE - 01/07/2022
Exploiting Redash instances with CVE-2021-41192 Ian Carroll (@iangcarroll), Tuan Anh Nguyen (@haxor31337) & Gal Nagli (@naglinagli) - Privilege escalation, Session management flaw, SSRF $90,000+ 01/06/2022
How I was able to spoof any Instagram username on Instagram shop Nawaf Alkhaldi (@nvmeeet) Meta / Facebook IDOR $1,050+ 01/06/2022
Authorization bypass — Gmail 7𝖍3𝖍4𝖈kv157 (@7h3h4ckv157) Google Spoofing - 01/06/2022
Accessing GoDaddy internal instance through an email logic bug. Mostafa Mamdoh GoDaddy Logic flaw, Privilege escalation, Account takeover - 01/05/2022
Breaking Parser Logic: Gain Access To NGINX Plus API — Read/Write Upstreams. zoid (@z0idsec) - Path traversal - 01/05/2022
SQL Injection - The File Upload Playground Jerry Shah (@Jerry) - Unrestricted file upload, SQL injection - 01/04/2022
Facebook android webview vulnerability : Execute arbitrary javascript (xss) and load arbitrary website Rahul Kankrale (@RahulKankrale) Meta / Facebook XSS, Android bug $1,075 01/03/2022
NPM might be executing malicious code in your CI without your knowledge Rotem Bar (@rotembar) GitHub RCE - 01/03/2022
P5 to P1: Interesting Account Takeover Tushar Sharma (@tusharSharma_0) - Account takeover, Session expiration flaw, Password reset flaw $1,000 01/03/2022
IDOR leads to leak Private Details annonymous - IDOR - 01/03/2022
How i was able to bypass a Pin code Protection Kerolos sameh (@xko2xx) - Authorization flaw - 01/03/2022
Story of YouTube’s Unfixable Ads Bypass MrMax4o4 Google Logic flaw - 01/03/2022
The Story Of How I Bypass SSO Login zer0d - Authentication bypass - 01/02/2022
doorLock: Apple HomeKit Denial of Service Trevor Spiniolas Apple DoS - 01/01/2022
A tale of zero click account takeover Veshraj Ghimire (@GhimireVeshraj) - Account takeover, IDOR - 01/01/2022
Abusing Business Logic of an Application to create backdoor in a form APP Snap Sec (@snap_sec) - Logic flaw - 01/01/2022
One Click To Account Takeover M7.Arman (@ArmanSecurity) - Mass assignment - 01/01/2022

Bug bounty writeups published in 2021

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Fixing the Unfixable: Story of a Google Cloud SSRF David Schütz (@xdavidhu) Google SSRF $4,133.70 12/31/2021
Bug Hunting Journey of 2021 Sudhanshu Rajbhar (@sudhanshur705) - Stored XSS, Open redirect, Token theft, CSRF, Logic flaw, Information disclosure, IDOR, Account takeover $3,200+ 12/31/2021
My first Google HOF RV Sharma Google Broken Access Control $1,337 12/31/2021
Here’s How I Could Read Anyone’s Apple ID Metrics Remotely. Faizan Ahmad Wani Apple Information disclosure - 12/30/2021
Bypassing Identity-Aware Proxy - Google Cloud Vulnerability SebLu Google Authorization flaw, Token theft, OAuth flaw $5,000 12/30/2021
WhatsApp for Android Retains Deleted Contacts Locally Nightwatch Cybersecurity (@nightwatchcyber) Meta / Facebook Privacy issue $0 (Won’t fix) 12/30/2021
How I Am Able To Crash Anyone’s Mozilla Firefox Browser By Sending An Email Sam Mozilla DoS $0 12/30/2021
Google Cloud Shell XSS NDevTK (@ndevtk) Google XSS $5,000 12/30/2021
[IDOR] add or remove the linked publications from Author Publisher settings — Facebook Bug Bounty Rahul Kankrale (@RahulKankrale) Meta / Facebook IDOR $863 01/03/2022
Story of a weird CSRF bug Sudhanshu Rajbhar (@sudhanshur705) - CSRF - 12/29/2021
Remote Code Execution in Google Cloud Dataflow Mike Brancato (@meatballninja) Google RCE $3,333.70 12/28/2021
Full account takeover vulnerability in Minecraft Abdulrahman Makki (@AMakki1337) Minecraft Account takeover $5,000 12/28/2021
Bounty Evaluation GitHub = $15,000 US Dollars | Rate Limit Taniya Agarwal GitHub Bruteforce, Email verification bypass, Account takeover $15,000 12/28/2021
Common Nginx Misconfiguration leads to Path Traversal MikeChan - Path traversal - 12/28/2021
Bi/ug Bounties and HyperV RCE Research Peter Hlavaty (@rezer0dai) Microsoft Hyper-V RCE $100,000+ 12/27/2021
XSS via file upload Jay Sharma - XSS, Unrestricted file upload - 12/27/2021
How I Bypassed Netflix Profile Lock? Krishnadev P Melevila (@Krishnadev_P_M) Netflix Logic flaw $0 (Won’t fix) 12/27/2021
Turning bad SSRF to good SSRF: Websphere Portal Shubham Shah (@infosec_au) HCL Technologies SSRF N/A (VDP) 12/26/2021
How I Saved Christmas for Google 🎄 0xdroopy (@NikhilK50866227) Google (Waze) Dependency confusion - 12/25/2021
Massive Users Account Takeovers(Chaining Vulnerabilities to IDOR)😲 Anurag__Verma - Authentication bypass, IDOR, Lack of rate limiting - 12/25/2021
Information Disclosure leads to sensitive credential($$$) khan mamun (@mamunwhh) - Information disclosure $150 12/25/2021
How I found (and fixed) a vulnerability in Python Adam Goldschmidt (@AdamGolds) Python Web cache poisoning - 12/24/2021
Cache Poisoning at Scale Youstin (@iustinBB) - Web cache poisoning $40,000 12/23/2021
MS Teams: 1 feature, 4 vulnerabilities Fabian Bräunlein Microsoft SSRF, Information disclosure, DoS, Spoofing $0 (Won’t fix) 12/22/2021
How I was able to bypass WAF and find the origin IP and a few sensitive files Jan Muhammad Zaidi (@hasanakajan) - WAF bypass - 12/22/2021
Sandbox escape + privilege escalation in StorePrivilegedTaskService Sector 7 (@sector7_nl) Apple Local Privilege Escalation, MacOS bug - 12/21/2021
NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories Wiz (@wiz_io) Microsoft Security misconfiguration, .git folder disclosure $7,500 12/21/2021
How I found (P2) Broken Authentication with Zero Skill of Hacking yoshi m lutfi (@yoshiahmadlutfi) - Authentication bypass, Account takeover - 12/21/2021
SSD Advisory – Rocket.Chat Client-side Remote Code Execution - RocketChat RCE, MacOS bug N/A (VDP) 12/21/2021
How I earned $$$ by bypassing 2FA Mohamed Taha (@Mohamed12742780) - 2FA bypass, Forced browsing - 12/21/2021 Alternative link
Bring Your Own SSRF – The Gateway Actuator Wyatt Dahlenburg (@wdahlenb) - SSRF, DoS - 12/20/2021
Blackbox Cookie Testing — How I Cracked The Admin’s Cookie Saeed Balquizi - Authentication bypass - 12/20/2021
RCE in Visual Studio Code’s Remote WSL for Fun and Negative Profit Parsia Hackerman (@cryptogangsta) Microsoft RCE $0 (OOS) 12/20/2021
How I was able to reveal page admin of almost any page on Facebook Sudip Shah Meta / Facebook IDOR $4,500 12/20/2021
Stored XSS by bypassing signature Abdulrahman Makki (@AMakki1337) - XSS, Unrestricted file upload $3,500 12/20/2021
Flickr Account Takeover Lauritz (@lauritz) Flickr Account takeover, Authentication flaw $7,550 12/18/2021
Hacked Google-Meet…??! 7𝖍3𝖍4𝖈kv157 (@7h3h4ckv157) Google Authorization flaw - 12/18/2021
Exploitation Of CVE-2021-21220 – From Incorrect JIT Behavior To RCE Bruno Keith (@bkth_) & Niklas Baumstark(@_niklasb) Google, Microsoft Browser bug, Memory corruption, RCE $100,000 12/16/2021
Broken Access Control Meareg Microsoft IDOR - 12/16/2021
GHSL-2021-1053: Path traversal in Grafana REST API - CVE-2021-43813, CVE-2021-43815 Alvaro Muñoz (@pwntester) Grafana Labs Path traversal - 12/15/2021
Gumtree – leaking your data and not really listening Alan Monie (@AlanMonie) Gumtree IDOR - 12/15/2021
How I found the Authentication Bypass bug and Earn $$$ Thedarkwayg (@shadow_CLAY) - Session expiration issue $1,000 12/15/2021
Bypassing the macOS Gatekeeper Ron Masas (@RonMasas) Apple Local Privilege Escalation, Gatekeeper bypass - 12/15/2021
How I found XSS vulnerability in Amazon in 5 minutes using shodan Mohamed Taha (@Mohamed12742780) Amazon XSS - 12/15/2021 Alternative link
How I Bypassed Incapsula WAF By Imperva Dawood Ikhlaq - SQL injection - 12/14/2021
Zero Click To Account Takeover M7.Arman (@ArmanSecurity) - Account takeover, Password reset flaw - 12/14/2021
SVG based Stored XSS xaonan44 - Stored XSS - 12/12/2021
A story about a not-so-direct SSRF Preetham Bomma (@cyber01_) - SSRF - 12/12/2021
Open Redirection - QR Code Magic Jerry Shah (@Jerry) - Open redirect $0 (Duplicate) 12/11/2021
Remote Deserialization Bug in Microsoft’s RDP Client through Smart Card Extension (CVE-2021-38666) Valentino Ricotta Microsoft Memory corruption bug $5,000 12/10/2021
Remote ASLR Leak in Microsoft’s RDP Client through Printer Cache Registry (CVE-2021-38665) Valentino Ricotta Microsoft Memory corruption bug $1,000 12/10/2021
ProtoBuffer ReUtilization “New Way to Security Test GoogleCaptcha” ChooK Rapid7 Captcha bypass N/A (VDP) 12/10/2021
Don’t Reply: A Clever Phishing Method In Apple’s Mail App Jon Bottarini (@jon_bottarini) Apple Phishing $5,000 12/09/2021
A phishing document signed by Microsoft – part 1 Pieter Ceelen (@ptrpieter) & Dima van de Wouw Microsoft Phishing, RCE - 12/09/2021
File Upload to RCE Ahmed Magdy (@8Ahmed88Magdy8) - Unrestricted file upload - 12/09/2021
Exploiting S3 bucket with path folder to Access PII info of A BANK Santosh Kumar Sha (@killmongar1996) - AWS misconfiguration, Information disclosure - 12/09/2021
From Finding AWS S3 Bucket to Sensitive Data Exposure Demon (@R29k_) - AWS misconfiguration - 12/09/2021
Account Takeover via Stored XSS Demon (@R29k_) - Account takeover, Stored XSS $1,000 12/09/2021
CVE-2021-43798 - Path Traversal Vulnerability In Grafana & How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs Jordy Versmissen / J0VSEC (@j0v0x0) Grafana Labs Path traversal - 12/08/2021
Another Admin panel Rizwan_siddiqui (@Rizwan_SiDdiqu1) - HTTP response manipulation, Authentication bypass - 12/08/2021
Microsoft Vancouver leaking website credentials via overlooked DS_STORE file CyberNews Team Microsoft Information disclosure - 12/08/2021
Windows 10 RCE: The exploit is in the link Fabian Bräunlein & Lukas Euler Microsoft RCE $5,000 12/07/2021
How I was able to change Reddit acquired Dubsmash’s music library sound tracks’ titles Sandeep Hodkasia (@sandeephodkasia) Reddit IDOR $3,000 12/07/2021
Hacking into Admin Panel of U.S Federal government system C.A.R.S — without credentials. Hazem Brini (@ImJungsuu) U.S. General Services Administration Client-side enforcement of server-side security, Privilege escalation N/A (VDP) 12/07/2021
Microsoft Azure Portal – CSV Injection Christian Becker (@0xchrisb) Microsoft CSV injection - 12/06/2021
SSRF vulnerability in AppSheet - Google VRP David Nechuta (@david_nechuta) Google SSRF $6,267.4 12/05/2021
Accidental IDOR in eLearnSecurity to Knowing Your Address and Cert You Bought. Anugrah SR (@cyph3r_asr) INE IDOR N/A (VDP) 12/05/2021
This is how i was able to See and Delete your Private Facebook Portal photos Abhishek Pathak (@pathleax) Meta / Facebook IDOR - 12/04/2021
How I managed to hack User accounts of a billion-dollar sport platform Vishnuraj - OTP bypass, Bruteforce, Lack of rate limiting - 12/04/2021
My mindset while hunting on Yandex and my SSRF Momen Ali (Cyber Guy) (@theCyberGuy0) Yandex SSRF - 12/04/2021
How I accessed the Sensitive document which I had already deleted Pawan Chhabria (@heybenchmarkkk) - Privacy issue - 12/04/2021
Write Up – XSS Stored In files.slack.com Via XML/SVG File (iOS) – $1,000 USD Omar Espino (@omespino) Slack XSS $1,000 12/03/2021
Disclose Ad Accounts linked with Instagram Accounts Naveen (@NaveenHax) Meta / Facebook Information disclosure, Logic flaw, GraphQL bug $1,500 12/02/2021
Bypassing Box’s Time-based One-Time Password MFA Tal Peleg Box OTP bypass, MFA bypass - 12/02/2021
AWS SageMaker Jupyter Notebook Instance Takeover Gafnit Amiga (@gafnitav) Amazon Self XSS, CSRF, RCE - 12/02/2021
Exploring Container Security: A Storage Vulnerability Deep Dive Fabricio Voznika & Mark Wolters Kubernetes Race condition, Kubernetes bug - 12/02/2021
Easy SQLi in Amazon subsidiary using Sqlmap Mostafa Mamdoh Amazon SQL injection $1,500 12/01/2021
This shouldn’t have happened: A vulnerability postmortem Tavis Ormandy (@taviso) Mozilla Memory corruption bug - 12/01/2021
AUDI, partner! vict0ni (@vict0ni) Audi Subdomain takeover, Information disclosure N/A (VDP) 12/01/2021
How i was able to bypass Cloudflare WAF for SQLi payload Momen Ali (Cyber Guy) (@theCyberGuy0) - SQL injection, WAF bypass - 12/01/2021
P1 _Bug in Apple that phase “old is Gold” Saurabh Sankhwar (@mr_encryption) Apple Logic flaw $0 (Informative) 12/01/2021
Microsoft Teams – CSV Injection Christian Becker (@0xchrisb) Microsoft CSV injection - 12/01/2021
VMware vCenter earlier versions (7.0.2.00100) has unauthorized arbitrary file read + ssrf + xss vulnerability Khoa Dinh (@_l0gg) VMware LFI, SSRF, XSS, Arbitrary file read - 11/30/2021
My write-up in hacking IBM’s administration panel and getting SQLi on it Momen Ali (Cyber Guy) (@theCyberGuy0) IBM SQL injection, Broken Access Control - 11/30/2021
NodeBB 1.18.4 - Remote Code Execution With One Shot Sonar (@SonarSource) NodeBB RCE, XSS, Authentication bypass, Arbitrary file read $1,536 11/30/2021
This Microsoft Windows RCE Vulnerability Gives an Attacker Complete Control Malcolm Stagg (@malcolmst) Windows Memory corruption bug - 11/30/2021
Play The Opera Please Dhiraj (@RandomDhiraj) Opera Browser bug - 11/29/2021
Price Manipulation Bypass Using Integer Overflow Method Marx Chryz - Payment tampering, Memory corruption bug - 11/29/2021
How I got my first bounty on financial sector gateway site by using Previous GraphQL vulnerabilities. Night Hawk - Information disclosure, GraphQL bug $2,500 11/26/2021
SSD Advisory – Chrome Ad Heavy Bypass (via history.back()) Alesandro Ortiz (@AlesandroOrtizR) Chrome Browser bug - 11/26/2021
WordPress Plugin Confusion: How an update can get you pwned & Wordpress Plugin Update Confusion - The full guide how to scan and mitigate the next big Supply Chain Attack Kamil Vavra (@vavkamil) & Gal Nagli (@naglinagli) - Supply chain attack, WordPress plugin confusion, WordPress theme confusion - 11/25/2021
RocketChat - Monitor User Messages Rojan Rijal (@uraniumhacker) RocketChat Authorization flaw N/A (VDP) 11/25/2021
How I Found My First XSS Bug Thedarkwayg (@shadow_CLAY) Atlassian XSS $600 11/25/2021
Unauthenticated Sensitive Information Disclosure at [REDACTED] Rizaldi Wahaz (@wah_haz) - Old components with known vulnerabilities, Information disclosure - 11/25/2021
Account Takeover in $Million Company? 0xGodson (@0xGodson_) Fastmail Account takeover, Password reset flaw $0 (Informative) 11/24/2021
Finding XSS on .apple.com and building a proof of concept to leak your PII information Zseano (@zseano) Apple XSS - 11/23/2021 Alternative link
Moodle Blind SQL injection via MNet authentication rekter0 (@rekter0) Moodle SQL injection - 11/23/2021
A business logic error bug worth 600$ Deep Patidar (@itsdeepceh) - Payment tampering $600 11/23/2021
GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks Romain Carnus, Maxime Nadeau, Julien Pineault & Mathieu Novis Microsoft Local Privilege Escalation - 11/22/2021
[BugBounty] XSS with Markdown — Exploit & Fix on OpenSource Lê Thành Phúc - XSS - 11/22/2021
Peeping through a Web-Socket Aditya Verma (@0cirius0) - Cross-Site Websocket Hijacking (CSWH) - 11/21/2021
Hacking Apple Security Report System HackrzVijay (@hackrzvijay) Apple Logic flaw, Social engineering $0 (OOS) 11/20/2021
Exploiting OAuth: Journey to Account Takeover Aditya Dixit (@zombie007o) - Account takeover, OAuth flaw, XSS, Weak CSP, CSRF - 11/19/2021
How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud Valeriy Shevchenko (@Krevetk0Valeriy) Atlassian Information disclosure, Authentication flaw $15,000 11/19/2021
A Story of an Epic Blind Remote Code Execution(RCE) Akash Solanki (@MAALP1225) - RCE, OS command injection - 11/18/2021
A common defect in java system-Memory DoS (include CVE-2021-2344, CVE-2021-2371, CVE-2021-2376, CVE-2021-2378) threedr3am (@threedr3am1) Oracle DoS - 11/18/2021
URL whitelist bypass in https://cxl-services.appspot.com & Reacting to myself finding an SSRF vulnerability in Google Cloud David Schütz (@xdavidhu) Google Privilege escalation, URL validation bypass, SSRF $10,401.1 11/17/2021
CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory Karl Fosaaen (@kfosaaen) Microsoft Information disclosure - 11/17/2021
Write Up – Apple N/A: PII Information, Full Contact List, Main Phone No. And Main Icloud Email Extracted; Bug Patched: Arbitrary Local File Read Via Zip File And Symlinks On Ios Files App. Omar Espino (@omespino) Apple Arbitrary file read $0 11/17/2021
The tale of CVE-2021–34479 (VSCode XSS) Daniel Santos (@bananabr) Microsoft XSS, CSP bypass - 11/17/2021
Keybase App Vulnerability: Incomplete Cleanup of Messages In Keybase for Android/iOS, CVE-2021-34421 Olivia O’Hara (@oliviaohara), Jackson Henry (@JacksonHHax), John Jackson (@johnjhacking) & Robert Willis (@rej_ex) Keybase Information disclosure - 11/17/2021
Diving into Open-source LMS Codebases Poh Jia Hao (@Chocologicall) Moodle, Chamilo LMS Insecure file upload, Insecure deserialization, RCE, CSRF, SQL injection, Reflected XSS - 11/16/2021
DOS attack in Yahoo, How i was able to deny new users from service? Mostafa Mamdoh Yahoo DoS, Logic flaw $1,000 11/16/2021
Full account takeover through referral code. Mostafa Mamdoh Shipt Authentication flaw, Account takeover $700 11/16/2021
How I Found P1 bug Due to Sensitive data exposure And Earn $$$ Piyush shukla (@PiyushShukla__) - Information disclosure - 11/15/2021
Broken Link Hijacking — 404 Google Play Store— xxx$ Bounty Proviesec (@proviesec) - Broken link hijacking - 11/14/2021
Exploiting CSP in Webkit to Break Authentication & Authorization Sachin Thakuri (@sachinnthakuri) & Prakash (@1lastBr3ath) Apple Information disclosure, CSP leak, Account takeover $100,000+ 11/13/2021
Impact of an Insecure Deep Link Yashar Shahinzadeh (@YShahinzadeh) & Аli Dinifаr (@binb4sh) CafeBazaar Insecure deep link - 11/13/2021
Never leave this tip while you hunting Broken Access Control secureITmania (@secureitmania) - Broken Access Control - 11/13/2021
How I got $200 in 30 Seconds. Yash__ HackZ (@HackzYash) - Information disclosure $200 11/12/2021
chaining improper authentication to idor and no rate limit for mass account takeover mohit (@mohit29295572) - Account takeover, Lack of rate limiting, CSRF, IDOR - 11/12/2021
From URL dumps digging to IDOR , BAC, Massive Phishing in Udemy Mostafa Mamdoh Udemy Broken access control, Information disclosure, IDOR, HTML injection $1,300 11/12/2021
Simple SSRF Allows Access To Internal Assets Sam Paredes (@caffeinevulns) - SSRF - 11/11/2021
Write Up – Google VRP Bug Bounty: /etc/environment Local Variables Exfiltrated On Linux Google Earth Pro Desktop App – $1,337 USD Omar Espino (@omespino) Google XSS $1,337 11/11/2021
Unrestricted File Upload Leads to SSRF and RCE Muhammad Adel (@ItsFadinG_) - ImageTragick, Unrestricted file upload, SSRF, RCE - 11/11/2021
Fuzzing Microsoft’s RDP Client using Virtual Channels: Overview & Methodology Valentino Ricotta Microsoft Memory corruption bug $6,000 11/10/2021
ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough Nir Ohfeld (@nirohfeld) & Sagi Tzadik (@sagitz_) Microsoft Cross-tenant vulnerability, Account takeover, Privilege escalation $40,000 11/10/2021
Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond Daniel Thatcher - HTTP Header Smuggling, HTTP Request Smuggling - 11/10/2021
400$ Bounty again using Google Dorks Haris M (@hrsm321) - Directory listing, Information disclosure $400 11/09/2021
Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over Cam (@secretlyhidden1) Google IDOR - 11/09/2021
Bypass Chrome Ad-Heavy detection mechanism 0x0021h (@0x0021h) Google Browser bug - 11/09/2021
How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes Mahmoud Youssef (@0xmahmoudjo0) - SQL injection - 11/07/2021
SONY Hunting I: Discovering Hidden Parameters (5x SWAG) can1337 (@canmustdie) Sony Open redirect N/A (VDP) 11/07/2021
Insufficient Redirect URI validation: The risk of allowing to dynamically add arbitrary query parameters and fragments to the redirect_uri Lauritz (@lauritz) GitHub, Microsoft, StackExchange OAuth flaw, Prototype pollution - 11/06/2021
4 Crits in 48 hours: Unicorn Programs Monke (@pmofcats) - Privilege escalation, Information disclosure, IDOR - 11/06/2021
Bypass video capture limit on Ray-Ban Stories Philippe Harewood (@phwd) Meta / Facebook Logic flaw, Android bug $1,500 11/05/2021
Unauthenticated Access To Cloud Portal — A 🚪 Without 🗝️ Yukesh Kumar (@3th1c_yuk1) - Authentication bypass - 11/05/2021
HacktoberFest2k21 vulnerability: How users metadata can be changed via Auth JWT tokens leaking from waybackurls Anurag__Verma DigitalOcean IDOR N/A (VDP) 11/04/2021
Fiverr email restriction bypassed | Bounty 100$ Maruf Hosan Fiverr Logic flaw $100 11/04/2021
A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions Perception Point (@PerceptionPo1nt) Apple Local Privilege Escalation, MacOS bug - 11/03/2021
How i made 500$ with XSS Nassim Chami (@nvccim) - XSS, Account takeover $500 11/01/2021
Never Give Up — Story of Hacking Dutch Government and Earning that Dutch Swag. BabaBounty (@Rohan96867358) Dutch Government IDOR N/A (VDP) 10/31/2021
This is how i was able to Permanently Crash all Mapillary users within minutes Abhishek Pathak (@pathleax) Meta / Facebook Application-level DoS - 10/31/2021
How I found Command Injection via Obsolete PHPThumb Sushant Kamble - OS command injection - 10/30/2021
How I was able to access a properly Configured S3 Bucket Pawan Chhabria (@heybenchmarkkk) - Leaked AWS keys, Information disclosure - 10/28/2021
Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection Microsoft Security Vulnerability Research (MSVR) Apple SIP bypass, Local Privilege Escalation - 10/28/2021
Write Up – XSS Stored In api.media.atlassian.com Via Doc File (iOS) Omar Espino (@omespino) Atlassian Stored XSS - 10/28/2021
A journey from XML External Entity (XXE) to NTLM hashes! Shubham Chaskar (@chaskar_shubham) - XXE - 10/28/2021
Apple XAR – Arbitrary File Write (CVE-2021-30833) Richard Warren (@buffaloverflow) Apple Arbitrary file write - 10/28/2021
Unauthenticated Cache Purge Priyansh Bansal (@PriyanshB25) Lenovo Unauthenticated cache purge N/A (VDP) 10/28/2021
Unauthorized access to any user’s account. vikram naidu (@ImVikram7msd) - IDOR, Authentication bypass, Account takeover - 10/28/2021
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD Sonar (@SonarSource) GoCD Broken authentication, Authentication flaw N/A (VDP) 10/27/2021
Easy SSRF from Wayback Machine Khaled Mohamed (@0xElkomy) - SSRF - 10/27/2021
Use-After-Free in Voice Control: CVE-2021-30902 Write-up 08Tc3wBB (@08Tc3wBB) Apple Memory corruption bug - 10/27/2021
An Effective 5 min recon leads to a Hall of Fame Renganathan (@IamRenganathan) - Information disclosure - 10/26/2021
A 7500$ Google sites IDOR Jalal (@r0ckin_) Google IDOR $7,500 10/24/2021
Account Takeover via improper input validation Gaurav Narwani (@gauravnarwani97) & Verneet (@err0rrrrr) - OAuth flaw, Token theft, Account takeover - 10/24/2021
How I was able to revoke your Instagram 2FA Dhiyaneshwaran (@DhiyaneshDK) Facebook (Instagram) Bruteforce, Rate-limiting bypass $5,000 10/23/2021
Google Chrome Vulnerability Worth for $6K: Use After Free (CVE-2021-30573) Security For Everyone / S4E Team (@secforeveryone) Google Memory corruption bug $6,000 10/23/2021
Discourse SNS webhook RCE joernchen (@joernchen) Discourse RCE - 10/23/2021
Tagged User Could Delete Facebook Story Mark Rhoy (@mrkrhy_xyz) Meta / Facebook Logic flaw, Android app bug, Authorization flaw - 10/23/2021
How i Got 3 SQL injection in just 10 minutes. Ahmed Fatouh (@XDev05) - SQL injection - 10/23/2021
A story of another awesome old school hacking that lead to a cool P1 bug Vuk Ivanovic - 403 bypass - 10/22/2021
Moodle - Stored XSS and blind SSRF possible via feedback answer text rekter0 (@rekter0) & Holme (@holme_sec) Moodle Stored XSS, SSRF - 10/22/2021
All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021-38646) Eugene Lim (@spaceraccoonsec) Apache OpenOffice RCE, Memory corruption bug - 10/22/2021
Unauthorized access to any Facebook user’s draft profile picture frames Sandeep Hodkasia (@sandeephodkasia) Meta / Facebook IDOR - 10/22/2021
CVE-2021-2471 MySQL JDBC XXE - Oracle (MySQL) XXE - 10/21/2021
From staging to 0 click account takeover mohamad mahmoudi (@dPhoeniixx) Pinterest Account takeover, Logic flaw - 10/19/2021
Exploiting Request forgery on Mobile Applications. Sayed Abdelhafiz (@dPhoeniixx) Pinterest CSRF, Account takeover, Android app bug, iOS app bug - 10/19/2021
A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection Marc Olivier Bergeron Amazon SQL injection, WAF bypass - 10/19/2021
Shells And SOAP: Websphere Deserialization To RCE Wyatt Dahlenburg (@wdahlenb) IBM RCE, Insecure deserialization - 10/18/2021
The Speckle Umbrella story — part 2 Imre Rad (@ImreRad) Google Information disclosure, Logic flaw - 10/18/2021
How I Escalated a Time-Based SQL Injection to RCE JM Sanchez / 0xEchidonut (@jmrcsnchz) Sony SQL injection, RCE - 10/17/2021
Business Logic Errors - A Logic Destruction Jerry Shah (@Jerry) - Logic flaw - 10/17/2021
Exploitation of file’s download parameters to create potential risk of malware delivery: $200 bug! Muhammad Aamir (@Muhammad__Aamir) - CSRF, RCE $200 10/17/2021
Remote code execution in Managed Anthos Service Mesh control plane Anthony Weems Google RCE $6,000 10/15/2021
Write Up – Google VRP N/A: Arbitrary Local File Read (Macos) Via <a> Tag And Null Byte (%00) In Google Earth Pro Desktop App Omar Espino (@omespino) Google Local File Read $0 (Won’t fix) 10/14/2021
500$ Bug: Sensitive Data Exposure to Broken Access Control leads, How I able to take over any account of India’s Biggest College Ever.👨‍💻 Gowtham_Naidu (@NaiduPonnana) - OTP bypass, Account takeover, Password reset flaw $500 10/13/2021
Abusing Slack’s file-sharing functionality to de-anonymise fellow workspace members Julien Cretel (@jub0bs) Slack XSLeaks $0 (Won’t fix) 10/12/2021
ESET Endpoint Security credentials theft Mehdi Alouache ESET Credentials sent over unencrypted channel $0 (Informative) 10/12/2021
Bypassing required reviews using GitHub Actions Omer Gil (@omer_gil) GitHub Privilege escalation, Logic flaw - 10/12/2021
Hacking YouTube With MP4 KeyboardWarrior (@Keyb0ardWarr10r) Google Logic flaw, DoS $0 (Informative) 10/11/2021
Exploiting HTML-to-PDF Converters through HTML Imports Mohammed Diaa (@mhmdiaa) - XSS, LFI - 10/10/2021
How I Hacked Billion Android Users Social And 3rd Party Account | A Story About 5000$ Bug Karthikeyan (@Karthithehacker) Google Android bug $5,000 10/10/2021
How I got $500 with Open redirect khan mamun (@mamunwhh) - Open redirect $500 10/10/2021
Stumbling across a DOM XSS on google.com tkiela (@svennergr) Google DOM XSS - 10/10/2021
Account Takeover — Story of 2 same issues in a single program but different sub-domains. Himanshu Pdy (@himanshu_pdy_01) - Account takeover - 10/10/2021
Auth Bypass in Google Assistant David Schütz (@xdavidhu) Google Insecure deeplink $8,133.70 07/10/2021
Power of Your Own Wordlist — Fuzz for Log File Leads to Information Leakage MikeChan - Information disclosure - 10/09/2021
Request Smuggling In Major Crypto Site — road to disappointment CeloIme Prezime - HTTP Request Smuggling $0 10/09/2021
Accessing Apple’s internal UAT Slackbot for fun and non-profit Shail Patel (@shail_official) & Ashish Kunwar (@D0rkerDevil) Apple Authorization flaw $0 10/07/2021
CVE-2021-26420: Remote Code Execution In Sharepoint Via Workflow Compilation - Microsoft RCE - 10/06/2021
Hacking Netflix Eureka! Maxim Tyukov (@maxtyukov) Netflix SSRF, XSS - 10/06/2021
CSRF to one tray Red-bull Mohammed Saneem Redbull CSRF N/A (VDP) 10/06/2021
[EN] Stored XSS in the administrator’s panel due to misuse of MarkupSafe Aethlios (@AethliosIK) pass Culture Stored XSS - 10/06/2021
How I got access to many PIIs through a source code leak Supras (@LdrTom) - Information disclosure - 10/05/2021
CVE-2021-26084 snowyyowl (@bennyyjacob) Atlassian RCE - 10/05/2021
Bypassing 403 Protection To Get Pagespeed Admin Access Prajit Sindhkar (@PrajitSindhkar) - 403 bypass $200 10/04/2021
$600 for IDOR (File or Folder Download) Inderjeet Singh - encodedguy (@3nc0d3dGuY) - IDOR $600 10/03/2021
A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection Rishu Ranjan (@tweetit_rrj) Apple HTML injection, Dangling Markup Injection - 10/03/2021
Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit) Vanshal Gaur (@VanshalG) - SSRF - 10/02/2021
The Discovery Of Gatekeeper Bypass CVE-2021-1810 & Analysis Of CVE-2021-1810 Gatekeeper Bypass Rasmus Sten (@pajp) Apple Logic flaw - 10/01/2021
Ping’ing XMLSec tint0 (@_tint0) Ping, Netflix, Paypal XSLT, XXE - 09/30/2021
Expect The Unexpected: Discovering fresh ZeroDay for Bounty SinSin (@sin_khe) - Logic flaw, Information disclosure - 09/30/2021
How I found bug on Google Cloud Anuragbhoir11 Google OTP bypass - 09/30/2021
Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts Youssef Sammouda (@samm0uda) Meta / Facebook Account takeover, Android app bug $10,000 09/29/2021
Force Browsing bug at Facebook business plan ($500 Bounty) Dewanand Vishal (@dewcode91) Meta / Facebook Authorization flaw, Forced browsing $500 09/29/2021
Telegram users’ privacy has been violated again. Messenger representatives demand not to disclose details ne555 Telegram Privacy issue - 09/29/2021
“A tale of making internet pollution free” - Exploiting Client-Side Prototype Pollution in the wild Sergey Bobrov (@black2fan), Mohan Sri Rama Krishna P (@s1r1u5_), Terjanq (@terjanq), Beomjin Lee (@po6ix), Masato Kinugawa (@kinugawamasato), Nikita Stupin (@_nikitastupin), Rahul Maini (@iamnoooob), Harsh Jaiswal (@rootxharsh), Mikhail Egorov (@0ang3el), Melar Dev (@melardev) Apple, Atlassian, Mozilla, HubSpot, Segment Analytics & others Prototype pollution, XSS $12,600+ 09/28/2021
Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS) Bobby Rauch / Bobbyr Apple Stored XSS - 09/28/2021
DeepSurface Security Advisory: LPE in Firefox on Windows Robert Chen Mozilla Local Privilege Escalation $0 (Won’t fix) 09/28/2021
Bypass of biometrics & password security functionality for Android Dheeraj Madhukar (@Dheerajmadhukar) CoinDCX Authentication bypass, Android app bug - 09/27/2021
CVE-2021-39246 – Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack excessive verbose logging – Windows, macOS, Linux sickcodes (@sickcodes) Tor Verbose logging $0 (Informative) 09/27/2021
Improper phone number validation to account takeover shesha sai_c (@Cyb3r_4ss4s1n) - Logic flaw, OTP bypass, Account takeover - 09/27/2021
Attack Surface Analysis - Part 3 - Resurrected Code Execution Parsia Hackerman (@cryptogangsta) - RCE - 09/26/2021
Telegram bug in terminated sessions Hackintosh5 Telegram Session expiration issue - 09/24/2021
Remote Command Execution in Visual Studio Code Remote Development Extension Abdel Adim smaury Oisfi (@smaury92) Microsoft RCE - 09/24/2021
Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program Denis Tokarev / illusionofchaos Apple Information disclosure, Local Privilege Escalation, Privacy issue - 09/24/2021
$8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser Renwa (@RenwaX23) Opera XSS, RCE $8,000 09/24/2021
Bug-Bounty | FASTMAIL [pobox.com : account takeover] Mohammed ELdawody Fastmail Account takeover, Password reset flaw - 09/24/2021
Bug-Bounty | FASTMAIL [topicbox.com: Privileges Escalation > Organization Takeover] Mohammed ELdawody Fastmail Privilege escalation, Logic flaw - 09/24/2021
Facebook Messenger for MacOS contained valid hardcoded FB access token (employee’s token?) Dzmitry Lukyanenka (@vulnano) - Hardcoded token $625 09/23/2021
Pwn2Own 2021: Parallels Desktop Guest To Host Escape Benjamin McBride (@bdmcbri) Parallels VM escape - 09/23/2021
Super Admin panel without Credentials 😎 Rizwan_siddiqui (@Rizwan_SiDdiqu1) - Authentication bypass N/A (VDP) 09/22/2021
Autodiscovering the Great Leak Amit Serper (@0xAmit) Microsoft Domain name collision - 09/22/2021
mXSS in support.mozilla.org Guilherme Keerok (@k33r0k) & Luan Herrera (@lbherrera_) Mozilla XSS $0 (OOS) 09/22/2021
A fever Worth 750$- [Accessing Private Projects ] Shakti Mohanty (@3ncryptSaan) Mozilla IDOR, Information disclosure $750 09/22/2021
Cookie Stealing via Clickjacking using Burp collaborator Anurag__Verma - Clickjacking - 09/22/2021
RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through Markus Wulftange (@mwulftange) Citrix Systems RCE, Path traversal - 09/21/2021
Mama Always Told Me Not to Trust Strangers without Certificates Adam (@AdamOfDc949) Netgear MiTM, RCE - 09/21/2021
5 RCEs in npm for $15,000 Robert Chen (@NotDeGhost) & Philip - RCE $15,000 09/20/2021
Unlimited report user in Instagram (Facebook) leads to abuse risk. Mano Prasanth Meta / Facebook Lack of rate limiting $0 (Informative) 09/20/2021
Vertical Privilege escalation Saddam Hussain (@wisdomfreak1) - Privilege escalation - 09/19/2021
Chaining bugs for better bounties Manas Harsh (@ManasH4rsh) - SSRF, XSS, Information disclosure $600 09/19/2021
Admin access !! th3.d1p4k (@DipakPanchal05) - Privilege escalation, Broken Access Control - 09/19/2021
A small change, and things go in your hand : Story of a $250 bounty Fardeen Ahmed (@fardeenahmed411) - Information disclosure $250 09/18/2021
From phpinfo page to many P1 bugs and RCE. [Symfony] Abdelrahman Khaled - File disclosure, Information disclosure, RCE - 09/18/2021
From Google Dorking to Information Disclosure MikeChan - Information disclosure, Lack of authentication N/A (VDP) 09/18/2021
All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035) Eugene Lim (@spaceraccoonsec) Apache OpenOffice RCE, Memory corruption bug - 09/17/2021
How to have free Internet WIFI on United Airlines flights Philippe Delteil (@PhilippeDelteil) United Airlines Payment tampering, Logic flaw - 09/17/2021
A Small Tale of Account Takeover … Saugat Pokharel (@saugatpk5) - IDOR, Account takeover - 09/16/2021
Weaponizing Reflected XSS to Account Takeover Hassan Shahid (@pwnsauc3) - XSS, Account takeover - 09/16/2021
How I was able to find 100+ XSS in United nations Bug Bounty Program mrpentestguy (@MR_iambatman) United Nations XSS N/A (VDP) 09/16/2021
This is why you shouldn’t trust your Federated Identity Provider Soufiane Habti (@wld_basha) - OAuth flaw, Account takeover, Authentication bypass $1,500 09/15/2021
A Facebook bug that exposes email/phone number to your friends Saugat Pokharel (@saugatpk5) Meta / Facebook Information disclosure, Logic flaw $19,250 09/15/2021
How I Was Able To Send SMS From Google To Anyone | $$$ Google Vulnerability: Raidh Ĥere (@asterfiest) Google Content spoofing - 09/15/2021
How I hacked worldwide Tiktok users s3c (@s3c_krd) TikTok IDOR $7,500 09/15/2021 Archived page
Microsoft Azure Portal – Persistent Cross-Site Scripting Christian Becker (@0xchrisb) & Sven Schlüter (@secsven) Microsoft Stored XSS - 09/15/2021
10 golden minutes for taking over a Chess.com account Seqrity (@seqrity9) Chess.com Lack of rate limiting, Bruteforce, Session expiration issue $400 09/14/2021
Hacking CloudKit - How I accidentally deleted your Apple Shortcuts Frans Rosén (@fransrosen) Apple Logic flaw(s) $64,000 09/13/2021
Escalating Azure Privileges with the Log Analytics Contributor Role Karl Fosaaen (@kfosaaen) Microsoft Logic flaw(s) - 09/13/2021
$3133.70 Google Dialogflow IDOR Vulnerability Raidh Ĥere (@asterfiest) Google IDOR $3,133.70 09/12/2021
$5000 Google IDOR Vulnerability Writeup Raidh Ĥere (@asterfiest) Google IDOR $5,000 09/11/2021
How I found my first AEM related bug. Vedant Tekale (@_justYnot) - LFR - 09/11/2021
Bypassing GCP Org Policy with Custom Metadata & GCP AI Notebooks Vulnerability - Remediation Kat Traxler (@NightmareJS) Google Authorization flaw $1,337 09/10/2021
How I Was Able to delete any facebook story where am I mentioned or tagged Sank Dahal (@sank68034756) Meta / Facebook Logic flaw $1,000 09/10/2021
Mistuned Part 1: Client-side XSS to Calculator and More, Mistuned Part 2: Butterfly Effect & Part 3 Sank Dahal (@sank68034756) Apple XSS, Memory corruption bug, iOS bug - 09/10/2021
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances Unit 42 (@Unit42_Intel) Microsoft Container takeover, Container escape, Privilege escalation - 09/09/2021
Change home directory and bypass TCC aka CVE-2020-27937 Wojciech Reguła (@_r3ggi) Apple Privacy issue, MacOS bug - 09/09/2021
GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink Justin Steven (@justinsteven) GitHub Logic flaw, Information disclosure - 09/08/2021
Spook.js: Attacking Google Chrome’s Strict Site Isolation via Speculative Execution and Type Confusion Ayush Agarwal, Sioli O’Connell, Jason Kim, Shaked Yehezke, Daniel Genkin, Eyal Ronen & Yuval Yarom Google Browser bug, Side-channel attack, Site Isolation bypass - 09/08/2021
Account Takeover via XSS in e-signature feature worth 2500$ Gökhan Güzelkokar (@gkhck_) - XSS, Account takeover $2,500 09/08/2021
Facebook email disclosure and account takeover Rikesh Baniya / NotRickyy (@rikeshbaniya) Meta / Facebook Information disclosure, Account takeover - 09/08/2021
Bug Bounty Guest Post: Local File Read via Stored XSS in The Opera Browser Renwa (@RenwaX23) Opera Stored XSS, Local File Read $4,000 09/08/2021
Accessing Grofers Grafana Instance Using Shodan Lohith Gowda M (@lohigowda_in) Grofers Weak credentials $25,000 09/08/2021
5 Different Vulnerabilities in Google’s Threadit Thomas Orlita (@ThomasOrlita) Google DOM XSS, Clickjacking, Privilege escalation, Information disclosure - 09/07/2021
SSRF in PDF export with PhantomJs أنس روبي (@xhzeem) - SSRF, XSS, LFI - 09/07/2021
Full structure takeover to many brands of company Abdelrahman Khaled - Directory listing, Information disclosure - 09/06/2021
SSD Advisory – NETGEAR D7000 Authentication Bypass - Netgear Authentication bypass - 09/06/2021
2 CSRF 1 IDOR on Google Marketing Platform apapedulimu / Nosa Shandy (@LocalHost31337) Google IDOR, CSRF $3,633.70 09/06/2021
How I can take over any user’s account with their mobile number Sushmitha Katikitala - Account takeover, OTP bypass, Authentication bypass - 09/06/2021
Burp Suite RCE Wfox PortSwigger RCE, Browser bug - 09/06/2021
Eye for an eye: Unusual single click JWT token takeover Yurii Sanin (@SaninYurii) JetBrains Open redirect, JWT bug, Account takeover - 09/05/2021
Business Logic Errors - Must Vote Jerry Shah (@Jerry) - Logic flaw $0 (Duplicate) 09/05/2021
Bypassed! and uploaded a sweet reverse shell Ajay Sharma (@security_donut) - Unrestricted file upload - 09/05/2021
How I hacked BBC mail servers Momen Ali (Cyber Guy) (@theCyberGuy0) BBC Information disclosure, Open mail relay N/A (VDP) 09/04/2021
More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers Youssef Sammouda (@samm0uda) Meta / Facebook Account takeover $126,000 09/03/2021
How @Mailru treated my report on their program Aý Oùb (@Yukusawa18) Mail.ru AWS misconfiguration $150 09/03/2021
IDOR Vulnerability In GraphQL Api On Website Aidil Arief - IDOR, GraphQL bug - 09/03/2021
Google Cloud Build — under the hood Imre Rad (@ImreRad) Google - - 09/02/2021
Play the music and bypass TCC aka CVE-2020-29621 Wojciech Reguła (@_r3ggi) Apple Privacy issue, MacOS bug - 09/02/2021
RCE By Code Injection | Perl Reverse Shell Abdulrahman-Kamel - RCE, Code injection - 09/02/2021
ZDI-21-1053: Bypassing Windows Lock Screen Abdelhamid Naceri (@KLINIX5) Microsoft Authentication bypass - 09/02/2021
Your Vulnerability Is In Another OEM! Lucas Georges, Julien Boutet & Thomas Chauchefoin Western Digital Memory corruption bug, RCE - 09/02/2021
SQL injection in harvard subdomain Brandon Roldan (@tomorrowisnew_) Harvard University XSS, SQL injection - 09/02/2021
Breaking Application’s Logic to DOS Attack Abhijeet Singh (@abhiunix) - IDOR, DoS - 09/02/2021
chaining bugs from self XSS to account takeover Behnam Yazdanpanah (@abhiunix) - Self XSS, WAF bypass, CSRF, Account takeover - 09/02/2021
How I Found Multiple XSS in Hidden Legacy Pages Marx Chryz - XSS $1,000 09/02/2021
Hacking Dutch Government For a lousy T-shirt Veshraj Ghimire (@GhimireVeshraj) Dutch Government IDOR, Information disclosure $0, Swag 09/02/2021
CVE-2021-2429: A Heap-based Buffer Overflow Bug In The Mysql Innodb Memcached Plugin - Oracle (MySQL) Memory corruption bug - 09/02/2021
SQL injection in harvard subdomain Brandon Roldan (@tomorrowisnew_) Harvard University SQL injection - 09/01/2021
Now Patched Vulnerability in WhatsApp could have led to data exposure of users Dikla Barda & Gal Elbaz Facebook (WhatsApp) Memory corruption bug - 09/01/2021
Full PoC | Metasploit Pro Trial License Request Limit Bypass ChooK Rapid7 Privilege escalation, Logic flaw N/A (VDP) 08/31/2021
Dropping root shell in a Crypto Exchange for Fun and Profitn’t Nirmal Thapa (@tnirmalz) ChangeNOW RCE $1,000 08/31/2021
Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD) Shubham Bhamare (@theshubh77) Meta / Facebook 2FA bypass $1,000 08/31/2021
Broken Access Control Leads To Change Of Admin Details V3D (@v3d_bug) - Privilege escalation, Client-side enforcement of server-side security - 08/31/2021
CVE-2021-39165: A Bug Bounty Journey from a Laravel SQL Injection Vulnerability Xuan Tuyen - SQL injection - 08/30/2021
Proxytoken: An Authentication Bypass In Microsoft Exchange Server Xuan Tuyen Microsoft Authentication bypass - 08/30/2021
I owe your Request | HTTP Request Smuggling leads to Full Accounts takeover Muhammad Adel (@ItsFadinG_) - HTTP Request Smuggling - 08/30/2021
Two account takeover bugs worth $4300 🎁 Usama Varikkottil (@usama_dev) - Account takeover, Privilege escalation, 403 bypass, IDOR $4,300 08/29/2021
How MarkMonitor left >60,000 domains for the taking Ian Carroll (@iangcarroll) - Subdomain takeover - 08/29/2021
Hunting for XSS with CodeQL Daniel Santos (@bananabr) GitLab XSS $500 08/29/2021
What would you do if Oracle’s mailing server sent you this? I am Broot Oracle HTML injection - 08/29/2021
ATO of WordPress Website “4 digits €€€€ Bounty in 5 Minute!” Ritesh Gohil (@RiteshG37659480) - Exposed registration page, Account takeover - 08/29/2021
Information disclosure via api misconfiguration Rizwan_siddiqui (@Rizwan_SiDdiqu1) - Information disclosure - 08/29/2021
Bug Bounty: “My Remote Code Execution” 0xJin (@0xJin) - Default credentials, RCE - 08/29/2021
Cache Poisoning via SelfXSS + Path Parameter ElMahdi Mrhassel (@ElMrhassel) - XSS, Web cache poisoning - 08/28/2021
SSRF External Service Interaction for Find Real IP CloudFlare and Leads to SQL Injection Caesar Evan Santoso - WAF bypass, SSRF, SQL injection - 08/28/2021
Exploiting Devops -Leak Source codes Shivbihari Pandey (@ninja_pandit_) - Information disclosure - 08/28/2021
How I Scored 2K Bounty via an IDOR Sicksec (@OriginalSicksec) Mail.ru IDOR $2,000 08/27/2021
How did I earn 6000$ from tokens and scopes in one day Corraldev (@javier_corralg) - Authorization flaw, Privilege escalation $6,000 08/27/2021
ChaosDB: Critical Vulnerability in Microsoft Azure Cosmos DB Nir Ohfeld (@nirohfeld) & Sagi Tzadik (@sagitz_) Microsoft Account takeover, Local Privilege escalation $40,000 08/26/2021
Oauth client secret leak and possible IDOR leading to PII Disclosure Monke & Bend Theory (@bendtheory) - IDOR, OAuth flaw, Information disclosure - 08/26/2021
Reflective XSS via search box [Bypassing Cloudflare WAF]. Friendly (@SkeletorKeys) - Reflected XSS - 08/26/2021
‘Websocket Hijacking’ to steal Session_ID of victim users Sunil Yedla (@sunilyedla2) - Cross-Site WebSocket Hijacking (CSWH) - 08/25/2021
Pwn2Own Vancouver 2021 :: Microsoft Exchange Server Remote Code Execution Steven Seeley (@steventseeley) Microsoft RCE, MiTM - 08/25/2021
Business Logic Ratings Bug Maxwell Dulin (@Dooflin5) - Logic flaw - 08/25/2021
Retrieve Archived Stories Of Any Public Instagram Account. Naveen Facebook (Instagram) IDOR, GraphQL bug $0 (Duplicate) 08/25/2021
Vulnerability in Bumble dating app reveals any user’s exact location Robert Heaton (@RobJHeaton) Bumble Information disclosure, Logic flaw $2,000 08/25/2021
The Nomulus rift Imre Rad (@ImreRad) Google Insecure deserialization - 08/25/2021
“How Companies Need to Widen There Scopes” amnotacat - RCE, Components with known vulnerabilities - 08/25/2021
How I found a primitive but critical broken access control vulnerability in YouTrack (CVE-2020-24618) Yurii Sanin (@SaninYurii) JetBrains Information disclosure - 08/25/2021
One Endpoint, Two Account Takeovers Yashar Shahinzadeh (@YShahinzadeh) - Account takeover - 08/24/2021
[$5K] Misconfigured Reset password that leads to Account Takeover (No user Interaction ATO) Aditya Sharma (@Assass1nmarcos) - Account takeover, Password reset flaw, Information disclosure $5,000 08/24/2021
How I was able to steal private files of any user on Larksuite Imran Nissar (@Imrannissar3) - IDOR - 08/24/2021
By Design: How Default Permissions on Microsoft Power Apps Exposed Millions UpGuard Team (@upguard) Microsoft Information disclosure - 08/23/2021
Hey Google ! - Delete my Data Properly — #GoogleVRP Sriram Kesavan (@sriramoffcl) Google Logic flaw - 08/23/2021
Zoom RCE from Pwn2Own 2021 Thijs Alkemade & Daan Keuper Zoom RCE, Memory corruption bug $200,000 08/23/2021
Server Side Request Forgery with huge impact in production application Gökhan Güzelkokar (@gkhck_) - SSRF - 08/23/2021
Story Of Unexpected Bugs Neh Patel - IDOR, XSS - 08/22/2021
MonkeyType.com Stored Cross-Site Scripting Tyle Butler (@tbutler0x90) MonkeyType.com Stored XSS, Authentication bypass, IDOR $40 08/22/2021
How I was able to get 1000$ bounty from a ds-store file? Khaled Mohamed (@0xElkomy) - Information disclosure, Debugging enabled €1,000 08/21/2021
Playing With s3 Leaks Aswin Thambi Panikulangara (@r0074g3n7) - AWS misconfiguration - 08/21/2021
How I found my first Subdomain Takeover vulnerability Monish Basaniwal - Subdomain takeover, CSRF €375 08/20/2021
How I got RCE In The World Largest Russian Company Sicksec (@OriginalSicksec) Mail.ru RCE - 08/20/2021
Disclose WhatsApp Number of Instagram Accounts Despite Setting Set to be Hidden Naveen (@NaveenHax) Meta / Facebook Information disclosure, Logic flaw $1,000 08/19/2021
Account Takeover via Access Token Leakage Tuhin Bose (@tuhin1729_) - IDOR, Information disclosure, Account takeover - 08/19/2021
From Pwn2Own 2021: A New Attack Surface On Microsoft Exchange - Proxyshell! Orange Tsai (@orange_8361) Microsoft RCE, Privilege escalation $200,000 08/18/2021
How to Hack Apple ID Zemnmez (@zemnmez) Apple XSS, Account takeover $10,000 08/17/2021
Confirming any new Email Address bug in Facebook (Part-4) Lokesh Kumar (@lokeshdlk77) Meta / Facebook Rate-limiting bypass $3,449 11/04/2020
Dangling DNS: Announcekit Mohamed Elbadry (@_melbadry9) - Subdomain takeover - 08/16/2021
Two weeks of securing Samsung devices: Part 2 Oversecured (@OversecuredInc) Samsung Arbitrary file write, Arbitrary file read, Vulnerable Android content provider $18,040 08/16/2021
CVE-2021-22929 – Brave Browser 1.27 and below permanently logs the server connection time for all v2 tor domains to ~/.config/BraveSoftware /Brave-Browser/tor/data/tor.log sickcodes (@sickcodes) Brave Software Privacy issue, Information disclosure $400 08/16/2021
A Bug’s Life: CVE-2021-21225 & Exploiting CVE-2021-21225 and disabling W^X Brendon Tiszka (@btiszka) Google Browser bug $22,000 08/16/2021
Why u should use burp to test Path Traversal Vulnerability and also get RXSS Yasser Mohammed (@boomneroli) - Path traversal, XSS, CSRF, Account takeover $700 08/16/2021
Second Order Subdomain Takeovers – They DO Exist! Alun Jones (@ftp_alun) Microsoft Subdomain takeover, Broken link hijacking - 08/15/2021
1st Bug Bounty WriteUp: Open Redirect To XSS on Login Page Nassim Chami (@nvccim) - Open redirect, XSS - 08/15/2021
Simple HTML Injection to $250 Ahmad Halabi (@Ahmad_Halabi_) - Account takeover, Mass assignment $600 08/14/2021
Finding multiple SSRF with aws metadata access on A BANK system Santosh Kumar Sha (@killmongar1996) - SSRF - 08/14/2021
Bypass Google Captcha+Parameter Pollution Leads to send email to any user on behalf of “Organization” with any desired content viral bhatt (@viralbhatt100) - HTTP Parameter Pollution, Captcha bypass - 08/14/2021
Facebook Bug:Invite user to Like a Page even after they decline the Page Like Invite Circle Ninja (@circleninja) Meta / Facebook Logic flaw $0 (Informative) 08/14/2021
How we were able to take over a whole organization via Privilege Escalation Yasser Mohammed (@boomneroli) - Privilege escalation, Authorization flaw $500 08/13/2021
How I found read/write access to the personal data of 3 million users of an E-commerce website? Prashant Singh / SecGeek_one0one - IDOR - 08/13/2021
Blind SSRF in URL Validator Yash Kandekar (@Neutron__) - Blind SSRF - 08/12/2021
Taking Over Employee Accounts by Managers with Zero Employee Interaction Chaitanya Rajhans (@Chaitanya_024) - HTML injection $250 08/12/2021
How I Bought a £240.00 Annual Subscription for Bargain £0.01 Craig Hays (@craighays) - Payment tampering, Logic flaw - 08/11/2021
OVE-20210809-0001 Visual Studio Code .ipynb Jupyter Notebook XSS (Arbitrary File Read) Justin Steven (@justinsteven) Microsoft XSS $0 (OOS) 08/11/2021
Multiple Vulnerabilities In cPanel/WHM Adrian Tiron (@adrian__t) cPanel XXE, Stored XSS, Privilege escalation, CSRF, Cross-Site WebSocket Hijacking (CSWH) - 08/10/2021
Fuzzing + IDOR = Admin TakeOver Gonzalo Carrasco (@0xCGonzalo) - IDOR, Account takeover - 08/09/2021
What is BOLA? 3-digit bounty from Topcoder ($$$) can1337 (@canmustdie) Topcoder IDOR - 08/09/2021
CVE-2021-25738 Jordy Versmissen / J0VSEC (@j0v0x0) Kubernetes RCE $1,000 08/07/2021
CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation Of Privilege (EOP) bohops (@bohops) Intel Local Privilege Escalation - 08/07/2021
Size Matters — CVE-2021-0485 (High) +Ch0pin (@Ch0pin) Google (Android) Local Privilege Escalation - 08/07/2021
Access to CrowdTangle Deletion Framework API Philippe Harewood (@phwd) Meta / Facebook Authorization flaw, GraphQL bug - 08/07/2021
View the country of a private Instagram User Philippe Harewood (@phwd) Meta / Facebook Information disclosure $0 (Informative) 08/07/2021
Access to CrowdTangle Deletion Framework API Philippe Harewood (@phwd) Meta / Facebook Information disclosure, Logic flaw, GraphQL bug $0 (Informative) 08/07/2021
Do you like to read? I can take over your Kindle with an e-book Slava Makkaveev Amazon Memory corruption bug, RCE, Local Privilege Escalation - 08/06/2021
Account Takeover (User + Admin) Via Password Reset Hemant Patidar (@HemantSolo) - Account takeover, Password reset flaw, Logic flaw $200 08/05/2021
PostMessage Xss vulnerability on private program Youghourta Ghannei (@YoughartaG) - XSS, postMessage bug - 08/03/2021
How the use of hidden form fields lead to Email verification bypass Yash Swarup (@wazirsec) - Email verification bypass, Client-side enforcement of server-side security - 08/03/2021
Detecting Jackson deserialization vulnerabilities with CodeQL Artem Smotrakov (@artem_smotrakov) GitHub Insecure deserialization $4,500 08/02/2021
Facebook Messenger for android indirect thread deletion vulnerability. Rahul Kankrale (@RahulKankrale) Meta / Facebook Insecure deeplink - 08/02/2021
how to be popular yan (@bcrypt) OkCupid CSRF, Type confusion - 08/02/2021
CVE-2020-15823: Server-Side Request Forgery (SSRF) in JetBrains YouTrack Yurii Sanin (@SaninYurii) JetBrains SSRF - 08/02/2021
~/BugBounty/IDOR/”How I was able to exfiltrate any user’s credit coupons” Jai Sharma (@ja1sharma) - IDOR - 08/02/2021
Privilege Escalation | stealing user’s point | Bugcrowd Abhind Abhi - IDOR, Privilege escalation - 08/02/2021
Tale of XSS in Angular Sicksec (@OriginalSicksec) - Reflected XSS - 08/02/2021
Blind XXE Leads to Internal Port Scanning Through SSRF Sam Paredes (@caffeinevulns) - XXE, SSRF - 08/01/2021
Multi Domain DOM Cross Site Scripting Sam Paredes (@caffeinevulns) - DOM XSS - 08/01/2021
The journey from Google Honorable Mention to Hall of Fame. Akash basnet (@noneofyou007) Google Referer leakage, Information disclosure, Password reset flaw - 08/01/2021
Missing permission check for Facebook gaming community invites Philippe Harewood (@phwd) Meta / Facebook Information disclosure, Authorization flaw - 08/01/2021
Bug Bounty Stories #1: Tale of CSP bypass in an electron app! SecurityGOAT (@RuntimeSecurity) - CSP bypass - 07/31/2021
From Hobby to Hacking Muhammad Syahrul Haniawan (@b0x_in) - Unrestricted file upload, RCE, Lack of authentication - 07/31/2021
How I escalate my Self-Stored XSS to Account Takeover with the help of IDOR Jefferson Gonzales (@gonzxph) - Self-XSS, IDOR, Account takeover - 07/31/2021
How I bypassed website using Akamai waf Yusif Cəfərov (@yusifceferov_) - XSS - 07/31/2021
Facebook Vulnerability: Expose Group Member — $3000 Muhammad Sholikhin (@MuhammadLikhin) Meta / Facebook IDOR $3,000 07/30/2021
XXE in Public Transport Ticketing Mobile APP Nikhil (niks) (@niksthehacker) - XXE, RCE - 07/30/2021
Account takeover via stored xss vikram naidu (@ImVikram7msd) - Stored XSS $1,000 07/30/2021
Google Bug Bounty: $500 worth client-side DoS on Google Keep Tommaso De Ponti (@heytdep) Google Application-level DoS $500 07/30/2021
Gaining Access To GCP Of Google Stadia — 500$ Bounty Sebastien Kaul Google Information disclosure $500 07/29/2021
How I found my first IDOR in HackerOne N1GHTMAR3 (@n1ghtmar3_2421) - IDOR - 07/29/2021
How I could have hacked your medium account by phishing your FB, Twitter & Google credentials. Renganathan (@IamRenganathan) Medium Open redirect, OAuth flaw - 07/29/2021
Chaining Open Redirect with XSS to Account Takeover Radian ID - Open redirect, XSS, Account takeover - 07/29/2021
How I earned $$$ by Amazon S3 Bucket misconfigurations? Abdullah Mohamed (@3bodymo_) - AWS misconfiguration, Subdomain takeover - 07/29/2021
Information Disclosure to Account Takeover Sunil Yedla (@sunilyedla2) - Information disclosure, OAuth flaw, Account takeover, Authentication bypass - 07/28/2021
Pre-Auth RCE in Moodle Part I - PHP Object Injection in Shibboleth Johannes Moritz & Robin Peraglie Moodle RCE, PHP Object Injection - 07/27/2021
XSS-Special-Cases: XSS That Works only in mobile Devices 0xdln (@0xdln) - XSS - 07/27/2021
Abusing JSON Web Token to steal accounts — 3000$ Filipe Azevedo (@filipaze_) - IDOR $3,000 07/27/2021
Telegram Report: SSRF leads to DOS attack [Reports that didn’t make it] Philippe Delteil (@PhilippeDelteil) Telegram SSRF, DoS - 07/27/2021
XXE Case Studies cinzinga (@cinzinga_) - XXE - 07/26/2021
Apple Hall Of Fame for a Small Misconfiguration || Unauth Cache Purging Prajit Sindhkar (@PrajitSindhkar) Apple Unauthenticated cache purge $0, HoF 07/26/2021
Mattermost Server v5.32 > v5.36 Reflected XSS in OAuth flow zi0Black (@zi0Black) Mattermost Reflected XSS, OAuth flaw $900 07/26/2021
Bug Chain leads to Mass Account Takeover! Shubhayu Majumdar (@shubhayu64) - Information disclosure, Password reset flaw, Account takeover - 07/26/2021
Easy Bounty With Exposed Buckets & Blobs mr.d0x (@mrd0x) - Misconfigured cloud storage $1,450 07/26/2021
How I found a bug in Apple within just in 5min. Akash basnet (@noneofyou007) Apple XSS - 07/25/2021
Not valid bug that leads to us a multiple Valid Report in Facebook Kent Jarold Abulag (@wkemenhehehegsg) Meta / Facebook Information disclosure $1,000 07/25/2021
eBay XSS demo and guide to spear phishing MLT (@0dayWizard) Ebay XSS - 07/24/2021
How I Found Multiple Bugs On FaceBook In 1 Month And a Part For My Methodology & Tools Orwa Atyat (@GodfatherOrwa) Meta / Facebook SSTI, SQL injection, Authentication bypass, Privilege escalation, Reflected XSS - 07/23/2021
Story OF MY 3RD Bounty From Facebook Aashish Jung Kunwar (@WhoisAasis) Meta / Facebook Irremovable users, Logic flaw $500 07/23/2021
FragAttacks Mathy Vanhoef (@vanhoefm) The Internet Wifi vulnerability $750 07/23/2021
Pre-Account Takeover by Reversing a Weak Email Verification Token Algorithm Craig Hays (@craighays) - Weak crypto - 07/22/2021
Unauthenticated Access To MongoDB Database of Oracle Corporation Pratikkhalane (@KhalanePratik) Oracle Lack of authentication, Exposed administrative interface - 07/22/2021
Escalating Self-XSS To Stored XSS via Image injection + IDOR Demon (@R29k_) - Self XSS, Stored XSS, IDOR - 07/21/2021
Guest Blog Post - Attacking the DevTools David Erceg (@david_erceg) Microsoft Browser bug $36,000 07/21/2021
XSS-Through-Fuzzing-Default-IIS 0xdln (@0xdln) - Reflected XSS - 07/20/2021
How I was able to find mass leaked AWS S3 buckets from a JS file Santosh Kumar Sha (@killmongar1996) - AWS misconfiguration - 07/20/2021
Hacking Xiaomi’S Android Apps - Part 1 Ameya (@iamTakeMyHand) Xiaomi Android app bug, Information disclosure, Open redirect, Privacy issue - 07/19/2021
How I Bypassed a tough WAF to steal user cookies using XSS! Asem Eleraky (@melotover) - XSS, WAF bypass - 07/19/2021
Facebook Vulnerability: $1500 for Removing Document Cover Muhammad Sholikhin (@MuhammadLikhin) Meta / Facebook Authorization flaw, IDOR $1,500 07/18/2021
Account Takeover + A Bonus Vulnerability Vikash Maurya - Account takeover, Session fixation - 07/18/2021
RCE via WebDav - Power Of PUT Jerry Shah (@Jerry) - Default credentials, RCE - 07/18/2021
IIS-Default-Page-to-Information-Disclosure 0xdln (@0xdln) - Information disclosure - 07/17/2021
Remote code execution in cdnjs of Cloudflare RyotaK (@ryotkak) Cloudflare RCE, Path traversal - 07/16/2021
Logical Flaw Resulting Path Hijacking Veshraj Ghimire (@GhimireVeshraj) - Namespace attack - 07/16/2021
How I was able to bypass Cloudflare for XSS! hosein vita (@HoseinVita) - XSS - 06/16/2021
RFD Vulnerability And Content-Disposition Header Bypass Story! Kabilan S (@kabilan1290) - Reflected File Download - 07/14/2021
Stored XSS in Google Doubleclick Studio [Google Research Grant] Jasminder Pal Singh (@Singh_Jasminder) Google Stored XSS $0 07/14/2021
How I found Blind SQL Injection just by browsing and getting a unique URL Jawad Mahdi (@hunter0x1) - SQL injection - 07/14/2021
Credential stuffing in Bug bounty hunting Valeriy Shevchenko (@Krevetk0Valeriy) - Credential stuffing $8,300 07/14/2021
($380) XSS STORED in Bigo Bug Bounty Program Aidil Arief Bigo XSS $380 07/14/2021
Forced Browsing to Access Admin Panel the_unluck_guy (@7he_unlucky_guy) - Forced browsing - 07/13/2021
Unencrypted HTTP Links to Google Scholar in Search David Schütz (@xdavidhu) Google MiTM - 07/13/2021
Part 2: Dive into Zoom Applications Rakesh Thodupunoori (@rakesh_3895) Zoom CSRF, Account takeover, Information disclosure, Session expiration issue, Authorization bug, Logic flaw - 07/13/2021
Apple Security Bounty: A personal experience Nicolas Brunner Apple Permission issue, iOS bug $0 07/13/2021
Broken Access control bug : Bypassing 403’s by finding another endpoint that do the same thing. tomorrowisnew (@tomorrowisnew_) - Broken Access Control, 403 bypass - 07/12/2021
Trick to bypass rate limit of password reset functionality Abdulrahman-Kamel - Rate limiting bypass - 07/12/2021
Pre-Denial Of Service (set-up 2FA on unverified account) Vikash Maurya - Application-Level DoS - 07/11/2021
Critical Bug Bounty Reports: Part 1 Greg Gibson - Account takeover, Password reset flaw, RCE, Information disclosure - 07/11/2021
Reflected XSS Through Insecure Dynamic Loading Greg Gibson - XSS - 07/11/2021
Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer Sam Curry (@samwcyo) Chess.com Broken link hijacking - 07/10/2021
Account Takeovers — Believe the Unbelievable Nikhil (niks) (@niksthehacker) - Account takeover, Session management flaw, Weak credentials, Components with known vulnerabilities, Password reset flaw $5,751 07/09/2021
Facebook Email/phone disclosure using Binary search Rikesh Baniya / NotRickyy (@rikeshbaniya) Meta / Facebook Password reset flaw, Information disclosure, Bruteforce - 07/09/2021
Discovering Zero-Day Vulnerabilities in McAfee Products mr.d0x (@mrd0x) McAfee Local Privilege Escalation - 07/09/2021
IDOR on clientauthconfig.googleapis.com David Schütz (@xdavidhu) Google IDOR $0 (Won’t fix) 07/08/2021
CVE-2021-22555: Turning \x00\x00 into 10000$ Andy Nguyen (@theflow0) Google Memory corruption bug, Local Privilege Escalation $10,000 07/07/2021
Mass Assignment exploitation in the wild – Escalating privileges in style Gal Nagli (@naglinagli) - Mass assignment, Privilege escalation - 07/07/2021
Let’s cancel the subscription (informative) Adnan Malik (@adnanmalikinfo) - Logic flaw, Payment tampering $0 (Informative) 07/07/2021
Kaspersky Password Manager: All your passwords are belong to us Jean-Baptiste Bédrune Kaspersky Weak crypto - 07/06/2021
Exploiting Auto-save Functionality To Steal Login Credentials Saad Ahmed (@XSaadAhmedX) - HTML injection - 07/06/2021
Blind XSS in Apple School- Enrollment Data Disclosure hackrzvijay (@hackrzvijay) Apple Blind XSS $5,000 07/05/2021
View Other User Private Livestream Data Geva (@Geva_7) Meta / Facebook IDOR - 07/03/2021
Bulletin.com email address leak Philippe Harewood (@phwd) Meta / Facebook Information disclosure, GraphQL bug $3,750 07/02/2021
How We Are Able To Hack Any Company By Sending Message – $20,000 Bounty [CVE-2021-34506] Vansh Devgan (@Th3Pr0xyB0y) & Shivam Kumar Singh (@MrRajputHacker) Microsoft UXSS $20,000 06/30/2021
Testing Cookies worth $500 Sankalpa Acharya (@sankalpa_02) - Account takeover, IDOR $500 06/30/2021
Finding DOM Polyglot XSS in PayPal the Easy Way Gareth Heyes (@garethheyes) Paypal DOM XSS, CSP bypass - 06/30/2021
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) Michael Stepankin (@artsploit) - RCE, Insecure deserialization - 06/29/2021
gcp-dhcp-takeover-code-exec Imre Rad (@ImreRad) Google DHCP flood, VM takeover - 06/28/2021
How I found my first Chrome bug (CVE-2021-21210) Daniel Santos Google (Chrome) NAT Slipstreaming - 06/28/2021
Diving into Dependabot along with a bug in npm tyage (@tyage) GitHub SSRF, RCE $8,117 06/27/2021
Taking over Uber accounts through voicemail Shubham Shah (@infosec_au) Uber Account takeover $0 (Informative) 06/27/2021
Misconfigured $3 Bucket - A Semi Opened Environment Yukesh Kumar (@3th1c_yuk1) Redbull AWS misconfiguration N/A (VDP) 06/27/2021
Escalating XSS to Arbitrary File Read Pethuraj (@Pethuraj) - XSS, LFI - 06/27/2021
Oversightboard.com site-wide CSRF due to missing checking Youssef Sammouda (@samm0uda) Meta / Facebook CSRF $500 06/27/2021
Disclose unconfirmed email/phone of a Facebook user Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure $500 06/27/2021
Some ways to find more IDOR Thái Vũ (@thaivd98) - IDOR - 06/26/2021
Gaining access to protected components DavMehtab Zafar (@0xmzfr) - Vulnerable Android content provider - 06/25/2021
From Information Disclosure to interesting Privilege Escalation David Shaul (@dudy2kk) - Information disclosure, Account takeover, Privilege escalation - 06/25/2021
PII Leakage - Revealing Secrets Jerry Shah (@Jerry) - Information disclosure - 06/25/2021
A supply-chain breach: Taking over an Atlassian account Dikla Barda, Yaara Shriki, Roman Zaikin (@R0m4nZ41k1n) & Oded Vanunu (@Od3dV) Atlassian XSS, CSRF - 06/24/2021
Flywheel Subdomain Takeover Smaran Chand (@smaranchand) - Subdomain takeover - 06/24/2021
MSRC is confused! 😕 Ricardo Iramar dos Santos (@ricardo_iramar) Microsoft Dependency confusion $0 06/24/2021
Microsoft Store free purchase vulnerabilities Marlon Fabiano (@astrounder) Microsoft Payment tampering, Logic flaw - 06/24/2021
Three Microsoft Store vulnerabilities Marlon Fabiano (@astrounder) Microsoft Payment tampering, Logic flaw - 06/24/2021
How I was able to get Appreciation from the organization of a website just by changing a sign..!!! Fardeen Ahmed (@fardeenahmed411) - Information disclosure, Source code disclosure - 06/23/2021
Generate online votes using Race Condition Vulnerability in Woobox Web Application (Write Up) Evan Ricafort (@evanricafort) Woobox Race condition - 06/23/2021
Cracking Encrypted Credit Card Numbers Exposed By API Craig Hays (@craighays) - Information disclosure, Weak crypto - 06/22/2021
Stored XSS via Invite leading to Mass Account Takeover at Opera. Samrat Gupta (@Sm4rty_) Opera Stored XSS - 06/20/2021
Unprivileged User with Read/Write permission to User Access can escalate their role to ADMIN — Privilege Escalation Ertugrul Ozdemir (@ertugrulphp) - Privilege escalation - 06/20/2021
How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It Laxman Muthiyah (@laxmanmuthiyah) Apple Account takeover, 2FA bypass, Rate-limiting bypass, Race condition $18,000 06/19/2021
Full Local File Read via Error Based XXE using XLIFF File pwn.vg / Tomi (@mastomii) - XXE - 06/19/2021
Zero Click account Takeover Zahir Tariq (@ZahirTariq3) - Account takeover, Password reset flaw - 06/19/2021
Exploiting File Upload Functionality in Unique Way. Rohit Soni - Unrestricted file upload - 06/19/2021
Accessing Restricted Documents With Extra JSON Body Content Imran Huda (@imranHudaA) - Mass-assignment, Authorization flaw $500 06/18/2021
Account takeover via stored XSS with arbitrary file upload 0xbadb00da (@0xbadb00da) - Insecure file upload, XSS, Account takeover - 06/18/2021
M1 Macs GateKeeper bypass aka CVE-2021-30658 Wojciech Reguła (@_r3ggi) Apple Local Privilege Escalation - 06/18/2021
How We Are Able To Hack Any Company By Sending Message - $20,000 Bounty [CVE-2021-34506] & Video PoC Th3Pr0xyB0y (@Th3Pr0xyB0y) & Shivam Kumar Singh (@MrRajputHacker) Microsoft Universal XSS $20,000 06/17/2021 Archived page
HTML Injection and a dream in Google Chrome for Linux (Write Up) Evan Ricafort (@evanricafort) Google HTML injection $0 (Informative) 06/17/2021
Crashing your LinkedIn app with a connection request. Renganathan (@IamRenganathan) LinkedIn Application-Level DoS - 06/17/2021
Why dynamic code loading could be dangerous for your apps: a Google example Oversecured (@OversecuredInc) Google Arbitrary file write, Insecure intents - 06/17/2021
Part-1 Dive into Zoom Applications Rakesh Thodupunoori (@rakesh_3895) Zoom CSRF, Payment bypass, Logic flaw, Account takeover, Privilege escalation $22,000 06/16/2021
Story of Google Hall of Fame and Private program bounty worth $$$ Basavaraj Banakar (@basu_banakar) Google Exposed registration page - 06/16/2021
One-click DOS via Response Manipulation Akhil - Logic flaw - 01/16/2021
Authentication Bypass | Easy P1 in 10 minutes Anirudh Makkar (@anirudhmakkar) - Authentication bypass, Forced browsing - 06/16/2021
This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them Mayur Fartade (@mayurfartade) - IDOR, GraphQL bug $30,000 06/15/2021
Importance of burp history analysis to bypass 403 Vuk Ivanovic - 403 bypass - 06/15/2021
Exploiting outdated Apache Airflow instances & Blast Radius: Apache Airflow Vulnerabilities Ian Carroll (@iangcarroll) - Session management flaw $13,000 06/14/2021
Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs Evan Grant (@stargravy) Microsoft postMessage bug, Token theft - 06/14/2021
Blind Command Injection - It hurts Jerry Shah (@Jerry) - Command injection, RCE - 06/14/2021
An exciting journey to find SSRF , Bypass Cloudflare , and extract AWS metadata ! hosein vita (@HoseinVita) - SSRF - 06/13/2021
User’s location disclosure in the “Nearby Friends” feature. $15,500 Bounty Yavor Rusev / Явор Русев Meta / Facebook Information disclosure $15,500 06/13/2021
[Google VRP] Privilege escalation on https://dialogflow.cloud.google.com lalka (@0x01alka) Google Authorization flaw, Logic flaw $3,133.70 06/13/2021
Story of Account Takeover : Using Social Login with Mass Assignment Vulnerability to hack accounts ! Mohammad Kaif - Mass assignment, Account takeover - 06/13/2021
How I found the silliest logical vulnerability for $750 that no one found for 3 years Sina Kheirkhah (@Sin_Khe) - Logic flaw $750 06/12/2021
How I was able to bypass the admin panel without the credentials. Pratikkhalane (@KhalanePratik) - Information disclosure $500 06/12/2021
Bypassing 2FA using OpenID Misconfiguration Youstin (@iustinBB) - 2FA bypass, Authentication flaw - 06/11/2021
Two weeks of securing Samsung devices: Part 1 Oversecured (@OversecuredInc) Samsung Arbitrary file write, Insecure intents $20,690 06/10/2021
Second Order Race Condition Prasoon Gupta (@0xdekster) - Race condition $1,000 06/10/2021
Unexpected IDOR Vulnerability in [REDACTED] - [redacted].net (Write Up) Evan Ricafort (@evanricafort) - IDOR $2 06/10/2021
Author spoofing in Google Colaboratory Zohar Shachar Google Logic flaw $500 06/09/2021
How i was able to bypass parental pin of showmax abdoul gadiri balde (@moodiAbdoul) Showmax Authorization flaw - 06/09/2021
Story of my first cash bounty on hackerone. Vedant Tekale (@_justYnot) - SSRF, XSS - 06/07/2021
How I could have accessed all your private videos/photos saved inside your device without even unlocking it? Samip Aryal Meta / Facebook Authorization flaw, Logic flaw $3,150 06/06/2021
How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access Santosh Kumar Sha (@killmongar1996) - SSRF - 06/06/2021
Shopify Multipass Misconfiguration Ahmed A. Sherif - Authentication flaw, Logic flaw - 06/05/2021
Pop-Ups in a good-world Guilherme Keerok (@k33r0k) Imgur XSS - 06/04/2021
Executing CSRF With Phone Validation Greg Gibson - CSRF - 06/04/2021
403 Forbidden Bypass th3.d1p4k (@DipakPanchal05) - OTP bypass, Exposed registration page, XSS - 06/04/2021
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #3 R ando (@Rando02355205) Google Broken Access Control - 06/04/2021
Android: Exploring vulnerabilities in WebResourceResponse Oversecured (@OversecuredInc) Amazon Arbitrary file read - 06/03/2021
Server Side Request Forgery - A Forged Document Jerry Shah (@Jerry) - SSRF, File upload bug $500 06/03/2021
Bypassing LFI (Local File Inclusion) Abhishek (@abhishake21) - LFI - 06/03/2021
XSS in the AWS Console Nick Frichette (@frichette_n) Amazon XSS, CSP bypass, CSTI - 06/02/2021
Exploiting Open Redirect - Whitelist Bypass Using Salesforce Environment Gaurav Nayak (@4auvar) - Open redirect, Token theft - 06/02/2021
Escalating SSRF to Accessing all user PII information by aws metadata Santosh Kumar Sha (@killmongar1996) - SSRF - 06/01/2021
CVE-2021-29084: Exploiting CRLF Header Injection in Synology NAS for Unauthenticated File Downloads Justin Taft Synology CRLF injection - 06/01/2021
Facebook Page Admin Disclosure Kunjan Nayak (@kunjannayak5) Meta / Facebook Information disclosure $500 05/31/2021
AppCache’s forgotten tales Luan Herrera (@lbherrera_) Google (Chrome) Browser bug $10,000 05/31/2021
runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465) Etienne Champetier / champtar Google Kubernetes bug, Container breakout - 05/30/2021
Metadata service MITM allows root privilege escalation (EKS / GKE) Etienne Champetier / champtar Google Kubernetes bug, Privilege escalation, MiTM - 05/30/2021
Account Takeover via iFrame Injection xbforce (@xbforce) - Iframe injection, Account takeover - 05/29/2021
The beauty of chaining client-side bugs Master SEC (@MasterSEC_AR) - CRLF, XSS, CSP bypass, DoS, CSTI - 05/29/2021
CafeBazaar and Subdomain Takeover Sina Kheirkhah (@Sin_Khe) CafeBazaar Subdomain takeover - 05/29/2021
Github, The Goldmine for P1s and P2s - Sensitive Information Exposure via Github by a Company Employee Savir Suda (@savxiety) - Information disclosure - 05/28/2021
Hey WAF! Better Luck Next Time! 👽 Akash Rox Starz - SQL injection - 05/28/2021
How I hacked a Target again and again… Aditya Verma (@0cirius0) - OAuth bug, Account takeover, XSS, Broken Access Control - 05/27/2021
Bypassing restricted port protection in WebKit David Schütz (@xdavidhu) Apple Browser bug - 05/26/2021
GitLab Arbitrary File Read & Write through Kroki - CVE-2021-22203 Anh Duc Nguyen (@ledz1996) - Arbitrary file read $5,600 05/25/2021
Stored XSS with two different parameters Joel Cantu (@InfosecRintox) - Reflected XSS - 05/25/2021
Patch Gapping a Safari Type Confusion Theori (@theori_io) Apple Memory corruption bug - 05/25/2021
Chaining XSS with authentication issues to turn it into full account takeover N1GHTMAR3 (@n1ghtmar3_2421) - XSS, Account takeover - 05/24/2021
Disclose leads form details of any Facebook Business Account or Facebook Page (Bug Bounty) Amine Aboud (@amineaboud) Meta / Facebook IDOR, GraphQL bug - 05/23/2021
CORS misconfig that worths USD200 MikeChan - CORS misconfiguration $200 05/23/2021
Finding and Exploiting Unintended Functionality in Main Web App APIs Bend Theory (@bendtheory) - IDOR, Information disclosure, Privilege escalation $4,000 05/21/2021
Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$) Rohit kumar (@rohitcoder) Meta / Facebook Information disclosure $500 05/21/2021
CSRF from which we can create a support ticket in Victim’s Account (500$) Rohit kumar (@rohitcoder) Meta / Facebook CSRF $500 05/21/2021
How I turned 0000 into $600: Phone Verification Bypass Shrirang Diwakar - OTP bypass $600 05/21/2021
403 Forbidden Bypass th3.d1p4k (@DipakPanchal05) - 403 bypass, Forced browsing - 05/21/2021
Oculus SSO “Account Linking” bug leads to account takeover on third party websites and inside VR Games/Apps Youssef Sammouda (@samm0uda) Meta / Facebook SSO bug, Authentication flaw, Account takeover $12,000 05/20/2021
XSS via postMessage in chat.mozilla.org Guilherme Keerok (@k33r0k) Mozilla XSS, postMessage bug $500 05/20/2021
Third-Party Apps were still getting your private Facebook data even after their access expiry. Samip Aryal Meta / Facebook Logic flaw $1,000 05/20/2021
Writeups: Facebook Whitehat program(2021): Instagram Live setting bug Takashi Suzuki Meta / Facebook Logic flaw $537 05/20/2021
SSRF in PDF Renderer using SVG pwn.vg / Tomi (@mastomii) - SSRF $2,150 05/19/2021
Time-Based SQL Injection to Dumping the Database Naveen J (@thevillagehackr) - SQL injection, Android app bug - 05/19/2021
Finding my First Critical Web Cache Poisoning Yasser Khan (@N3T_hunt3r) - Web cache poisoning - 05/18/2021
Path Traversal in MobileSafari David Schütz (@xdavidhu) Apple Path traversal - 05/18/2021
Drupal Insecure Default Leads To Password Reset Poisoning Bogdan Tiron (@Bogdan___T) Drupal Password reset flaw, Host header injection N/A (VDP) 05/17/2021
Just Gopher It: Escalating a Blind SSRF to RCE for $15k SirLeeroyJenkins (@SirLeeroyJenkin) - SSRF, RCE $15,000 05/17/2021
Clickjacking in Nearby Devices Dashboard David Schütz (@xdavidhu) Google Clickjacking - 05/17/2021
My Fourth Account takeover through password reset Omar Hamdy (@seaman00o) - Account takeover, Password reset flaw - 05/17/2021
How i hijacked 12 Subdomains in one Program Naveen kumawat (@nvk0x) - Subdomain takeover - 05/17/2021
Auth Bypass in https://nearbydevices-pa.googleapis.com David Schütz (@xdavidhu) Google Broken Access Control $5,000 05/16/2021
MSSQL Injection In JSON Request Kailash (@Corrupted_brain) - SQL injection - 05/16/2021
Edmodo Bug Bounty Writeup Pethuraj (@Pethuraj) Edmodo XSS $0 (Duplicate) 05/16/2021
2FA Bypass via Forced Browsing Akhil - 2FA bypass - 05/15/2021
Mass Assignment exploitation in the wild - Escalating privileges in style Gal Nagli (@naglinagli) - Mass assignment, Privilege escalation - 05/14/2021
One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover Youssef Sammouda (@samm0uda) Meta / Facebook Reflected XSS, Account takeover $9,600 05/13/2021
Blind XSS on Google Internal System Kailash (@Corrupted_brain) Google Blind XSS $5,000 05/13/2021
Counter-Strike Global Offsets: reliable remote code execution brymko (@brymko), dezk (@cffsmith) & Simon Scannell (@scannell_simon) Valve RCE - 05/13/2021
How I find my first Stored XSS Filipe Azevedo (@filipaze_) - Stored XSS - 05/13/2021
My story of hacking Dutch Government Tuhin Bose (@tuhin1729_) Dutch Government XSS - 05/12/2021
CVE-2020-35580 hateshape (@hateshaped) - LFI - 05/11/2021
CVE-2021-27075: Microsoft Azure Vulnerability Allows Privilege Escalation and Leak of Private Data Intezer Microsoft Privilege escalation - 05/11/2021
2FA Verification Bypass in Shapeshift [shapeshift.com] (Write Up) Evan Ricafort (@evanricafort) Shapeshift 2FA bypass - 05/10/2021
Stored XSS to Organisation Takeover Zaid Bhat (@zaidozaid) - Stored XSS - 05/10/2021
Simple logical Bug turned into a bounty Sndp Giri Meta / Facebook Logic flaw $500 05/10/2021
Exploiting Activity in medium android app Raju kumar (@MrCyberwarrior) Medium Insecure intents - 05/10/2021
Unauthorized access to Django Admin Dashboard by endpoint leaked on GitHub Santosh Kumar Sha (@killmongar1996) - Lack of authentication, Forced browsing - 05/10/2021
Microsoft bug bounty writeup th3.d1p4k (@DipakPanchal05) Microsoft Information disclosure - 05/08/2021
Workplace by Facebook | Unauthorized access to companies environment — $27,5k Marcos Ferreira (@mvinni_) Meta / Facebook Authorization flaw, Logic flaw, IDOR $27,500 05/07/2021
Apple Bug bounty writeups XSS(2021) Takashi Suzuki Apple XSS - 05/07/2021
Identify a Facebook user by his phone number despite privacy settings set Youssef Sammouda (@samm0uda) Meta / Facebook Privacy issue, Information disclosure $9,000 05/06/2021
CVE-2021-1815 – MacOS Local Privilege Escalation Via Preferences Offensive Security (@offsectraining) Apple Local Privilege Escalation - 05/06/2021
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit - Google RCE - 05/05/2021
Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens Youssef Sammouda (@samm0uda) Meta / Facebook OAuth flaw, Authorization flaw, Account takeover $18,000 05/05/2021
How I Found Sql Injection on intensedebate.com (h1) in 5 minute $350 Ahmad A Abdulla (@lu3ky13) Automattic SQL injection $350 05/05/2021
XSS Through Parameter Pollution Saajan Bhujel (@saajanbhujel11) - Open redirect, XSS, HTTP Parameter Pollution - 05/05/2021
Injecting Punycode URL Within the Arbitrary Text via Comment Box In Google Photo Sharing Option Divyanshu Shukla (@justm0rph3u5) Google HTML injection $0 (OOS) 05/05/2021
ExifTool CVE-2021-22204 - Arbitrary Code Execution William Bowling / vakzz (@wcbowling) GitLab RCE $20,000 05/04/2021
Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida & Exploiting the Source Engine (Part 1) Geebz (@Gbps111) Valve RCE $7,500 05/04/2021
Deep Dive into Open Source Bug Bounty Ritik Sahni (@ritiksahni22) - CSRF - 05/03/2021
Finding known exploits for bugbounties. ipanda (@ipanda915) - RCE $0 (Duplicate) 05/03/2021
IDOR Leads To Leak Any Uber Eats Restaurant Analytics Prial Islam Khan (@prial261) Uber IDOR $2,000 05/02/2021
Basic recon to RCE Joshua Martinelle (@J0_mart) - Insecure deserialization, RCE - 05/02/2021
Chaining CSRF with XSS to deactivate Mass user accounts by single click Santosh Kumar Sha (@killmongar1996) - CSRF, XSS - 05/02/2021
SSRF Through PDF Generation Joshua Martinelle (@J0_mart) - SSRF - 05/01/2021
How I found my first RCE? ipanda (@ipanda915) - RCE - 05/01/2021
How I got $400 for my first SSRF bug? Usama Varikkottil (@usama_dev) - SSRF $400 05/01/2021
Password reset code brute-force vulnerability in AWS Cognito Pentagrid (@pentagridsec) Amazon Password reset flaw, Brute force, Rate limiting bypass, Account takeover - 04/30/2021
Facebook account takeover due to unsafe redirects after the OAuth flow Youssef Sammouda (@samm0uda) Meta / Facebook OAuth flaw, Open redirect, Account takeover $28,800 04/30/2021
My first OOB XXE exploitation Joshua Martinelle (@J0_mart) - XXE - 04/30/2021
How I was able to Retrieve your Personal Documents using the Wayback Machine! Savir Suda (@savxiety) - Privacy issue, Information disclosure - 04/30/2021
Exploiting memory corruption vulnerabilities on Android Oversecured (@OversecuredInc) Paypal Memory corruption bug $1,100 04/30/2021
A tale of Html to Pdf converter ssrf and various bypasses Jatin Aesthetic (@techyfreakk) - SSRF - 04/29/2021
De-anonymising Anonymous Animals in Google Workspace David Schütz (@xdavidhu) Google Privacy issue, Information disclosure - 04/29/2021
The False Oracle — Azure Functions Padding Oracle Issue polarply (@polarply) Microsoft Padding Oracle, Privilege escalation - 04/28/2021
How did I earn €€€€ by breaking the back-end logic of the server Dewanand Vishal (@dewcode91) - Logic flaw, Information disclosure - 04/28/2021
Reflected DOM-based XSS on DomaiNesia N45HT DomaiNesia XSS - 04/27/2021
Exploiting XSS via Markdown on Xiaomi N45HT Xiaomi XSS - 04/27/2021
WordPress 5.7 XXE Vulnerability Sonar (@SonarSource) WordPress XXE $600 04/27/2021
Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol Antonio Cocomazzi (@splinter_code) & Andrea Pierini (@decoder_it) Microsoft Local Privilege Escalation - 04/26/2021
Reflected XSS on Microsoft N45HT Microsoft Reflected XSS - 04/25/2021
From Wayback Machine To Account Takeover Demon (@R29k_) - Open redirect, Account takeover $800 04/25/2021
Supply Chain Attacks via GitHub.com Releases Nightwatch Cybersecurity (@nightwatchcyber) GitHub Logic flaw $0 04/25/2021
How I found Cross-Site-Scripting (Reflected) on more than 300 systems! MR SINISTER (@KabirSuda) - Reflected XSS - 04/25/2021
From Wayback Machine To Account Takeover Demon (@R29k_) - Account takeover, Password reset flaw, Open redirect - 04/25/2021
RCE via Internal Access to Adminer Database Management (Critical) Ahmad Halabi (@Ahmad_Halabi_) - RCE - 04/24/2021
AWS internal metadata accessed through SSRF by Chaining an Open Redirect bug Santosh Kumar Sha (@killmongar1996) - SSRF, Open redirect - 04/24/2021
Page Owners Can’t remove or change page roles of deactivated users (or if Attacker blocks the page owner) in Facebook Lite, Facebook for Android and touch.facebook.com Baibhav Anand (@SpongeBhav) Meta / Facebook Logic flaw $525 04/22/2021
Brave — Stealing your cookies remotely Pedro Oliveira (@kanytu) Brave Arbitrary file read $500 04/22/2021
Telegram bug bounties: XSS, privacy issues, official bot exploitation and more… Davide, Andrea & Giuseppe Telegram XSS, Authorization flaw, DoS - 04/22/2021
PrivateDrop: Breaking and Fixing Apple AirDrop Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute & Christian Weinert Apple Privacy issue, Information disclosure - 04/21/2021
New Clubhouse Security Vulnerabilities Could Happen to Any Growing Unicorn Katie Moussouris (@k8em0) Clubhouse Logic flaw - 04/21/2021
Remote code execution in Homebrew by compromising the official Cask repository RyotaK (@ryotkak) Homebrew RCE - 04/21/2021
Got Nice catch by Google Parth Desani (@DesaniParth) Google OAuth flaw, Open redirect, CSRF $0 (Early acquisition) 04/22/2021
How I was able to inject XSS payload into any user’s mailbox Gaurav Popalghat (@N008x) - XSS - 04/21/2021
CVE-2021-30481: Source engine remote code execution via game invites floesen (@floesen_) Valve RCE, Integer underflow $8,000 04/20/2021
Playing With iframes: Bypassing Content-Security-Policy JM Sanchez / 0xEchidonut (@jmrcsnchz) - CSP bypass, Open redirect, HTML injection - 04/20/2021
Auth Bypass in Google Workspace Real Time Collaboration David Schütz (@xdavidhu) Google Authentication bypass, Information disclosure - 04/20/2021
IDOR leads to leaked the likes count even though is hidden by victim | YouTube ($XXXX) R ando (@Rando02355205) Google IDOR, Logic flaw - 04/20/2021
Blind SSRF to Port Scanning through response time Harish - SSRF - 04/19/2021
Unauthorized access to admin setpassword page BY bypassing 403 Forbidden Santosh Kumar Sha (@killmongar1996) - Authorization flaw - 04/18/2021
(POC) Untrim any live video on Facebook Ahmad Talahmeh Meta / Facebook Authorization flaw $2,875 04/18/2021
Exploiting Unrestricted File Upload to achieve Remote Code Execution on a bug bounty program Jadek Mark (@mase289) - Unrestricted file upload, RCE - 04/18/2021
Pwning your assignments: Stored XSS via GraphQL endpoint Kartik Sharma (@dominat0r98) - Stored XSS, GraphQL bug $2,881 04/18/2021
Misconfiguration in Change-password Functionality Leads to Account Takeover Mahmoud Radwan (@0x___2m) & Mahmoud samaha (@0x__2m) - IDOR, Logic flaw, Password reset flaw, Account takeover - 04/18/2021
XSS via Exif Data - The P2 Elevator Jerry Shah (@Jerry) - Stored XSS - 04/18/2021
Discourse themes OS Command Injection joernchen (@joernchen) Discourse RCE, OS command injection - 04/18/2021
(POC) Remove any Facebook’s live video ($14,000 bounty) Ahmad Talahmeh Meta / Facebook Logic flaw $14,000 04/17/2021
Lets Learn English - Hacking 10M+ Users Aseem Shrey (@AseemShrey) - AWS misconfiguration, Insecure Firebase database, OTP bypass, Account takeover, Logic flaw - 04/17/2021
(POC) Update business fyi message as Facebook page analyst Ahmad Talahmeh Meta / Facebook IDOR, GraphQL bug $750 04/17/2021
How I earned $$$$ through Stored XSS Harish - Stored XSS, CSTI $3,205 04/16/2021
Fun sql injection — mod_security bypass Y000 (@Y000) - SQL injection - 04/16/2021
Allow arbitrary URLs, expect arbitrary code execution Fabian Bräunlein & Lukas Euler Nextcloud, Telegram, VLC RCE - 04/15/2021
How I got 9000 USD by hacking into iCloud Alexandre Fernandes (@fernale) Apple XSS $9,000 04/15/2021
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027) CENSUS Facebook (WhatsApp) Man-in-the-Disk - 04/14/2021
Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere Cisco Talos Microsoft RCE - 04/14/2021
Google Photos : Theft of Database & Arbitrary Files Android Vulnerability Rahul Kankrale (@RahulKankrale) Google Improper Export of Android Application Components $1,337 04/13/2021
You Talking To Me? Li JianTao (@cursered) Google RCE, Browser bug $0 (Duplicate) 04/12/2021
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3 Chris Williams (@HawaiiFive0day) Tesla, Google RCE, Browser bug - 04/12/2021
Unauthenticated Account Takeover Through Forget Password Nikhil (niks) (@niksthehacker) - Password reset flaw, Account takeover, Information disclosure - 04/12/2021
Stored XSS on the DuckDuckGo search results page PMOC (@pmofcats) DuckDuckGo Stored XSS - 04/10/2021
Cookie poisoning leads to DoS and Privacy Violation Benjamin Walter CS Money DoS, SSRF $700 04/09/2021
Auth Issues Uranium238 (@uraniumhacker) Google Authentication flaw, Logic flaw - 04/09/2021
(CRITICAL) Blind Storage XSS — My first Bug Bounty 💰 Benjamin Walter CS Money Blind XSS $1,000 04/08/2021
What if you could deposit money into your Betting account for free? Oh wait where has this 25k came from… Mikey (@mikey96_bh) - Logic flaw $10,000 04/07/2021
Chaining a Blind SSRF bug to Get an RCE Santosh Kumar Sha (@killmongar1996) - Blind SSRF, RCE - 04/07/2021
I Built a TV That Plays All of Your Private YouTube Videos David Schütz (@xdavidhu) Google CSRF $6,000 04/05/2021
Apple TV for Fire OS code execution Razvan Sima (@0xraaz) Apple RCE, Insecure storage, Man-in-the-Disk attack - 04/05/2021
Cloud Based Storage Misconfigurations -> Critical Bounties Mikey (@mikey96_bh) - Cloud storage misconfiguration $7,500 04/05/2021
Weird and very easy authentication bypass found with Google dorking GrumpinouT (@RVerwilghen) - Authentication bypass - 04/05/2021
Intro to Open-source Bug Bounty Arjun Shibu (@0xsegf) Mailtrain Directory traversal - 04/05/2021
CSRF in YouTube Leanback API David Schütz (@xdavidhu) Google CSRF - 04/05/2021
Breaking GitHub Private Pages for $35k Robert Chen (@NotDeGhost) & Philip Github XSS, CRLF, Web cache poisoning $35,000 04/04/2021
Remote code execution through unsafe unserialize in PHP Sjoerd Langkemper - Insecure deserialization, RCE - 04/04/2021
Journeys in Quoteless and Multi Reflection XSS Bend Theory (@bendtheory) - XSS $250 04/04/2021
RCE on Starbucks Singapore and more for $5600 Kamil Onur Özkaleli (@ko2sec) Starbucks RCE, Unrestricted file upload $5,600 04/03/2021
Code execution as root via AT commands on the Quectel EG25-G modem nns Quectel OS command injection, RCE $2,000 04/03/2021
Gain write permission of repositories with a bug in GitHub Actions tyage (@tyage) GitHub Broken Access Control, Logic flaw $25,000 04/02/2021
Automate Cache Poisoning Vulnerability - Nuclei Mohamed Elbadry (@_melbadry9) - Web cache poisoning, Stored XSS $1,500 04/02/2021
This Man Thought Opening A TXT File Is Fine, He Thought Wrong. MacOS CVE-2019-8761 Paulos Yibelo (@PaulosYibelo) Apple MacOS bug, HTML injection - 04/02/2021
Bragging Rights: Let’s head back to bug bucket Manas Harsh (@ManasH4rsh) - XSS, IDOR, 2FA bypass $951 04/02/2021
XSS in Large Messenger and Payment App - a Shout Out to Parameter Guessing Lauritz (@lauritz) - XSS, HTML injection - 04/02/2021
Play a game, get Subscribed to my channel - YouTube Clickjacking Bug | #GoogleVRP Sriram Kesavan (@sriramoffcl) Google Clickjacking $100 04/02/2021
Who Contains the Containers? James Forshaw (@tiraniddo) Microsoft Local privilege escalation - 04/01/2021
Facebook account takeover due to a wide platform bug in ajaxpipe responses Youssef Sammouda (@samm0uda) Meta / Facebook Account takeover $30,000 04/01/2021
Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow Youssef Sammouda (@samm0uda) Meta / Facebook Account takeover, OAuth flaw, Open redirect $12,000 04/01/2021
Zero click vulnerability in Apple’s macOS Mail Mikko Kenttälä (@Turmio_) Apple Account takeover, Information disclosure, RCE - 04/01/2021
GKE Autopilot Node Compromise via Race Condition Anthony Weems Google Container escape $1,337 04/01/2021
Download Facebook internal mobile builds Philippe Harewood (@phwd) Meta / Facebook Information disclosure $6,000 03/31/2021
My first Bug report at Facebook 2021 Kent Jarold Abulag (@wkemenhehehegsg) Meta / Facebook Logic flaw, Authorization flaw - 03/31/2021
Missing CORS leads to Complete Account Takeover Niraj Modi (@nirajmodi51) - Missing CORS, CSRF, Account takeover - 03/30/2021
I felt like there were no more bugs left after winning €2,000 … But an email worth €750 changed my mind Thexssrat (@theXSSrat) - Broken Access Control, IDOR €2,750 03/30/2021
A weird XSS gato the wizard - Reflected XSS - 03/30/2021
CSRF to Full Account Takeover Ashraf Harb (@ashrafharb97) - CSRF, Account takeover - 03/29/2021
PHP fopen() function to local file inclusion أنس روبي (@xhzeem) - LFI - 03/28/2021
How I made to Paypal Bug Bounty $750 Pethuraj (@Pethuraj) Paypal Open Redirect $750 03/28/2021
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #1 R ando (@Rando02355205) Google Broken Access Control, IDOR - 03/28/2021
How to bypass CloudFlare bot protection ? jychp (@jychp_fr) CloudFlare Logic flaw $0 03/27/2021
Increasing impact of Information Disclosure — Full Account Takeover ! Abhisek R (@abh1sek_r) - Information disclosure, Password reset flaw $0 (OOS) 03/26/2021
How I was able to see likes and dislikes count even though is hidden by victim | YouTube #2 R ando (@Rando02355205) Google Broken Access Control, IDOR - 03/26/2021
Encrypted Payload -> Decrypted Execution ($600) : Stored XSS Shrirang Diwakar - Stored XSS $600 03/25/2021
PoC: The easiest 125 Euro’s I Ever made Thexssrat (@theXSSrat) - Logic flaw €125 03/25/2021
Exif meta data worth $XXXX Saddam Hussain (@wisdomfreak1) - Information disclosure - 03/25/2021
How I leveraged XSS to make Privilege Escalation to be Super Admin! Asem Eleraky (@melotover) - XSS, Privilege escalation - 03/25/2021
Multiple Authorization bypass issues in Google’s Richmedia Studio Zohar Shachar Google Authorization flaw $6,000 03/24/2021
Bypass rate limit to enumeration users through Google Drive Abdullah Mohamed (@3bodymo_) Google Rate limiting bypass $0 (Won’t fix) 03/24/2021
Finding and exploiting race condition vulnerability on facebook server Dewanand Vishal (@dewcode91) Meta / Facebook Race condition $2,000 03/24/2021
Ad portals and the half blood vulnerability Adam (@whitechaitai) - Logic flaw $600+ 03/23/2021
How I made it to Google HOF? Sudhanshu Rajbhar (@sudhanshur705) Google IDOR $1,000 03/21/2021
Finding My First Critical Vulnerability Thexssrat (@theXSSrat) - Information disclosure $250 03/21/2021
OTP brute-force via rate limit bypass Bilal Muqeet (@blmqt) - Bruteforce, Lack of rate limiting, OTP bypass - 03/21/2021
Cross Site Port Attack - A Stranger’s Call Jerry Shah (@Jerry) - XSPA - 03/21/2021
OAuth Misconfiguration found in small time-window of attack Muhammad Aamir (@Muhammad__Aamir) - OAuth misconfiguration $300 03/20/2021
A short story about an XSS in chat.mozilla.org (CVE-2021-21320) Guilherme Keerok (@k33r0k) Mozilla XSS $500 03/19/2021
How to Harpon Big Blue! Clark Voss (@clark_voss) IBM Logic flaw, Exposed registration page - 03/19/2021
H2C Smuggling in the Wild Sean Yeoh (@seanyeoh) - HTTP request smuggling - 03/18/2021
TikTok for Android 1-Click RCE Sayed Abdelhafiz (@dPhoeniixx) TikTok RCE, XSS, Insecure intents - 03/18/2021
How I hacked Facebook: Part Two Alaa Abdulridha (@alaa0x2) Meta / Facebook SSRF, Account takeover, Cookie manipulation $54,580 03/18/2021
Stealing arbitrary GitHub Actions secrets Teddy Katz (@not_aardvark) GitHub Logic flaw $25,000 03/17/2021
Dangling DNS: Worksites.net Mohamed Elbadry (@_melbadry9) - Dangling DNS records, Subdomain takeover - 03/17/2021
Abusing Data Protection Laws For D0xing & Account Takeovers Hx01 (@Hxzeroone) - SSTI, Account takeover - 03/17/2021
CVE-2021-27076: A Replay-style Deserialization Attack Against Sharepoint Simon Zuckerbraun (@HexKitchen) Microsoft Insecure deserialization, RCE - 03/17/2021
An unknown Linux secret that turned SSRF to OS Command injection secureITmania (@secureitmania) - SSRF, Command injection - 03/17/2021
An Interesting Account Takeover!! Mayank Pandey (@mayank_pandey01) - IDOR, Account takeover, Weak encryption, Password reset flaw - 03/17/2021
Voice Confusion When Commenting On Watch Party Prakash Panta (@prakashpanta268) Meta / Facebook Information disclosure $1,000 03/16/2021
API Misconfiguration which leads to unauthorized access to servicedesk tickets Gaurav Popalghat (@N008x) - Information disclosure - 03/16/2021
De-anonymize the members of a private Facebook Group as a non-member. Baibhav Anand (@SpongeBhav) Meta / Facebook GraphQL bug, Information disclosure $4,500 03/15/2021
Facebook Group Members Disclosure. Baibhav Anand (@SpongeBhav) Meta / Facebook Information disclosure $9,000 03/15/2021
IDOR Vulnerability with empty response still exposing sensitive details of customers! Rahul Varale - IDOR - 03/14/2021
How I Found Sql Injection on 8x8, Cengage, Comodo, Automattic, 20 company Ahmad A Abdulla (@lu3ky13) Automattic, IBM, 8x8 SQL injection - 03/12/2021
Finding keys under the door Naveen Prakaasham K S V Paytm Stored XSS, Unrestricted file upload - 03/12/2021
Account Takeover Via Reset Password Worth 2000$ Ashutosh mishra (@ashutoshmish_ra) - Password reset flaw, Account takeover $2,000 03/12/2021
[Google VRP] How I Get Blind XSS At Google With Dork (First Bounty and HOF ) Rio Mulyadi (@riomulyadi_) Google Blind XSS $3,133.70 03/11/2021
Messing with GitHub’s fork collaboration for fun and profit Teddy Katz (@not_aardvark) GitHub Broken Access Control $30,000 03/10/2021
Business Logic Error on Registration Leads to SMS Validation Bypass pleorqy (@pleorqy) - 2FA bypass - 03/10/2021
Chain of Low Level Bugs and Misconfigurations Leads to Account Takeover pleorqy (@pleorqy) - Reflected XSS, Clickjacking, Account takeover - 03/10/2021
Finding Basic Authtoken in JAVASCRIPT file BY Full Automation Santosh Kumar Sha (@killmongar1996) - Information disclosure - 03/10/2021
Exploiting HTTP Request Smuggling (TE.CL)— XSS to website takeover Kleiton Kurti (@kleiton0x7e) - HTTP request smuggling, XSS - 03/09/2021 Alternative link
Write Up – Google VRP N/A: SSRF Bypass With Quadzero In Google Cloud Monitoring Omar Espino (@omespino) Google SSRF $0 (N/A) 03/08/2021
Dangling DNS: Amazon EC2 IPs (Current State) Mohamed Elbadry (@_melbadry9) 8x8 Dangling DNS records, Subdomain takeover - 03/08/2021
Stored XSS in Google Ads Android Application— $3133.70 Ashish Dhone (@ashketchum_16) Google Stored XSS, HTML injection $3,133.70 03/07/2021
Finding Hidden Login Endpoint Exposing Secret Client ID Ahmad Halabi (@Ahmad_Halabi_) - Information disclosure $700 03/07/2021
Exploiting a hidden and forgotten Bug Aditya Verma (@0cirius0) - SSRF - 03/07/2021
The easiest $2500 I got it from bug bounty program Abdullah Mohamed (@3bodymo_) Uber Information disclosure $2,500 03/06/2021
GKE Autopilot Node Compromise via SSH Metadata Anthony Weems Google Container escape $1,337 03/05/2021
GKE Autopilot Node Compromise via startup-script Anthony Weems Google Container escape $1,337 03/05/2021
Leveraging Template injection to takeover an account. Akash Methani (@0xAkash) - CSTI, XSS - 03/04/2021
Low hanging fruits on Facebook Group Room. Unable to remove post on group when post room add with event ($500) Randy Arios Meta / Facebook Logic flaw $500 03/04/2021
Stored XSS at Trello.com Maor Dayan (@mord1234) Trello Stored XSS - 03/04/2021
Content Injection (RCE) in Yandex Browser for Android [2018] Nightwatch Cybersecurity (@nightwatchcyber) Yandex MiTM $0 03/03/2021
The Invincible Kid Samip Aryal Meta / Facebook Logic flaw $500 03/03/2021
How I Might Have Hacked Any Microsoft Account Laxman Muthiyah (@laxmanmuthiyah) Microsoft Account takeover, Password reset flaw, Bruteforce, 2FA bypass $50,000 03/02/2021
Microsoft Edge Browser For IOS - Address Bar Spoofing Vulnerability Rafay Baloch (@rafaybaloch) Microsoft Address Bar Spoofing - 03/02/2021
GKE Autopilot Node Compromise via local-storage PersistentVolume Anthony Weems Google Container escape $1,337 03/01/2021
Exploiting CORS to perform an IDOR Attack leading to PII Information Disclosure Harsh Parekh (@notmarshmllow) - CORS misconfiguration, Information disclosure - 03/01/2021
Secret Key Exposure in API Config Directory Ahmad Halabi (@Ahmad_Halabi_) - Information disclosure $800 03/01/2021
Join Facebook Group With Unpublish Page gevakun Meta / Facebook Authorization flaw - 03/01/2021
RocketChat - Unauthenticated access to messages Rojan Rijal (@uraniumhacker) RocketChat Authorization flaw N/A (VDP) 03/01/2021
SSRF to fetch AWS credentials with full access to multiple services Zonduhackerone (@zonduu1) - SSRF - 02/28/2021
Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape Alex Chapman (@ajxchapman) - RCE - 02/28/2021
Admin Panel Accessed Via SQL Injection… (Ezy Boooom…😅) Ratnadip Gajbhiye (@scspcommunity) - SQL injection - 02/28/2021
Bragging Rights: Killing File Uploads softly Manas Harsh (@ManasH4rsh) - Unrestricted file upload, Stored XSS - 02/28/2021
Jira Auth Bypass bug in Google Acquisition (Apigee) Jayateertha Guruprasad (@JayateerthaG) Google Authentication bypass - 02/28/2021
Somebody Call The Plumber, GraphQL is Leaking Again… N0ur5 - Information disclosure, GraphQL bug - 02/28/2021
Any Account Takeover Through Privilege Escalation Shubham Chaskar (@chaskar_shubham) - Privilege escalation, Account takeover - 02/28/2021
Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554) champtar Kubernetes MiTM $1,000 02/28/2021
Host MITM attack via IPv6 rogue router advertisements (K8S CVE-2020-10749 / Docker CVE-2020-13401 / LXD / WSL2 / …) champtar Kubernetes MiTM $1,000 02/28/2021
Story About Stop 10000+ users to get Their job notification PJBorah - Logic flaw - 02/27/2021
Somebody Call The Plumber, GraphQL is Leaking Again… N0ur5 - Information disclosure, GraphQL bug $2,000 02/27/2021
IDOR which allowed me to view Personal Email Addresses of More than 50K Users! Savir Suda (@savxiety) - IDOR, Password reset flaw - 02/26/2021
SSRF: Bypassing hostname restrictions with fuzzing Dominic (@dee__see) Elastic SSRF - 02/26/2021
Account Takeover - Smoking with ‘null’ Jerry Shah (@Jerry) - Account takeover, Authentication flaw - 02/26/2021
Stealing user passwords through a VPN’s SSO Alain Mowat (@plopz0r) - Open redirect, SSTI - 02/25/2021
Poisoning your Cache for 1000$ - Approach to Exploitation Walkthrough Gal Nagli (@naglinagli) - Web cache poisoning, Stored XSS $1,000 02/25/2021
Hijacking Reset Password Link in https://www.niteflirt.com/ via Host Header Poising (Write Up) Evan Ricafort (@evanricafort) Niteflirt Host header injection, Account takeover, Password reset flaw $50 02/25/2021
CSRF through URL with # tag parameter Tommysuriel - CSRF $100 02/25/2021
CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux John Jackson (@johnjhacking) Keybase Unencrypted storage $1,000 02/22/2021
Grafana Admin Panel bypass in Google Acquisition(VirusTotal) Jayateertha Guruprasad (@JayateerthaG) Google Default credentials - 02/22/2021
Let’s know How I have explored the buried secrets in Xamarin application secureITmania (@secureitmania) - Hardcoded API keys, Information disclosure - 02/21/2021
RCE On A Laravel Private Program Yasho (@YShahinzadeh) - RCE - 02/20/2021
Is Math.random() Safe? from missing rate limit to bypass 2fa and possible sqli Yasser Mohammed (@boomneroli) - Race condition, Lack of rate-limiting, OTP bypass, SQL injection - 02/20/2021
Account Takeover via Response Manipulation worth 1800$.. Ashutosh mishra (@ashutoshmish_ra) - Authentication bypass, OTP bypass, Account takeover $1,800 02/20/2021
Build Pipeline Security xssfox (@xssfox) Amazon RCE - 02/18/2021
Account Take Over by Response Manipulation Naveen J (@thevillagehackr) - Authentication bypass, Account takeover - 02/17/2021
Expose information about Partner accounts in Partner portal Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, GraphQL bug $3,600 02/17/2021
Expose Facebook object type (including private objects) Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, Logic flaw $500 02/17/2021
Ability to find Facebook employee’s test accounts which lead to the disclosure of internal information. Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, GraphQL bug $500 02/17/2021
Disclose internal CMS objects content Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, Authorization flaw $500 02/17/2021
Confirm if an invitation is sent to a specific email in Partners Portal / Possibility to resend the invitation Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, GraphQL bug $500 02/17/2021
XSS in Facebook CDN due to improper filtering of uploaded files extensions Youssef Sammouda (@samm0uda) Meta / Facebook XSS $500 02/17/2021
Enumerate internal cached URLs which lead to data exposure Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, Caching issue $4,800 02/17/2021
Make recruiting referrals on behalf of employees Youssef Sammouda (@samm0uda) Meta / Facebook Authorization flaw, GraphQL bug $3,000 02/17/2021
Leaking Facebook user information to external websites / Setting some cookies values Youssef Sammouda (@samm0uda) Meta / Facebook GraphQL bug, Logic flaw, Information disclosure $2,000 02/17/2021
Access private information about SparkAR effect owners who has a publicly viewable portfolio Youssef Sammouda (@samm0uda) Meta / Facebook Authorization flaw, Information disclosure, GraphQL bug $1,500 02/17/2021
Open redirect in Instagram.com Youssef Sammouda (@samm0uda) Meta / Facebook Open redirect $500 02/17/2021
Story of a very lethal IDOR. Vedant Tekale (@_justYnot) - XSS, IDOR, Account takeover N/A (VDP) 02/17/2021
From AWS S3 Misconfiguration to Sensitive Data Exposure Jadek Mark (@mase289) - AWS misconfiguration - 02/17/2021
Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) Imre Rad (@ImreRad) Google Configuration file injection, RCE - 02/16/2021
Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) Imre Rad (@ImreRad) Google RCE - 02/16/2021
Hunting for bugs in Telegram’s animated stickers remote attack surface polict (@polict_) Telegram Memory corruption bug, DoS - 02/16/2021
I Own your Cloud Shell: Taking over “Azure Cloud Shell” Kubernetes Cluster Through Unsecured Kubelet API 30,000$ Bounty Chen Cohen (@chencococococo) Microsoft Privilege escalation, RCE $30,000 02/15/2021
Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. Youssef Sammouda (@samm0uda) Meta / Facebook Authorization flaw, Logic flaw $12,500 02/15/2021
Full account takeover worth $1000 Think out of the box Mohsin Khan (@tabaahi_) - Account takeover, CSRF, IDOR $1,000 02/15/2021
Delete linked payments accounts of a Facebook page (or user) Youssef Sammouda (@samm0uda) Meta / Facebook Authorization flaw, Logic flaw $1,000 02/15/2021
URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs. Youssef Sammouda (@samm0uda) Meta / Facebook Logic flaw $500 02/15/2021
Leak of internal categorySets names and employees test accounts. Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure $500 02/15/2021
View orders and financial reports lists for any page shop Youssef Sammouda (@samm0uda) Meta / Facebook Information disclosure, Authorization flaw $500 02/15/2021
Header manipulation to get the premier feature for free Saddam Hussain (@wisdomfreak1) - Logic flaw - 02/14/2021
Stored XSS in icloud.com — $5000 Vishal Bharad - Stored XSS $5,000 02/14/2021
My first bounty (stored-xss) Karan sharma (@karansh491) - Stored XSS $1,000 02/14/2021
IDOR via Websockets allow me to takeover any users account Mohsin Khan (@tabaahi_) - IDOR $450 02/14/2021
How I Hacked Everyone’s Resume/CV’s and Got €€€ Vishal Bharad - IDOR, Authorization flaw, Information disclosure $250 02/14/2021
Changing other users Episode title & description - IDOR Vulnerability in [REDACTED] (Write Up) Evan Ricafort (@evanricafort) - IDOR $1,150 02/13/2021
[GITLAB] — Server Side Request Forgery in “Project Import” page. Lyubomir Tsirkov Gitlab SSRF $1,500 02/13/2021
[GITLAB] — Just another SSRF issue. Lyubomir Tsirkov GitLab SSRF $1,000 02/13/2021
OAuth Misconfiguration Leads to Full Account takeover Yasser Mohammed (@boomneroli) - OAuth flaw, Clickjacking, CSRF, Account takeover - 02/13/2021
[GITLAB] — Just another SSRF issue. Lyubomir Tsirkov GitLab SSRF $1,000 02/12/2021
How I was able to get extra coins Saddam Hussain (@wisdomfreak1) - Logic flaw, Android app bug - 02/12/2021
Leaked Credentials gives access to internalfb.com Philippe Harewood (@phwd) Meta / Facebook Information disclosure $6,000 02/11/2021
Hacking Chess.com and Accessing 50 Million Customer Records Sam Curry (@samwcyo) Chess.com Reflected XSS, Information disclosure, Account takeover - 02/11/2021
The “P” in Telegram stands for Privacy Dhiraj (@RandomDhiraj) Telegram Privacy issue $3,000 02/11/2021
Escalating reflected XSS with HTTP Smuggling Hazana (@hazanasec) - HTTP request smuggling, Reflected XSS - 02/11/2021
Fastest Subdomain Take Over & DNS Misconfiguration Hunt. Kabeer (@iTheKabeer) - Subdomain takeover, DNS zone transfer - 02/10/2021
Sending ephemeral message to any Facebook user Rahul Kankrale (@RahulKankrale) Meta / Facebook IDOR - 02/10/2021
A Tale of 2nd $xxx Bounty from Facebook Kunjan Nayak Meta / Facebook Logic flaw $500 02/10/2021
Self-XSS to rXSS via Uploaded File Name P4nda (@InfoSecP4nda) - Self-XSS, Reflected XSS - 02/09/2021
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies Alex Birsan Paypal, Shopify, Apple, Netflix, Yelp, Uber, Microsoft & more! Dependency confusion $130,000+ 02/09/2021
Abusing URI Parsers for fun and profit Mohammad Owais (@_mohammadowais) - URL validation bypass $500 02/08/2021
Duplicate Registration - The Twinning Twins Jerry Shah (@Jerry) - Account takeover, Authentication flaw - 02/08/2021
Bigbasket Bug Bounty Writeup Lohith Gowda M (@lohi_gowda_) - Insecure Local Storage - 02/08/2021
Reflected XSS on a Public Program Naveen J (@thevillagehackr) - Reflected XSS - 02/08/2021
How I Gain Access to the Server Administration of a Million-Dollar Company Marx Chryz Del Mundo - Privilege escalation, Mass assignment $5,000 02/06/2021
Escalating SSRF to RCE Sander Wind (@SanderWind) - SSRF, RCE - 02/06/2021
XXE To AWS Metadata Disclosure Al-Madjus (@AlMadjus) - XXE $2,000 02/04/2021
Facebook Messenger Desktop App Arbitrary File Read Renwa (@RenwaX23) Meta / Facebook Arbitrary file read $2,000 02/04/2021
Page Admin Disclosed In Groups Due To Improper Session Handling In Facebook Web Samip Aryal Meta / Facebook Information disclosure - 02/04/2021
Redwood Report2Web XSS and Frame injection vict0ni (@vict0ni) - Reflected XSS, Frame injection - 02/04/2021
Bug bounty failure stories to learn from: how we ended up to hack a bank with no reward Red Timmy Security (@redtimmysec) - DoS, Default credentials - 02/04/2021
Open Redirect vulnerability found using link parameter Muhammad Aamir (@Muhammad__Aamir) - Open redirect $100 02/04/2021
Microsoft Remote Desktop Web Access Authentication Timing Attack Matt Dunn Microsoft Timing attack, Authentication flaw - 02/04/2021
How I was able to Turn a XSS into a Account Takeover Josh Fam (@Pullerze) - Web cache poisoning, Stored XSS, Account takeover, OAuth flaw, Logic flaw - 02/03/2021
CVE-2020-9759 - Getting root on webOS Andreas Lindh (@addelindh) LG Local Privilege escalation, Browser bug - 02/03/2021
Spoofing and Attacking With Skype mr.d0x (@mrd0x) Microsoft Spoofing - 02/02/2021
Stealing Chat session ID with CORS and execute CSRF attack Sunil Yedla (@sunilyedla2) - CSRF, CORS misconfiguration - 02/02/2021
Applying Offensive Reverse Engineering to Facebook Gameroom Eugene Lim (@spaceraccoonsec) Meta / Facebook Insecure deserialization - 02/02/2021
1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group nhiephon (@_nhiephon) Meta / Facebook Information disclosure - 02/02/2021
Access developer tasks list of any Facebook Application (GraphQL IDOR) Amine Aboud (@amineaboud) Meta / Facebook IDOR - 02/01/2021
Disclose the FB profile of Facebook employees who create official announcement messages (Bug Bounty) Amine Aboud (@amineaboud) Meta / Facebook Information disclosure - 02/01/2021
An Account Takeover Vulnerability Due to Response Manipulation. Avanish Pathak (@avanish46) - Authentication bypass, Account takeover $4,100 01/31/2021
An unexpected bug Nitin yadav (@Nitinydv14) - Bruteforce - 01/31/2021
An Interesting Account Takeover Vulnerability Avanish Pathak (@avanish46) - IDOR, Account takeover - 01/30/2021
Android apk leaks access token to takeover the whole infrastructure Santosh Kumar Sha (@killmongar1996) - Information disclosure, Hardcoded credentials - 01/30/2021
How I chained P4 To P2 [Open Redirection To Full Account Takeover] Bishal Shrestha (@bishal0x01) - Open redirect, Account takeover - 01/30/2021
Broken Access Control & Stored XSS - Easy Hunt Kabeer (@iTheKabeer) - Stored XSS, IDOR - 01/29/2021
Destroying Armies and Villages through Cross-Site Scripting - Bug Bounty Write-up Fábio Freitas (@0xfabiof) InnoGames Stored XSS $1,000 01/29/2021
Cors Blimey: The power of chaining CORS Hazana (@hazanasec) - CORS misconfiguration, Stored XSS, CSRF - 01/28/2021
Launching Internal & Non-Exported Deeplinks On Facebook Ashley King (@AshleyKingUK) & Rahul Kankrale (@RahulKankrale) Meta / Facebook CSRF $4,000 01/28/2021
Analysing Crash Messages To Achieve Blind Root Command Injection Shawar Khan (@ShawarkOFFICIAL) - Command injection - 01/28/2021
Remote Code Execution – LimeSurvey (CVE-2018-7556) yeuchimse (@yeuchimse) - RCE - 01/28/2021
OTP Bypass Account Takeover to Admin Panel — Ft. Header Injection Avinash Jain (@logicbomb_1) - OTP bypass, Account takeover - 01/28/2021
Business Logic Error Methodology (easy way) + PoC-s Vuk Ivanovic - Logic flaw - 01/28/2021
How We Escaped Docker in Azure Functions Intezer Microsoft Privilege escalation - 01/27/2021
Weird functionality leads to Account Takeover (Millions of Users affected) Sahil Mehra (@nullr3x) - Account takeover, Authentication flaw $4,000 01/27/2021
Bragging Rights(Part 1): Short story of a bug wave Manas Harsh (@ManasH4rsh) - IDOR, Stored XSS, SSRF, Subdomain takeover, Hardcoded credentials $1,550 01/27/2021
Hijacking Google Drive Files (Documents, Photo & Video) Through Google Docs Sharing santuySec (@santuySec) Google Clickjacking $0 (Duplicate) 01/27/2021
$500 For No Rate Limit On Forgot Password Page BBHC (@community_bug) - Lack of rate-limiting, Password reset flaw $500 01/27/2021
Finding SSRF BY Full Automation Santosh Kumar Sha (@killmongar1996) - SSRF - 01/27/2021
BMW Bug Bounty – Account Verification Bypass writeup Pethuraj (@Pethuraj) BMW OTP bypass, Bruteforce, Lack of rate-limiting - 01/26/2021
Leaking issues from linked Jira – Atlassian Confluence Server yeuchimse (@yeuchimse) Atlassian XS-Search $600 01/25/2021
Get paid by smuggling, the legal way James Ling (@James_puppykok) - HTTP Request Smuggling - 01/25/2021
Chaining a self XSS to Account Takeover Arman Sameer (@ArmanSameer95) - Self XSS, Reflected XSS, Account takeover - 01/25/2021
IDOR Revealing Images CDN Links susan wagle - IDOR - 01/25/2021
Bypassing WAF with incorrect proxy settings for Hunting Bugs. Shaurya Sharma (@ShauryaSharma05) - URL validation bypass - 01/25/2021
Sql Injection via hidden parameter Rutvik Hajare (@HajareRutvik) - SQL injection - 01/24/2021
$10,000 for automatic email confirmation bug in Microsoft’s Edge browser Karan Chaudhary (@0xKaran) Microsoft Logic flaw $10,000 01/23/2021
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps CaptainFreak (@0xCaptainFreak) - Local File Read, RCE - 01/23/2021
CSRF Protection Bypass in Atlassian Confluence Server yeuchimse (@yeuchimse) Atlassian CSRF $3,600 01/22/2021
Page Admin Disclosure When Replying Comments Prakash Panta (@prakashpanta268) Meta / Facebook Information disclosure $500 01/22/2021
Staff Information Disclosure on Support Ticketing System ($x,xxx) Ph.Hitachi - Information disclosure - 01/22/2021
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card Yogev Bar-On Amazon RCE $18,000 01/21/2021
Story Behind Sweet SSRF. Rohit Soni (@streetofhacker) - SSRF, XSS - 01/21/2021
SSRF Exploitation in Libreoffice Spreadsheet File Converter R4id3n (@R4id3n__) - SSRF - 01/21/2021
[Bug Bounty] 600$ Info Disclosure: obtain any user’s backup data Tommaso De Ponti - Information disclosure, IDOR - 01/19/2021
Open-redirect [in email] Akhil - Open redirect - 01/19/2021
Simple & Sweet: Bypass email update restriction to change emails of team members Sunil Yedla (@sunilyedla2) - Logic flaw, Authorization flaw - 01/19/2021
The Embedded YouTube Player Told Me What You Were Watching (and more) David Schütz (@xdavidhu) Google Information disclosure $1,337 01/18/2021
How I was rewarded a $1000 bounty after abusing File Upload functionality to Stored XSS Vulnerability leading to credential theft of a vistor in a website. Kunal Khubchandani (@iamkun4l) - Unrestricted file upload, Stored XSS $1,000 01/18/2021
Let’s know How I have explored the buried secrets in React Native application secureITmania (@secureitmania) - Information disclosure, Hardcoded credentials - 01/18/2021
ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792 Ashley King (@AshleyKingUK) Apple, Google Insecure deeplink, Information disclosure $0 01/17/2021
Strange Admin Panel Bypass Story | | Bug Bounty Ranjeet Kumar Singh (@geekboyranjeet) - Authentication bypass, Account takeover - 01/17/2021
My first and last crit of 2020 on Hackerone Takester (@dhiraj_ramteke) - Lack of rate-limiting, Bruteforce, IDOR, Password reset flaw, Account takeover - 01/16/2021
Finding 0day to hack Apple Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob) Apple RCE $50,000 01/16/2021
Weaponizing Apify for mass bug bounty $$$ Randy Gingeleski (@gingeleski) - Akamai ARL attack - 01/16/2021
Hacking naked Akamai ARL at scale Randy Gingeleski (@gingeleski) - Akamai ARL attack - 01/15/2021
BitLocker Lockscreen bypass Jonas L (@jonasLyk) Microsoft Lockscreen bypass, Local privilege escalation - 01/15/2021
Attack of the clones 2: Git CLI remote code execution strikes back Vitor Fernandes (@Rapt00rVF) GitHub RCE - 01/15/2021
How I hijacked the top-level domain of a sovereign state Fredrik N. Almroth (@Almroot) Internet Bug Bounty Domain takeover - 01/15/2021
Insertion Of Malicious Links For Execution In Profile Picture - Unvalidated User Input In MS Sharepoint 2019 (CVE-2020-1456) David (@slashcrypto) & user_x73x76x6E Microsoft XSS - 01/15/2021
Irremovable Facebook group album photos and entire album under certain circumstances (Bounty: 1000 USD) Shubham Bhamare (@theshubh77) Meta / Facebook Logic flaw $1,000 01/14/2021
Tale of 2 TOOTB Bugs: Google and WhatsApp Circle Ninja (@circleninja) Google, Meta / Facebook Information disclosure, Logic flaw $0 01/14/2021
How I managed to trigger a Stored-XSS in an online store with the help of Cache Poisoning Schizo! - Web cache poisoning, Stored XSS N/A (VDP) 01/14/2021
Story of a really cool SSRF bug. Vedant Tekale (@_justYnot) - SSRF - 01/13/2021
Making Clouds Rain :: Remote Code Execution in Microsoft Office 365 Steven Seeley (@steventseeley) Microsoft RCE - 01/12/2021
Stealing User Information Via XSS Via Parameter Pollution Hamza Avvan (@hamzaavvan) - Open redirect, XSS $1,250 01/12/2021
CSRF with IDOR - A Deadly Combo Jerry Shah (@Jerry) - CSRF, IDOR - 01/12/2021
Unrestricted File Upload Binamra Pandey - Unrestricted file upload - 12/12/2021
Guest Blog Post: Leaking silhouettes of cross-origin images Aleksejs Popovs (@aleksejspopovs) Mozilla, Chrome Side-channel information leakage, Browser bug - 01/11/2021
Stealing Your Private YouTube Videos, One Frame at a Time David Schütz (@xdavidhu) Google IDOR $5,000 01/11/2021
UNEP Breached, 100K+ Employee Records Accessed Jackson Henry (@JacksonHHax), John Jackson (@johnjhacking), Nick Sahler (@nicksahler) & Aubrey Cottle United Nations Information disclosure N/A (VDP) 01/11/2021
Weblogic Remote Code Execution (Exploiting CVE-2019-2725) Mahmoud Gamal (@Zombiehelp54) - RCE - 01/10/2021
Unauthorized Access to OData Entities + $2K Bounty From Microsoft Borna Nematzadeh (@LogicalHunter) Microsoft Authorization flaw, Information disclosure $2,000 01/10/2021
How I was able to Regain access to account deleted by Admin leading to $$$ Rajesh Ranjan (@rajesh_ranjan) - Logic flaw, Authorization flaw - 01/10/2021
A ‘Novel’ Way to Bypass Executable Signature Checks with Electron Parsia Hackerman (@cryptogangsta) - Local privilege escalation - 01/08/2021
Create post on any Facebook page Pouya Darabi (@Pouyadarabi) Meta / Facebook IDOR $30,000 01/08/2021
Exploiting Application-Level Profile Semantics (APLS) Niemand (@niemand_sec) - APLS misconfiguration, API misconfiguration - 01/08/2021
Blind XSS in Google Analytics Admin Panel — $3133.70 Ashish Dhone Google Blind XSS $3,133.70 01/08/2021
Information Disclosure through Signup Endpoint Sunil Yedla (@sunilyedla2) - Information disclosure - 01/08/2021
Facebook: Linkshim protection bypass using fb://webview Rahul Kankrale (@RahulKankrale) Meta / Facebook Open redirect - 01/08/2021
$10,000 for a vulnerability that doesn’t exist Valeriy Shevchenko (@Krevetk0Valeriy) - Path traversal $10,500 01/07/2021
Github Organization Takeover By Claiming Owner Invitation Abss (@absshax) GitHub Account takeover, Logic flaw $5,000 01/07/2021
Stored XSS on Product Description [HIGH] — $400 Emanuel Beni Harijanto - Stored XSS $400 01/07/2021
Subdomain Take Over Worth 100£ c0d3x27 (@c0d3x27) - Subdomain takeover £100 01/07/2021
Finding bugs on Chess.com Seqrity (@seqrity9) Chess.com Lack of rate limiting, Bruteforce, CSRF $180 01/07/2021
Nick’s infrequently updated blog Nick Booher Cloudflare WAF bypass, IP spoofing - 01/06/2021
Achieving Remote Code Execution By Exploiting Variable Check Feature Shawar Khan (@ShawarkOFFICIAL) - RCE - 01/06/2021
Incident Response during Christmas TMO - Subdomain takeover - 01/05/2021
Each and every request make sense… Akshar Tank - Privilege escalation, Exposed JWT generation endpoint - 01/05/2021
Privilege Escalation: From being a normal user to admin Akshar Tank - Privilege escalation, Broken access control - 01/05/2021
Exploiting Max. Character Limitation Sunil Yedla (@sunilyedla2) - Logic flaw, DoS $400 01/05/2021
Patch. Bypass. Repeat: Story of a FaceBook Page Admin Disclosure bug worth $5000 Shubham Bhamare (@theshubh77) Meta / Facebook Information disclosure $5,000 01/04/2021
Expose the email address of Workplace users Youssef Sammouda (@samm0uda) Meta / Facebook IDOR, Information disclosure $5,000 01/03/2021
XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers Youssef Sammouda (@samm0uda) Meta / Facebook XSS, Account takeover $30,000 01/01/2021
API based IDOR to leaking Private IP address of 6000 businesses Rafi Ahamed (Leonidas D. Ace) - IDOR - 01/01/2021

Bug bounty writeups published in 2020

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it Youssef Sammouda (@samm0uda) Meta / Facebook Account takeover, Parameter pollution $21,000 12/31/2020
Facebook bug bounty (500 USD) : A blocked fundraiser organizer would be unable to view or remove themselves from the fundraiser. Vivek ps (@vivekps143) Meta / Facebook DoS, Logic flaw $500 12/31/2020
Cross Domain Referrer Leakage Mohsinalibukc - Cross-Domain Referrer Leakage $300 12/31/2020
Replying Comments On Someone’s Livestream From Page Is Posted As Personal Identity Prakash Panta (@prakashpanta268) Meta / Facebook Information disclosure $500 12/30/2020
Group Admin Can’t Able To Moderate Comments When Posted Through Page : Facebook Bug Bounty 2020 Prakash Panta (@prakashpanta268) Meta / Facebook Logic flaw - 12/30/2020
Event Creator Is Not Able To Block The Attacker During Event Livestream Prakash Panta (@prakashpanta268) Meta / Facebook Logic flaw $0 (Informative) 12/30/2020
Cache-Key Normalization - What could go wrong? youstin (@iustinBB) - Web cache poisoning, DoS - 12/29/2020
Sensitive data leak using IDOR in integration service Ronak Patel (@ronak_9889) - IDOR - 12/29/2020
Facebook page admin disclosure by “Create doc” button (Bounty: 5000 USD) Shubham Bhamare (@theshubh77) Meta / Facebook Information disclosure $5,000 12/28/2020
How I Got My First Bounty & Hof From Google (CSRF Lead To Account Delete) Bhupendra Rajbhar (@bhupendra1238) Google CSRF - 12/28/2020
[Google VRP] Hijacking Google Docs Screenshots Sreeram KL (@kl_sree) Google PostMessage bug, XSS - 12/27/2020
Regular expression injection, a code review low hanging fruit Dominic (@dee__see) - ReDoS - 12/27/2020
Chaining CORS by Reflected xss to Account takeover #My first Blog Santosh Kumar Sha (@killmongar1996) - CORS misconfiguration, Reflected XSS, Account takeover - 12/26/2020
Facebook page admin disclosure by “Message Seller” button (Bounty: 1500 USD) Shubham Bhamare (@theshubh77) Meta / Facebook Information disclosure $1,500 12/26/2020
Full Address Bar Spoofing On Opera Mini Android Piyush Raj ~ Rex (@0x48piraj) Opera, Google Address Bar Spoofing - 12/26/2020
EN | Account Takeover via Web Cache Poisoning based Reflected XSS Lütfü Mert Ceylan (@lutfumertceylan) - Reflected XSS, Web cache poisoning, Account takeover - 12/26/2020
Hiding from custom story privacy list is possible in FBlite making the victim unable to remove you from the list. Baibhav Anand (@SpongeBhav) Meta / Facebook Logic flaw $500 12/24/2020
Supply Chain Pollution: Hunting a 16 Million Download/Week npm Package Vulnerability for a CTF Challenge Eugene Lim (@spaceraccoonsec) Node.js third-party modules Prototype pollution - 12/23/2020
Cookie Tossing to RCE on Google Cloud JupyterLab s1r1us (@S1r1u5_) Google Self-XSS, DoS, CSRF, RCE $3,133.70 12/23/2020
Hack crypto secrets from heap memory to exploit Android application secureITmania (@secureitmania) - Cryptographic issues - 12/22/2020
SSTI in Google Maps s1r1us (@S1r1u5_) Google SSTI $0 (Informative) 12/22/2020
This is how I was able to view anyone’s private email and birthday on Instagram Saugat Pokharel (@saugatpk5) Meta / Facebook Information disclosure, Logic flaw $13,125 12/20/2020
Facebook bug Bounty -Finding the hidden members of the private events. Vivek ps (@vivekps143) Meta / Facebook Information disclosure, Logic flaw $1,000 12/20/2020
Worth $1,500 IDOR (Access Unauthorize Data) Muhammad Asim Shahzad (@protector47) - IDOR $1,500 12/20/2020
Write Up: Google VRP N/A – Sandboxed Rce As Root On Apigee API Proxies Omar Espino (@omespino) Google RCE $0 (N/A) 12/19/2020
Broken Access Control on samsung.com subdomain leads to Mass Account Takeover of Samsung employees application accounts Gal Nagli (@naglinagli) Samsung Information disclosure, Account takeover, Authorization flaw $0 (OOS) 12/18/2020
Misconfigured s3 bucket leads to Sensitive Data exposure(No super controls ) Virdoexhunter - AWS misconfiguration $400 12/18/2020
My Bug Bounty Journey and My First Critical Bug — Time Based Blind SQL Injection Marx Chryz - SQL injection $3,500 12/17/2020
Github Secrets exposed due to RCE in Formatter Action from pull_request_target event Anthony Weems Google RCE $500 12/17/2020
How I hacked IBM and got full access on many services? Abdullah Mohamed (@3bodymo_) IBM Information disclosure - 12/16/2020
JavaScript analysis leading to Admin portal access Rikesh Baniya / NotRickyy (@rikeshbaniya) - Authorization flaw, Broken access control - 12/16/2020
TikTok Careers Portal Account Takeover Lauritz (@lauritz) TikTok CSRF, Open redirect, Account takeover $2,373 12/15/2020
Download Filename Manipulation due to improper rendering of RTLO characters Jayateertha Guruprasad (@JayateerthaG) - RTLO - 12/15/2020
Disclosing the members of private Facebook Group as a non-member. Baibhav Anand (@SpongeBhav) Meta / Facebook Authorization flaw, Logic flaw $4,500 12/15/2020
Confirm an email address belonging to a specific user abdellah yaala (@yaalaab) Meta / Facebook Information disclosure $5,000 12/12/2020
How I hacked Facebook: Part One Alaa Abdulridha (@alaa0x2) Meta / Facebook Lack of authentication, Authentication bypass, Account takeover $7,500 12/11/2020
How i got my First Bug Bounty in Intersting Target (LFI to SXSS) Ph.Hitachi - LFI, Stored XSS $250 12/11/2020
How I dumped PII information of customers in an ecommerce site? Rikesh Baniya / NotRickyy (@rikeshbaniya) - AWS misconfiguration - 12/11/2020
Exploiting new-era of Request forgery on mobile applications Sayed Abdelhafiz (@dPhoeniixx) Pinterest CSRF, Account takeover - 12/11/2020
Hiding from a custom list is possible on who sees our post is possible making victim not remove them from the list. Baibhav Anand (@SpongeBhav) Meta / Facebook Logic flaw $500 12/11/2020
Game On – Finding vulnerabilities in Valve’s “Steam Sockets” Eyal Itkin (@EyalItkin) Valve Memory corruption bug - 12/10/2020
Content-Security-Policy Bypass to perform XSS using MIME sniffing Kleiton Kurti (@kleiton0x7e) - XSS, CSP bypass - 12/10/2020
Hacking — Tamper with the URL Parameters, especially if they modify the page Jack - HTTP Parameter Pollution - 12/09/2020
Facebook leak referrer data Neilmark Ochea (@nmochea) Meta / Facebook Open redirect - 12/08/2020
How I Was Able To Take Over One Of Dell’s Subdomains Taha Bıyıklı (@tahabykl) Dell Subdomain takeover - 12/08/2020
Facebook push notification linkshim bypassed Neilmark Ochea (@nmochea) Meta / Facebook Open redirect - 12/07/2020
“Important, Spoofing” - zero-click, wormable, cross-platform remote code execution in Microsoft Teams Oskars Vegeris Microsoft RCE, Stored XSS, CSP bypass, CSTI - 12/07/2020
Story of the best vulnerability I’ve found so far… Vedant Tekale (@_justYnot) - Self-XSS, Blind XSS, Account takeover - 12/07/2020
[CVE-2019-17674 & CVE-2020-11025] Stored XSS through navigation menu item edited in Customizer in Wordpress (Write Up) Evan Ricafort (@evanricafort) WordPress Stored XSS $600 12/06/2020
RCE via LFI Log Poisoning - The Death Potion Jerry Shah (@Jerry) - RCE, LFI, Log poisoning N/A (VDP) 12/06/2020
How Redirects work on Facebook? Technical breakdown Abhisek R (@abh1sek_r) Meta / Facebook Open redirect $0 12/06/2020
Opera Browser Cross Site Scripting (XSS) Neilmark Ochea (@nmochea) Opera XSS - 12/05/2020
$10000 Facebook SSRF (Bug Bounty) Amine Aboud (@amineaboud) Meta / Facebook SSRF $10,000 12/03/2020
Leaking Credit card Activity in logs? Yes Sir! Rody Shahnazarian (@Komradz86) - Information disclosure $800 12/03/2020
Cross Site Scripting (XSS) Reflected in one of the subdomains of “General Motors”(Bugbounty) - General Motors Reflected XSS N/A (VDP) 12/03/2020
Site Wide CSRF On Glassdoor Tabahi (@_tabahi) Glassdoor CSRF $3,000 12/03/2020
Leaking Browser URL/Protocol Handlers Tabahi (@_tabahi) Google, Microsoft, Mozilla Information disclosure $0 (Informative) 12/03/2020
SSTI to Local File Read Demon (@R29k_) - SSTI, LFI - 12/02/2020
Hacking — Always check out the Images Jack GitLab Information disclosure $500 12/02/2020
An iOS zero-click radio proximity exploit odyssey Ian Beer (@i41nbeer) Apple Buffer overflow - 12/01/2020
Chaining vulnerabilities lead to account takeover Ahmed (@ahzsec) - Account takeover, Password reset flaw, Open redirect, Lack of rate limiting $0 (Duplicate) 12/01/2020
Exploiting Blind Postgresql Injection And Exfiltrating Data In Psycopg2 Shawar Khan (@ShawarkOFFICIAL) - SQL injection $3,000 11/30/2020
AliExpress Captcha Reuse Unicorn Security AliExpress Captcha bypass - 11/30/2020
Chaining Multiple Requests to Achieve Rate Limiting Vulnerabilities Ahmad Halabi (@Ahmad_Halabi_) - Rate limiting bypass $1,000 11/29/2020
Bcrypt — Account TakeOver Due To Weak Encryption — #HR51KDB DarkLotus (@darklotuskdb) - Information disclosure, Account takeover - 11/29/2020
The Story of my first critical bug Shellbr3ak (@0xShellbr3ak) - SQL injection - 11/29/2020
How i got easy $$$ for SQL Injection Bug Rafi Andhika Galuh - SQL injection - 11/26/2020
Pre-Account Takeover using OAuth Misconfiguration the_unluck_guy (@7he_unlucky_guy) - OAuth flaw $800 11/26/2020
How images on Github will leak your private information fuomag9 (@fuomag9) GitHub Information disclosure $0 (Informative) 11/24/2020
Reflected Cross Site Scripting on REDACTED Program (Bounty: 750$) can1337 (@canmustdie) - Reflected XSS $750 11/23/2020
Fixing a Google Vulnerability I (@InsecureNature) & Allison Donovan (@matter_of_cat) Google Privilege escalation - 11/22/2020
Escalating XSS to Account Takeover Aditya Verma (@0cirius0) - Reflected XSS, Account takeover - 11/22/2020
Weird (im)possible XSS on error page Rody Shahnazarian (@Komradz86) - Reflected XSS - 11/21/2020
2 Reflected XSS In Razer Mostafa Razer Reflected XSS - 11/21/2020
Turning Blind Error Based SQL Injection into Exploitable Boolean One Ozgur Alp (@ozgur_bbh) - SQL injection - 11/21/2020
Exploiting dynamic rendering engines to take control of web apps Vasilii Ermilov (@ermil0v) - SSRF, Open redirect $5,000 11/19/2020
Bypassing the Redirect filters with 7 ways ElMahdi Mrhassel (@ElMrhassel) - Open redirect, OAuth flaw - 11/19/2020
Arbitrary File Write On Client By ADB Pull Serafina (Sera) Tonin Brocious (@daeken) Google Arbitrary file write $0 11/19/2020
Out of Band XXE in an E-commerce IOS app Gaurang Bhatnagar (@0xgaurang) - XXE - 11/19/2020
GraphQL IDOR in Facebook streamer dashboard. Kailash (@Corrupted_brain) Meta / Facebook IDOR, GraphQL bug $2,000 11/18/2020
Server Side Misconfigurartion - A Funny Fix Jerry Shah (@Jerry) Basecamp Information disclosure $100 11/18/2020
Tale of 3 vulnerabilities to account takeover! Avinash Jain (@logicbomb_1) - SSRF, Account takeover - 11/17/2020
Firefox: How a website could steal all your cookies Pedro Oliveira (@kanytu) Mozilla Arbitrary file read $5,000 11/16/2020
Stealing User’s PII info by visiting API endpoint directly Kunal pandey (@kunalp94) - Information disclosure, Logic flaw $500 11/16/2020
RCE via Server-Side Template Injection Gaurav Mishra (@gmishra010) - SSTI, RCE - 11/15/2020
Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data YoKo Kho (@YokoAcc) - Information disclosure, Broken access control, IDOR, SQL injection $4,750 11/15/2020
Microsoft Bug Bounty Writeup – Stored XSS Vulnerability Pethuraj (@Pethuraj) Microsoft Stored XSS - 11/15/2020
Weak Cryptography to Account Takeover’s letmeslidein (@VasuYadaav) - Cryptographic issues, Account takeover, IDOR - 11/15/2020
Exploiting API with AuthToken Rafi Ahamed (Leonidas D. Ace) - Token leak, Information disclosure - 11/15/2020
Account takeover through password reset Omar Hamdy (@seaman00o) - Account takeover, Password reset flaw $2,000 11/14/2020
Theoretically Possible To Practical Account Takeover Mukul Lohar (@ironfisto) - IDOR, Account takeover - 11/14/2020
Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity Prakash Panta (@Prakashpanta268) Meta / Facebook Logic flaw $500 11/13/2020
Smuggling an (Un)exploitable XSS Julien Ahrens (@MrTuxracer) - HTTP Request Smuggling, XSS - 11/13/2020
How I Found The Facebook Messenger Leaking Access Token Of Million Users Guhan Raja (@havocgwen) Meta / Facebook Information disclosure $16,125 11/13/2020
Interesting case of SQLi Nik srivastava (@niksthehacker) - SQL injection $3,000 11/13/2020
Commenting on a post by opening it via page’s news-feed goes from a wrong actor (i.e. admin’s personal account) Samip Aryal Meta / Facebook Information disclosure $500 11/13/2020
User’s private watched videos/saved videos exposed through a messenger call from a locked smartphone. Samip Aryal Meta / Facebook Information disclosure, Authorization flaw $500 11/13/2020
Evading Filters to perform the Arbitrary URL Redirection Attack Harsh Bothra (@harshbothra_) - Open redirect - 11/12/2020
Bounty $1000 — Critical Business Logic Flaw leads to Account Takeover & Product Order Amount Manipulation Muhammad Asim Shahzad (@protector47) - Logic flaw, Account takeover, Price tampering $1,000 11/12/2020
Evernote: Universal-XSS, theft of all cookies from all sites, and more Oversecured (@OversecuredInc) Evernote UXSS - 11/12/2020
Local Privilege Escalation Vulnerability Discovered in VMware Fusion Rich Mirch (@0xm1rch) VMware Local Privilege Escalation - 11/11/2020
31k$ SSRF in Google Cloud Monitoring led to metadata exposure David Nechuta (@david_nechuta) Google SSRF $31,337 11/10/2020
SSRF (Server Side Request Forgery) worth $4,913 | My Highest Bounty Ever ! Sayaan Alam (@ehsayaan) Dropbox SSRF $4,913 11/10/2020
Chaining password reset link poisoning, IDOR, and information leakage to achieve account takeover at api.redacted.com Jadek Mark (@mase289) - HTTP header injection $0 (Duplicate) 11/10/2020
Firefox for Android: LAN-Based Intent Triggering initstring (@init_string) Mozilla Insecure intents - 11/10/2020
Facebook iOS address bar spoofing Rahul Kankrale (@RahulKankrale) Meta / Facebook Address Bar Spoofing $1,500 11/10/2020
How i could take over any Account on a USA Department of Defense Website due to a simple IDOR Gal Nagli (@naglinagli) U.S. Dept Of Defense IDOR, Account takeover - 11/07/2020
Facebook DOM Based XSS using postMessage Samm0uda (@samm0uda) Meta / Facebook DOM XSS, postMessage bug $25,000 11/07/2020
Attack of the clones: Git clients remote code execution Vitor Fernandes (@Rapt00rVF) & Julio Fort GitHub RCE $0 (Duplicate) 11/06/2020
Story of a Pre-Account Takeover Kushal Dhakal (@dhakal0kushal) - Account takeover, OAuth flaw - 11/06/2020
1000$ for Open redirect via unknown technique [BugBounty writeup] ruvlol GitLab Open redirect $1,000 11/05/2020
How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day sickcodes (@sickcodes) Brave Software Information disclosure $100 11/05/2020
Delete Any Photos In Facebook Lokesh Kumar (@lokeshdlk77) Meta / Facebook Authorization flaw, Logic flaw $10,750 11/04/2020
From a 500 error to Django admin takeover Shashank (@cyberboyIndia) - Authorization bypass, Account takeover $3,000 11/03/2020
Forcing for a bounty$$ Rafi Ahamed (Leonidas D. Ace) - Authorization flaw $500 11/03/2020
Reveal the page admin that uploaded a video on the page in comment section Lokesh Kumar (@lokeshdlk77) Meta / Facebook Information disclosure, Logic flaw $4,838 11/02/2020
CVE-2020-13294 Lauritz (@lauritz) - Authentication flaw, OpenID Connect vulnerability - 11/01/2020
Subdomain Takeover in Azure: making a PoC Diego Bernal Adelantado (@secfaults) - Subdomain takeover - 11/01/2020
Leaked .git folder leads to RCE James Clee (@jtcsec) - .git folder disclosure, RCE - 11/01/2020
CVE-2020-13294 Lauritz (@lauritz) GitLab OAuth misconfiguration $0 (Duplicate) 11/01/2020
An often overlooked Oauth misconfiguration. & Payload VipItHunter (@VipItHunter1) - OAuth misconfiguration - 11/01/2020
How i got 7000$ in Bug-Bounty for my Critical Finding. Kishan Kumar / Noobie BoY (@hst_kishan) - Information disclosure $7,000 10/31/2020
Abusing ‘Report Abuse’ Aseem Shrey (@AseemShrey) - Logic flaw, Authorization flaw $200 10/31/2020
Beyond the wall: command injection still alive. Ahmed Constant (@a_Constant_) - Command injection - 10/31/2020
Hinge Hackerone Writeup Tyler Butler (@tbutler0x90) Hinge Broken access control - 10/31/2020
Ability To Backdoor Facebook For Android Ashley King (@AshleyKingUK) Meta / Facebook Insecure deeplink - 10/30/2020
Wormable remote code execution in Alien Swarm mev Valve RCE - 10/30/2020
Rate Limit Bypassing Allowing Identity Spoofing Mohamed Talaat (@T4144t) - Rate limiting bypass, OTP bypass - 10/29/2020
Manual broken link monitoring GrumpinouT (@RVerwilghen) - Broken link hijacking - 10/29/2020
Story of an interesting bug. Vedant Tekale (@_justYnot) - Lack of rate limiting, DoS - 10/28/2020
Error-Based SQL Injection on a WordPress website and extract more than 150k user details Ynoof Alassiri - SQL injection - 10/27/2020
Automating xss identification with Dalfox & Paramspider Paras Arora (@parasarora06) - Reflected XSS - 10/27/2020
The YouTube bug that allowed unlisted uploads to any channel Ryan Kovatch Google IDOR, Information disclosure $6,337 10/27/2020
How i got 250$ in 5 munites using my phone telaviv_h4x0r Basecamp HTML injection $250 10/26/2020
TikTok fixes privacy issue discovered by Check Point Research Eran Vaknin & Alon Boxiner TikTok Information disclosure - 10/26/2020
Link Previews: How a Simple Feature Can Have Privacy and Security Risks Talal Haj Bakry (@parasarora06) & Tommy Mysk Discord, Meta / Facebook, Google, LINE, LinkedIn, Slack, Twitter, Zoom Information disclosure - 10/25/2020
Perform substring search for emails even if Workplace admin hides email profile field. Rahul Kankrale (@RahulKankrale) Meta / Facebook Broken access control, Authorization flaw $1,000 10/25/2020
My first bug on Google Manas Harsh (@ManasH4rsh) Google IDOR - 10/25/2020
Accidental Observation to Critical IDOR Harsh Bothra (@harshbothra_) - IDOR - 10/24/2020
Samsung S20 - RCE via Samsung Galaxy Store App F-Secure Samsung RCE $0 10/23/2020
300$ P3 Easy Bug in 30 Seconds Omar Hamdy (@seaman00o) - Lack of authentication, Broken access control $300 10/22/2020
Perform substring search for emails even if Workplace admin hides email profile field. Rahul Kankrale (@RahulKankrale) Meta / Facebook Authorization flaw $2,000 10/21/2020
Facebook Page Admin Disclosure Rahul Kankrale (@RahulKankrale) Meta / Facebook Information disclosure $3,000 10/21/2020
GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty William Bowling / vakzz (@wcbowling) GitHub RCE, Path traversal $25,000 10/20/2020
Back to 2019: Disclosure Employers PII and Credentials Saneklarek (@wh11tew0lf) - Information disclosure $1,000 10/20/2020
Multiple Address Bar Spoofing Vulnerabilities In Mobile Browsers Rafay Baloch (@rafaybaloch) Yandex, Apple, Opera Address Bar Spoofing - 10/20/2020
GitHub Gist - Account takeover via open redirect - $10,000 Bounty William Bowling / vakzz (@wcbowling) GitHub Open redirect, Account takeover $10,000 10/19/2020
GitHub - RCE via git option injection (almost) - $20,000 Bounty William Bowling / vakzz (@wcbowling) GitHub RCE $20,000 10/18/2020
Discord Desktop app RCE Masato Kinugawa (@kinugawamasato) Discord RCE $5,000 10/17/2020
Weaponizing XSS For Fun & Profit Saad Ahmed (@XSaadAhmedX) - XSS, CSRF $2,200 10/14/2020
I had fun with this XSS yappare (@yappare) - XSS - 10/13/2020
Blind SSRF - The Hide & Seek Game Shrey Shah (@ShreySh43332033) - Blind SSRF $400 10/13/2020
How I find my first P1 level Bug. $$$ Harsh - XSS - 10/13/2020
Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account Mustafa Ahmed (@mustafa0x2021) Meta / Facebook Information disclosure $500 10/12/2020
Guest Blog Post: Rollback Attack Xiaoyin Liu (@general_nfs) Mozilla Local Privilege Escalation - 10/12/2020
Unauthorized access to all the user’s account. Rahul Naidu - Account takeover, Authentication bypass, JWT misconfiguration - 10/12/2020
Leveraging XSS to Read Internal Files Aditya Dixit (@zombie007o) - XSS, LFI - 10/09/2020
JS is l0ve ❤️. Shivam Kamboj Dattana (@sechunt3r) - Information disclosure, API key leakage $5,000 10/09/2020
Weak Password Setting function on practo.com dark-haxor Practo Authorization flaw $0 (Won’t fix) 10/09/2020
CVE-2018–5230 | JIRA Cross Site Scripting Paras Arora (@parasarora06) - Reflected XSS - 10/09/2020
Exploiting Admin Panel Like a Boss Shivam Kamboj Dattana (@sechunt3r) - Authorization bypass, Weak credentials $1,500 10/08/2020
ATO via Host Header Poisoning Shivam Kamboj Dattana (@sechunt3r) - Host header injection, Account takeover, Password reset flaw $2,000 10/08/2020
Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure Intezer Microsoft Privilege escalation, RCE - 10/08/2020
SVE-2020-18025: Unauthorised access to Samsung secure folder files Rahul Kankrale (@RahulKankrale) Samsung Authorization flaw $3,750 10/07/2020
Research: The mass CSRFing of .google.com/ products. Missoum Said (@missoum1307) Google CSRF $30,000 10/07/2020
6k$ Worth Account Takeover via IDOR in Starbucks Singapore Kamil Onur Özkaleli (@ko2sec) Starbucks IDOR, Account takeover $6,000 10/07/2020
Sensitive Info Leak in Curve App [Bug Bounty] ΡRΛSΞUDΟ ® (@praseudo) Curve Information disclosure $1,500 10/07/2020
Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program McAfee Advanced Threat Research (ATR) Microsoft Local privilege escalation, RCE, Security Feature bypass $160,000 10/06/2020
90 days, 16 bugs, and an Azure Sphere Challenge Cisco Talos Microsoft Local privilege escalation, RCE, DoS, Information disclosure - 10/06/2020
Watch your requests! Open redirect to a complete account takeover Suraj Disoja (@ninetyn1ne_) - Path traversal, Open redirect, SSRF, Account takeover - 10/05/2020
Easy wins : verbose error worth Facebook HOF Mukul Lohar (@ironfisto) Meta / Facebook Information disclosure $500 10/05/2020
Leveraging LFI to RCE in a website with +20000 users Kleiton Kurti (@kleiton0x7e) - LFI, RCE - 10/04/2020
Spend more time doing recon, you’ll find more BUGS. Vedant Tekale (@_justYnot) - Reflected XSS, Information disclosure - 10/03/2020
Exploiting Payment Gateways letmeslidein (@VasuYadaav) - Payment tampering - 10/03/2020
Journey Of My First Bug Bounty (Nov 2018) Harsh Tyagi (@harshtya9i) Samsung Authentication bypass $200 10/02/2020
Arbitrary code execution on Facebook for Android through download feature Sayed Abdelhafiz (@dPhoeniixx) Meta / Facebook Arbitrary code execution $10,000 10/02/2020
The Powerful HTTP Request Smuggling 💪 Ricardo Iramar dos Santos (@ricardo_iramar) - HTTP Request Smuggling $17,050 10/01/2020
Write Up – Google Bug Bounty: XSS To Cloud Shell Instance Takeover (Rce As Root) – $5,000 USD Omar Espino (@omespino) Google XSS, RCE $5,000 10/01/2020
Story of a weird vulnerability I found on Facebook Amine Aboud (@amineaboud) Meta / Facebook Authentication bypass, Information disclosure - 09/30/2020
The Art of IDOR: 7 IDORs in Edm0d0 Pratyush Anjan Sarangi Edmodo IDOR - 09/29/2020
Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts Thomas Orlita (@ThomasOrlita) Google GCP bucket misconfiguration, Information disclosure - 09/29/2020
Taking down the SSO, Account Takeover in the Websites of Kolesa due to Insecure JSONP Call Yasho (@YShahinzadeh) - Account takeover - 09/28/2020
P1: Critical - Discovering and Foiling a Threat Actor Jackson Henry (@JacksonHHax) & John Jackson (@johnjhacking) - Information disclosure $1,550 09/27/2020
5 Ways to do Account Takeover in a Single Website letmeslidein (@VasuYadaav) - Account takeover, OAuth misconfiguration, Lack of rate limiting, OTP bypass, IDOR, JWT misconfiguration - 09/27/2020
Chains on Chains: Chaining multiple low-level vulns into a Critical. Daniel Marte (@Masonhck3571) - Blind XSS, CSP bypass, Lack of rate limiting, Exposed JWT generation endpoint - 09/26/2020
Hacking the Medium partner program Mohammad-Ali Bandzar Medium Logic flaw - 09/26/2020
Parameter Tampering ₹→$ SuneetSingh - Parameter tampering - 09/26/2020
Advisory: security issues in AWS KMS and AWS Encryption SDKs Thai Duong (@XorNinja) Amazon Cryptographic issues, Information disclosure - 09/25/2020
PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover Pradeep Kumar (@Killer007p) - IDOR, Information disclosure - 09/25/2020
Dangling DNS: AWS EC2 Mohamed Elbadry (@_melbadry9) - Dangling DNS records, Subdomain takeover $2,900 09/24/2020
VMware Workstation: Attack surface through Virtual Printer Lê Hữu Quang Linh (@linhlhq) VMware Memory corruption bug, Integer overflow - 09/23/2020
#Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$ ganiganesh (@ganiganeshss79) - IDOR, Information disclosure $800 09/22/2020
Fun with Header and Forget Password Vuk Ivanovic - HTTP Header Injection - 09/22/2020
🎯Business Logic Flaw in Google Acquisition! (Hall Of Fame)🎯 Ritesh Gohil (@RiteshG37659480) Google Logic flaw - 09/21/2020
suPHP - The vulnerable ghost in your shell Maxime (@punkeel) & (@swapgs) - Local privilege escalation - 09/21/2020
Unauthenticated File upload Vulnerability on Synology Sub-domain Touhid Shaikh Synology Unrestricted file upload $2,000 09/20/2020
How I earned $500 from Google - Flaw in Authentication Hemant Patidar (@HemantSolo) Google Authentication flaw $500 09/20/2020
$25K Instagram Almost XSS Filter Link — Facebook Bug Bounty Andres Alonso (@al0nnso) Meta / Facebook Stored XSS $25,000 09/20/2020
How I By-pass the login page and 2FA authentication….. Harsh - Authentication bypass, OTP bypass, 2FA bypass - 09/20/2020
Cross-tenant Cloud Function compromise via storage bucket squatting Anthony Weems Google Cross-tenant vulnerability $3,133.70 09/20/2020
Remote code execution in import image task via storage bucket squatting Anthony Weems Google RCE $3,133.70 09/19/2020
Emoji error handling shesha sai_c (@Cyb3r_4ss4s1n) - SQL injection - 09/19/2020
CVE-2020-9964 - An iOS infoleak Muirey03 (@Muirey03) Apple Memory initialisation issue - 09/19/2020
Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty (512$) — CVE-2020–15149 Muhammed Eren Uygun (@erenuyguun) NodeBB IDOR, Account takeover $512 09/19/2020
Reflected XSS via a hidden parameter on Dutch Gov. website Supras (@LdrTom) Dutch Government Reflected XSS N/A (VDP) 09/19/2020
My First Bug Bounty From Bug Bounty Platform redstorm.io Novan Aziz Ramadhan (@novan_rmd) RedStorm CSRF - 09/17/2020
Dropbox Escalation of Privileges to SYSTEM on Windows Teresa Alberto Dropbox Local privilege escalation $0 (Duplicate) 09/17/2020
Res-block: Extension Resources Block Attack on Chrome’s Incognito Mode Piyush Raj (@0x48piraj) Google Browser bug - 09/16/2020
Exploiting a “Useless” Cookie-Based XSS and Making it Useful Daniel Thatcher - XSS - 09/16/2020
How I Accidentally Got My First Bounty From Facebook Bishal Shrestha (@bishal0x01) Meta / Facebook Logic flaw - 09/15/2020
Firefox for Android: LAN Based Intent Triggering initstring (@init_string) Mozilla Insecure intents - 09/15/2020
Account takeover by OTP bypass Bhavarth Kandoria - OTP bypass - 09/13/2020
Business logic vulnerabilities — Low-level logic flaw Harry D - Logic flaw - 09/13/2020
SQL Injection & Remote Code Execution - Double P1 Shrey Shah (@ShreySh43332033) - SQL injection, RCE N/A (VDP) 09/13/2020
How I hacked redbus [An online bus-ticketing application] Sangeetha Rajesh S (@rajesh_sangi12) redBus LFI, SSRF - 09/12/2020
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM Orange Tsai (@orange_8361) Meta / Facebook RCE, JNDI Injection - 09/12/2020
Universal XSS in Android WebView (CVE-2020-6506) Alesandro Ortiz (@AlesandroOrtizR) Google, Microsoft, Twitter UXSS $15,560+ 09/10/2020
Unintended Behaviour of domain got me P4 Takester (@dhiraj_ramteke) - Logic flaw - 09/10/2020
How often do we overlook vulnerabilities? Baibhav Anand (@SpongeBhav) Hackerone Information disclosure - 09/09/2020
How often do we overlook vulnerabilities? Baibhav Anand (@SpongeBhav) HackerOne IDOR, Information disclosure - 09/09/2020
CVE-2020-8150 – Remote Code Execution as SYSTEM/root via Backblaze Jason Geffner (@JasonGeffner) Backblaze RCE, Elevation of Privilege - 09/09/2020
XSS->Fix->Bypass: 10000$ bounty in Google Maps Zohar Shachar Google XSS $10,000 09/07/2020
From Android Static Analysis to RCE on Prod Aditya Dixit (@zombie007o) - RCE, Directory listing, Lack of authentication - 09/07/2020
My first bug in google and how i got CSRF token for victim account rather than bypass it ($1337)! Oday Alhalbe Google CSRF $1,337 09/07/2020
How response Manipulation got me a little, but sweet Bounty Tommaso De Ponti (@heytdep) - 2FA bypass - 09/07/2020
Never Give Up, The Story Behind a Dupe-To-Triaged Alan Brian (@soyelmago) - XSS, OAuth flaw, Account takeover - 09/06/2020
XSS that can pay your Bills :) Smile Hacker (@smile_hacker) - Reflected XSS €500 09/05/2020
How_i_was_able_to_pawned_website_via_escilating_webcache deception to rce mohit (@mohit29295572) - Web cache deception, SSRF, RCE - 09/05/2020 Archived page
Account Takeover via IDOR Roma Ramazanoff (@r0hack) - IDOR, Account takeover $25,000 09/04/2020
Denial of Service in the protection service provided by Avast Security Premium. Silton Santos Avast DoS - 09/01/2020
Stop scratching the surface, and hack the dependencies Rotem Reiss (@rotem_reiss) - Stored XSS - 08/31/2020
Page shops with a hidden Product in “Featured product section” which could be controlled by attacker (Ex Editor). Rohit kumar (@rohitcoder) Meta / Facebook Logic flaw $0 (Informative) 08/31/2020
Unhiding the hidden I am Broot - Client-side enforcement of server-side security, Authorization flaw, CSRF $530 08/30/2020
The Importance of keeping up to date, or how I found an interesting bug thanks to a tweet Vuk Ivanovic - Stored XSS - 08/29/2020
Oversecured automatically discovers persistent code execution in the Google Play Core Library Oversecured Google Arbitrary code execution in Android app - 08/28/2020
My Hacking Adventures With Safari Reader Mode Nikhil Mittal (@c0d3G33k) Apple CSP bypass, SOP bypass - 08/27/2020
Accessing the website directly through its IP address, a case of a poorly hidden sql injection Vuk Ivanovic - SQL injection - 08/27/2020
Delete IDOR on a Fashion eCommerce Website Amey Anekar (@ameyanekar) - IDOR - 08/26/2020
Auth bypass: Leaking Google Cloud service accounts and projects Ezequiel Pereira (@epereiralopez) Google Authentication bypass - 08/26/2020
Bug Bounty Failsx101[4] ArcherL (@realArcherL) - 2FA bypass $0 (Informative) 08/26/2020
Waze: How I Tracked Your Mother Peter Gasper (@malgregator) Google (Waze) Logic flaw, Information disclosure $1,337 08/25/2020
Stealing local files using Safari Web Share API Pawel Wylecial (@h0wlu) Apple Browser bug $0 08/24/2020
Account Takeover For The Win 🏆 Ricardo Iramar dos Santos (@ricardo_iramar) - Account takeover, Authentication flaw, Password reset flaw $2,225 08/24/2020
$$ Bounties for Unauthenticated file read in Cisco ASA CVE-2020–3452 Supun Halangoda (@halangoda_supun) - LFI - 08/23/2020
How I was able to find easy P1 just by doing Recon Kirtan Patel (@kirtanpatel9111) - LFI - 08/22/2020
The Short tale of two bugs on Google Cloud Product— Google VRP [Resolved] Sriram Kesavan (@sriramoffcl) Google IDOR, Privilege escalation - 08/22/2020
Upload to the future Vuk Ivanovic - IDOR - 08/22/2020
How I Found My First Bug Stored Xss and Earned My First Bounty 1000$ Nazmul Haque (@0xnazmul) Badoo Stored XSS $1,000 08/21/2020
(Shopify.com) Blind Stored XSS Via Staff Name Rio Mulyadi (@riomulyadi_) Shopify Stored XSS $0 (Out of scope) 08/19/2020
The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer Allison Husain (@ezhes_) Google Email spoofing $0 (Out of scope) 08/19/2020
A perfect duplicate or how to send an email with a spoofed invoice’s content Mateusz Olejarka (@molejarka) - Email spoofing, Open mail relay, Lack of authentication $0 (Duplicate) 08/19/2020
Django debug mode to RCE in Microsoft acquisition Syed Abuthahir (@writerabu) Microsoft Information disclosure, RCE - 08/19/2020
Escalating a GitHub leak to takeover entire organization Shashank (@cyberboyIndia) - Information disclosure $4,000 08/18/2020
Fun with header and forget password, with a twist: Vuk Ivanovic - Password reset flaw, Host header injection - 08/18/2020
How to contact Google SRE: Dropping a shell in cloud SQL [email protected] (@wtm_offensi) & Ezequiel Pereira (@epereiralopez) Google SQL injection, Privilege escalation, Parameter injection, RCE - 08/18/2020
How could I Tag Photo to any user’s Scrapbook on Facebook Raja Sudhakar (@Rajasudhakar) Meta / Facebook Authorization flaw - 08/18/2020
From SQL Injection to Hall Of Fame Jadek Mark (@mase289) - SQL injection N/A (VDP) 08/18/2020
Windows AppX Deployment Service Local Privilege Escalation (CVE-2020-1488 ACTIVELabs Microsoft Local privilege escalation - 08/18/2020
Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties Abss (@absshax) Google, [Undisclosed programs] Hardcoded API keys, Information disclosure $30,000+ 08/17/2020
Account Takeover Using Re-Register [ Bug Bounty ] Myo Min Thu (@myominthu1337) - Account takeover $2,048 08/17/2020
Stealing your data using XSS Viren Pawar (@VirenPawar_) - XSS - 08/17/2020
Witnet Network Bug Bounty: DOS Bug from Harsh Jain Harsh Jain Witnet DoS - 08/17/2020
InfluxDB Access at redact.8x8.com Myo Min Thu (@myominthu1337) 8x8 Lack of authentication - 08/16/2020
How I got 450$ just in one Google search (SQLi + RXSS)? Zhenwar Hawlery - XSS, SQL injection $450 08/16/2020
Disclosing wifi password via content provider injection in Xiaomi Vishwaraj Bhattrai (@vishwaraj101) Xiaomi Content provider injection, Vulnerable Android content provider - 08/16/2020
How I was able to send Authentic Emails as others — Google VRP [Resolved] Sriram Kesavan (@sriramoffcl) Google Logic flaw, HTML injection, Email spoofing, Open mail relay - 08/15/2020
How recon helped me to find an interesting bug… Vedant Tekale (@_justYnot) - Open redirect N/A (VDP) 08/15/2020
Open Sesame: Escalating Open Redirect to RCE with Electron Code Review Eugene Lim (@spaceraccoonsec) - Open redirect, RCE - 08/14/2020
Crowdsource Success Story: From an Out-of-Scope Open Redirect to CVE-2020-1323 Ozgur Alp (@ozgur_bbh) Microsoft Open redirect - 08/14/2020
Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020 Saugat Pokharel (@saugatpk5) Meta / Facebook Logic flaw, Privacy issue $6,000 08/14/2020
Improper Implementation of My Status video time limit in WhatsApp Vishal Ranjan Meta / Facebook Logic flaw, Privacy issue $0 08/14/2020
False2True, Match and Replace bug hunting — A cautionary tale Vuk Ivanovic - Privilege escalation - 08/14/2020
From Copy&Paste XSS To Full Account Takeover! be1807v (@BE1807V) - CSRF, Account takeover, XSS - 08/13/2020
Leaking AWS Metadata - The Unusual Way Shubham Garg (@nullb0t) - Information disclosure, RCE - 08/13/2020
Journey to my First Bug Hunt Bala Praneeth (@Begin_hunt) - CSRF $900 08/13/2020
Blind OS Command Injection Ashik B - Command injection - 08/12/2020
Cache poisoning of wget Vuk Ivanovic - Web cache poisoning $0 08/12/2020
Cracking the 2FA Rushikesh Gaikwad (@rsg_1212) - 2FA bypass - 08/12/2020
How I made $2000 with URL REDIRECTION? Simran Singh - Open redirect, SQL injection $2,000 08/12/2020
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon! Paolo Stagno (@Void_Sec) Microsoft Local privilege escalation - 08/11/2020
How I was able to find page/personal account disclosure on Instagram Ajay Gautam (@evilboyajay) Meta / Facebook Information disclosure $2,000 08/11/2020
Group Admin Can’t Able to Moderate Comments When Posted Through Page : Facebook Bug Bounty 2020 Prakash Panta (@Prakashpanta268) Meta / Facebook Logic flaw - 08/11/2020
CVE-2020-11518: how I bruteforced my way into your Active Directory Pieter Hiele (@honoki) - RCE, Insecure deserialization, Arbitrary file upload, Bruteforce - 08/10/2020
CSP Bypass Vulnerability in Google Chrome Discovered - Almost Every Website In The World Was At Risk Gal Weizman (@WeizmanGal) Google CSP bypass $3,000 08/10/2020
My 2nd 4digit Bug Bounty From Facebook Sudip Shah Meta / Facebook Logic flaw, Information disclosure - 08/10/2020
Bypassing 403 Michael Hyndman (@michaelhyndman) - Authentication bypass - 08/09/2020
Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom Mazin Ahmed (@mazen160) Zoom Information disclosure, RCE, Memory leak $0 08/08/2020
Bypassing Google Maps API Key Restrictions Aditya Dixit (@zombie007o) Google Logic flaw $0 08/08/2020
Bug Hunting with Param Miner: Cache poisoning with XSS, a peculiar case Vuk Ivanovic - XSS, Web cache poisoning - 08/08/2020
Reflected XSS in Facebook’s mirror websites Sudhanshu Rajbhar (@sudhanshur705) Meta / Facebook Reflected XSS $500 08/08/2020
The feature works as intended, but what’s in the source? Zseano (@zseano) - Information disclosure - 08/08/2020
How Our Co-Founder Earned $10.6K in just 10 Hours Tensecure Systems - Information disclosure $10,600 08/07/2020
Exploiting JWT - Lack of Signature Verification Aditya Dixit (@zombie007o) - Account takeover - 08/07/2020
Smear phishing: a new Android vulnerability Jim Fisher (@MrJamesFisher) Google Smear phishing $0 08/06/2020
Reflected XSS at fotoservice.hema.nl Jonathan Bouman (@JonathanBouman) Hema Reflected XSS, Open redirect - 08/06/2020
Blind SQL Injection at fasteditor.hema.com Jonathan Bouman (@JonathanBouman) Hema SQL injection - 08/06/2020
Stored XSS on Slack, Bug Bounty Tommysuriel Slack Stored XSS $4,875 08/06/2020
Apache Example Servlet leads to Debangshu Kundu (@debangshu_kundu) - Clickjacking - 08/06/2020
CSRF PoC mistake that broke crucial functions for the end user/victim Vuk Ivanovic - Logic flaw - 08/05/2020
I want all these features Mohamed Ayad - Logic flaw, Payment tampering - 08/05/2020
How I was able to do Mass Account Takeover[Bug Bounty] Not Rickyy (@RickyyNot) - Password reset flaw - 08/05/2020
Vulnerability in new TouchID feature put iCloud accounts at risk of being breached Thijs Alkemade (@xnyhps) Apple OAuth flaw, Account takeover - 08/03/2020
Rare Race Condition — P3 Mohammed Ehssan (@alone_Wwolf) - Race condition $0 (Duplicate) 08/03/2020
Account takeover in cups.mail.ru kminthein / weev3 (@kyawminthein99) Mail.ru Logic flaw, Password reset flaw, Account takeover $1,500 08/03/2020
Banning users Race condition Saddam Hussain (@wisdomfreak1) - Race condition - 08/02/2020
Multi-factor Auth Bypass with Password Reset Function Vaibhav Joshi (@vj0shii) - 2FA bypass, Password reset flaw, Account takeover - 08/02/2020
Refocusing in bug hunting, Bonus: An interestingly simple to test CSRF bypass Vuk Ivanovic - CSRF - 08/01/2020
CVE-2020-13379 Unauthenticated Full-Read SSRF in Grafana Justin Gardner (@Rhynorater) - SSRF, Open redirect - 08/01/2020
CVE-2020–9854: “Unauthd” - (three) logic bugs ftw! Ilias Morad (@A2nkF_) Apple Local Privilege Escalation, Logic flaw - 08/01/2020
Unauthd - Logic bugs FTW Ilias Morad (@A2nkF_) Apple Logic flaws - 07/31/2020
Bypassing OTP via reset password Ahmed Cj (@0x0Cj) - OTP bypass - 07/30/2020
Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code Zseano (@zseano) - Information disclosure - 07/30/2020
New features means new bugs Zseano (@zseano) - Logic flaw, Authorization flaw, Payment bypass - 07/30/2020
Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook Ashok Chapagai (@ashokcpg) Meta / Facebook Logic flaw - 07/30/2020
Exploiting Business Logic — Wallet Money Keshav Malik (@g0t_rOoT_) - Payment tampering, Logic flaw - 07/30/2020
One Click to Compromise – Fun With ClickOnce Deployment Manifests Dave Cossa (@G0ldenGunSec) Microsoft NTLMv2 hash disclosure, One-click execution of arbitrary .Net assemblies $0 07/30/2020
Zoom Security Exploit – Cracking private meeting passwords Tom Anthony (@TomAnthonySEO) Zoom CSRF, Lack of rate limiting $0 07/29/2020
THE NOOB WAY OF TAKING OVER ACCOUNTS Mudassir Sharief - Authorization flaw, Account takeover, Homograph attack $955 07/29/2020
Stealing your Paytm information using XSS Viren Pawar (@VirenPawar_) Paytm XSS INR 94,700 (~ $1,261) 07/29/2020
XSS, RCE & HTML File Upload in same endpoint Tarikul Islam (@sa1tama0) - XSS, RCE, Unrestricted file upload $1,200 07/29/2020
FFUF and my first bounty Suryansh Mansharamani - Information disclosure $300 07/29/2020
Authorization bypass in Google’s ticketing system (Google-GUTS) Zohar Shachar Google Authorization flaw $1,337 07/28/2020
Authentication_token_bypass Leads Too_idor mohit (@mohit29295572) - Authentication bypass - 07/28/2020
Pre-Access to Victim’s Account via Facebook Signup Akshansh Jaiswal (@Akshanshjaiswl) - OAuth flaw, Account takeover $500 07/28/2020
Bug HTML Injection On Tokopedia ! jowi Tokopedia HTML injection - 07/28/2020
CSRF + Open Redirect To Account Takeover R29k (@R29k_) - CSRF, Open redirect, Account takeover - 07/28/2020
CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data Matt Shockley(@mattshockl) Apple MacOS privilege escalation, Authorization flaw - 07/27/2020
Exploiting popular macOS apps with a single “.terminal” file. Vladimir Metnew (@vladimir_metnew) The Internet, Slack, Keybase, Telegram File Quarantine bypass $750 07/27/2020
An unreproducable bug due to the load balancer, an unusual Open Redirect bug tololovejoi (@tolo7010) - Open redirect - 07/27/2020
How I bypassed 2fa in a 3 years old private program! Shivangx01b (@shivangx01b) - 2FA bypass, Bruteforce, Lack of rate limiting - 07/26/2020
Obtained a bunch of sensitive data in just few steps — Hacking Airlangga Visnhu Murthi - AWS misconfiguration, Information disclosure $550 07/26/2020
A Simple IDOR which should not be missed on dating site ;) neelam - IDOR, Information disclosure - 07/26/2020
DNS Rebinding, The treacherous attack it can be Vuk Ivanovic - DNS Rebinding $0 (OOS) 07/25/2020
A $5000 Account Takeover neelam - Account takeover, Password reset flaw $5,000 07/25/2020
Hunting Android Application Bugs Using Android Studio. Tarek Mohammed (@Conan0x3) - Authorization flaw, Client-side enforcement of server-side security, Information disclosure $3,000 07/24/2020
HTTP Parameter Pollution - It’s Contaminated Shrey Shah (@ShreySh43332033) - HTTP Parameter Pollution - 07/24/2020
Disclose content of internal Facebook javascript modules ( Revisited ) Samm0uda (@samm0uda) Meta / Facebook Information disclosure, Authorization flaw - 07/23/2020
Hack Till Your Last Breath mechboy / m.u.h.e (@Muhe76355002) - IDOR $200 07/21/2020
Increasing reward points N number of time Saddam Hussain (@wisdomfreak1) - Logic flaw - 07/21/2020
Denial of Service(DoS) By Regex Ashik B - DoS - 07/20/2020
The $1,000 worth cookie Jadek Mark (@mase289) Mail.ru XSS $1,000 07/19/2020
DOS over wep application Mohamed Ayad - DoS - 07/19/2020
Chaining rate limiting for account lockout Sandip Oli - Lack of rate limiting - 07/19/2020
bypass user-restriction registration Mohamed Ayad - Logic flaw, Payment tampering - 07/18/2020
How I landed on my first bounty : No SPF / DMARC Record Found leading to Social Engineering Attack Fardeen Ahmed Lululemon No valid SPF records, No DMARC records $250 07/18/2020
Unique Case for Price Manipulation | BugBounty | VAPT Harshit Sengar (@sengarharshit1) - Payment tampering - 07/18/2020
Creative Android pin bypass with Race conditon Baluz (@t3chman) - Race condition, Authentication bypass - 07/18/2020
Android pin bypass with rate limiting Baluz (@t3chman) - Lack of rate limiting, Authentication bypass - 07/18/2020
Idor in google product Baluz (@t3chman) Google IDOR $5,000 07/17/2020
How I lost my followers on Medium Florian (@fh4ntke) Medium GraphQL bug, Authorization flaw - 07/17/2020
The Story of My first 4 digit bounty from Facebook Sudip Shah Meta / Facebook Logic flaw, Information disclosure - 07/17/2020
I am able to see user’s sensitive data through JSON file. Saurabh siddharam sanmane (@saurabhsanmane2) - Information disclosure, Authorization flaw $150 07/17/2020
The 3 Day Account Takeover Mr. Beast (@mr_beast) - Logic flaw, Password reset flaw, Account takeover, Bruteforce, Lack of rate limiting - 07/17/2020
Admin ,Editor can disclose personnel email of other editor, admin on page(who created shop) abdellah yaala (@yaalaab) Meta / Facebook Information disclosure $1,000 07/16/2020
Exploiting Imported Libraries to Bypass WAF Greg Gibson - Reflected XSS - 07/14/2020
SSRF in import file function Rafael Silva - SSRF - 07/14/2020
How An API Misconfiguration Can Lead To Your Internal Company Data Me9187 (@Me9187) - Information disclosure - 07/12/2020
Self stored xss to full account takeover Jatin Aesthetic (@techyfreakk) - XSS, Account takeover - 07/12/2020
Bug Bounty Experience: Unvalidated Redirection Vulnerability Simply Secure - Open redirect - 07/12/2020
How I was able to change victim’s password using IDN Homograph Attack Abhishek Karle (@AbhishekKarle3) - IDN homograph attack $600 07/11/2020
A tale of critical account take over Shivam Pandey (@shivam31200) - Account takeover, Exposed JWT generation endpoint - 07/10/2020
Phone number validation bypass through url path manipulation . ben aymen (@ben_aymen_182) - OTP bypass $0 (Duplicate) 07/10/2020
Don’t stop at one bug Dheeraj Madhukar (@Dheerajmadhukar) - Open redirect, XSS, LFI - 07/10/2020
See whether a Hackercup Facebook participant allows recruitment contact Philippe Harewood (@phwd) Meta / Facebook Information disclosure, Logic flaw - 07/09/2020
Remote Denial-of-Service with Chrome Dan Lyton Google DoS $0 (OOS) 07/09/2020
Exploiting Application Logic to Referral Code Disclosure Vaibhav Joshi (@vj0shii) - Logic flaw, Information disclosure - 07/09/2020
Global grant uri in Android 8.0-9.0 (2018 year) Dzmitry Lukyanenka (@vulnano) Google Authorization flaw $0 (Duplicate) 07/09/2020
From N/A to Resolved For BackBlaze Android App[Hackerone Platform] Bucket Takeover Sahil Tikoo (@viperbluff) BackBlaze Hardcoded credentials, Information disclosure - 07/09/2020
Journey from low to critical bug $$$ Dheeraj Madhukar (@Dheerajmadhukar) - IDOR - 07/09/2020
How I found 10 Remote Code Execution in 10 minutes CVE-2020–5902 Saransh Srivastav (@malfuncti0n_) - RCE - 07/07/2020
XSS in Zoom.us Signup Flow Eduardo Vela (@sirdarckcat) Zoom XSS - 07/07/2020
Free blockchain storage – Tale of a bug in Substrate’s FRAME runtime Mudit Gupta (@Mudit__Gupta) Parity Technologies Blockchain bug $250 07/07/2020
From . in regex to SSRF — part 3 Niemiec Marcin (@xvnpw) - SSRF, CRLF $400 07/07/2020
How i was able to bypass Email Confirm — P4 Mohammed Ehssan (@alone_Wwolf) - Information disclosure - 07/06/2020
Issue 1040755: Security: Another “universal” XSS via copy&paste Michał Bentkowski (@SecurityMB) Google Universal XSS, Browser bug $2,000 07/06/2020
Make Featured Product in any video abdellah yaala (@yaalaab) Meta / Facebook IDOR - 07/05/2020
My First Bug: Blind SSRF Through Profile Picture Upload swaysthinking (@swaysThinking) - SSRF - 07/05/2020
RCE via image upload functionality Adwaith KS - Unrestricted file upload, RCE - 07/05/2020
Case Study I - Browser Anomaly with Facebook Apps -1500$ easySIEM (@easySIEM) Meta / Facebook Authorization flaw $1,500 07/05/2020
Taking Over Files in a chat —IDOR in Microsoft Teams Aly Anwar (@alyanwarr) Microsoft IDOR $0 (N/A) 07/05/2020
From Host Header injection to SQL injection Daoud Youssef / smacker dodi (@daoud_youssef) - Host header injection, SQL injection - 07/05/2020
Why I paid 3.5K to become a TLD registrar reseller when doing bug bounty hg_real (@hgreal1) - XXE $7,500 07/05/2020
BBC Bug Bounty Write-up | XSS Vulnerability Pethuraj (@Pethuraj) BBC Reflected XSS N/A (VDP) 07/05/2020
How I got hall of fame in Microsoft Akash basnet (@noneofyou007) Microsoft XSS - 07/04/2020
EN | Account Takeover and Sensitive Data Leakage via CORS Misconfiguration Lütfü Mert Ceylan (@lutfumertceylan) - CORS misconfiguration, CSRF, Account takeover - 07/04/2020
CSRF Attack!!! Bala Praneeth (@Begin_hunt) - CSRF $500 07/04/2020
Bug bounty write-up: From SSRF to $4000 & Video thehackerish (@thehackerish) - SSRF, RCE $4,000 07/03/2020
[Writeup][Bug Bounty][Tokopedia] Manipulate Other User’s Cart and Wishlist on Tokopedia [EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Tokopedia IDOR $135 07/03/2020
Breaking Business Logic via Coupons — The Story of my 1st Valid Bug Bounty Dominic Ifediri (@Edi4all) - Payment tampering, Logic flaw - 07/03/2020
How i got 200$ with an out of the box open redirect vulnerability Tarek Galleze - Open redirect, Token theft $200 07/03/2020
Price Tampering due to Improper checks on applying Coupon Vaibhav Joshi (@vj0shii) - Payment tampering, Logic flaw - 07/03/2020
Admin disclosure of Facebook verified pages/ Disclose Facebook employee assigned to help a verified page. Samm0uda (@samm0uda) Meta / Facebook Information disclosure $5,500 07/02/2020
Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text Yasho (@YShahinzadeh) Cafebazaar SSRF $2,500 07/02/2020
How I made $1500 dollars using base64 decoder :) Dilip (@dilip_spartn) - Information disclosure $1,500 07/02/2020
Misconfigured S3 Bucket Access Controls to Critical Vulnerability Harsh Bothra (@harshbothra_) - AWS misconfiguration - 07/02/2020
Blast from the past: Cross Site Scripting on the AWS Console Johann Rehberger (wunderwuzzi23) Amazon DOM XSS - 07/01/2020
Art of bug bounty: a way from JS file analysis to XSS Jakub Żoczek (@zoczus) Verizon Media, Tumblr XSS $1,000 07/01/2020
ZombieVPN, Breaking That Internet Security 0xSha (@0xsha) Bitdefender, AnchorFree RCE, Deserialization - 07/01/2020
Stored XSS with Password Recovery Page Lütfü Mert Ceylan (@lutfumertceylan) - Stored XSS - 07/01/2020
Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run CertiK (@certik_io) Symbol XSS, RCE - 07/01/2020
Story of stealing mail conversation, contacts in mail.ru and myMail iOS applications via XSS kminthein / weev3 (@kyawminthein99) Mail.ru Stored XSS $1,000 06/30/2020
Using Inspect Element to Bypass Security restrictions | Bug Bounty POC Muhammad Khizer Javed (@khizer_javed47) - Client-side enforcement of server-side security - 06/30/2020
Patched Zoom Exploit: Altering Camera Settings via Remote SQL Injection Keegan Ryan (@inf_0_) Zoom SQL injection $2,000 06/29/2020
API Endpoint leads to Account Takeover In Android Application Adesh Nandkishor kolte (@AdeshKolte) - Exposed token generation endpoint, Information disclosure - 06/28/2020
Taking over Azure DevOps Accounts with 1 Click Sean Yeoh (@seanyeoh) Microsoft Subdomain takeover, Account takeover $3,000 06/28/2020
How I hacked a bank their application using it for hacking another bank company — 10K XSS hg_real (@hgreal1) - XSS $10,000 06/28/2020
How I was able to take over any account via the Password Reset Functionality. Firas Fatnassi (@Fatnass1F1ras) - Password reset flaw, Account takeover - 06/28/2020
An attempt to escalate a low-impact hidden input XSS Ayush Ojha (@officialaimm) - XSS - 06/28/2020
How I Bypassed open redirect and i have get reward from yandex Mino Metidji (@minometidjii) Yandex Open redirect $100 06/27/2020
How i hacked worldwide ZOOM users s3c (@s3c_krd) Zoom OAuth flaw, Account takeover - 06/27/2020
Create hidden comment by blocking an Admin: Facebook Bug Bounty 2020 Saugat Pokharel (@saugatpk5) Meta / Facebook Logic flaw - 06/25/2020
Bug Bounty in Lockdown (SQLi and Business Logic) Abhishek Yadav (@abhishake100) - SQL injection, Logic flaw - 06/24/2020
All About Getting First Bounty with IDOR Mukul Trivedi (@M0hn1sh) - IDOR - 06/23/2020
Exploiting Bitdefender Antivirus: RCE from any website Wladimir Palant (@WPalant) Bitdefender RCE, Information disclosure $0 (Declined by bug hunter) 06/22/2020
A tale of my first ever full SSRF bug Jadek Mark (@mase289) - SSRF $1,000 06/22/2020
Leveraging an SSRF to leak a secret API key Julien Cretel (@jub0bs) - SSRF $1,000 06/22/2020
API Token Hijacking Through Clickjacking DarkLotus (@darklotuskdb) - Clickjacking - 06/22/2020
How i was able to chain bugs and gain access to internal okta instance Mohammed Eldeeb (@malcolmx0x) - Lack of authentication - 06/22/2020
It took me only 5 minutes to find an RCE on Bentley Divyansh Sharma Bentley RCE, Weak credentials $300 06/21/2020
Simple story of some complicated XSS on Facebook Bipin Jitiya (@win3zz) Meta / Facebook Reflected XSS - 06/21/2020
Bypass 2FA like a Boss Seqrity (@seQrity) - Lack of rate limiting, Bruteforce $0 (Duplicate) 06/20/2020
How did i find information Disclosure on Facebook-Writeup Alaa Abdulridha (@Madrid89001310) Meta / Facebook Information disclosure $1,500 06/20/2020
Hacking Starbucks and Accessing Nearly 100 Million Customer Records Sam Curry (@samwcyo) Starbucks Path traversal $4,000 06/20/2020
From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration YoKo Kho (@YokoAcc) - Information disclosure, MFA bypass $500 06/19/2020
One Token to leak them all : The story of a $8000 NPM_TOKEN Aseem Shrey (@AseemShrey) Google Information disclosure $8,000 06/19/2020
Replying on LiveStream leading to Page Admin Disclosure: Facebook Bug Bounty Saugat Pokharel (@saugatpk5) Meta / Facebook Information disclosure - 06/18/2020
Hackerone Bug Bounty Report: Hinge Tyle Butler (@tbutler0x90) Hinge Information disclosure $250 06/18/2020
A subtle stored-XSS in WordPress core Sam Thomas (@_s_n_t) Wordpress Stored XSS, RCE - 06/17/2020
Bug bounty bout report 0x01 - WebRTC edition Enable Security (@enablesecurity) - Outdated component with a known vulnerability, DoS, RCE, Default credentials, SSRF - 06/16/2020
How I made more than $30K with Jolokia CVEs Patrik Fehrenbach (@ITSecurityguard) - Reflected XSS, RCE, Information disclosure $33,500 06/16/2020
How I managed to Escalate privilege as admin Abisheik Magesh (@AbisheikMagesh) - Lack of rate limiting, Bruteforce, Weak credentials - 06/16/2020
How I was able to buy t-shirt for €1 — Payment Price Manipulation Muztahidul Tanim (@TheMuztahidul) - Payment tampering $2,000 06/16/2020
All *.intercom.help subdomains vulnerable to Subdomain Takeover from intercom Service Mohamed Haron (@m7mdharon) Intercom Subdomain takeover $0 (N/A) 06/16/2020
Tail of IDOR Saddam Hussain (@wisdomfreak1) - IDOR $300 06/16/2020
SMTP Injection in Gsuite Zohar Shachar Google SMTP injection $3,133.7 06/15/2020
Reflected User Input == XSS! Silent Bronco (@silentbronco) - Reflected XSS $50 06/15/2020
Business logic flaw in the invitation system allows to Takeover any account at a private company Daniel V. (@d4niel_v) - Account takeover, IDOR - 06/15/2020
Another “Fappening” on the Horizon? Sociosploit Apple Account takeover, Phishing - 06/15/2020
How to Secure AWS ServerLess Lambda from ReDoS(Regular Expression Denial-of-Service) & Resultant Financial Impact Ddigvijay (@itsdig) - ReDoS - 06/14/2020
Privilege escalation in Partners Portal to Admin access Samm0uda (@samm0uda) Meta / Facebook Privilege escalation - 06/14/2020
Disclose internal files related to testing of some Facebook tools Samm0uda (@samm0uda) Meta / Facebook Information disclosure - 06/14/2020
Disclose the Instagram account linked to a Facebook user account or page Samm0uda (@samm0uda) Meta / Facebook Information disclosure - 06/14/2020
Internal directories enumeration in www Samm0uda (@samm0uda) Meta / Facebook Information disclosure, Internal directories enumeration - 06/14/2020
RACE Condition vulnerability found in bug-bounty program Pravinrp - Race condition - 06/13/2020
Account Takeover via OTP Bruteforce (Apigee API) Vishnuraj - OTP bypass, Bruteforce, Lack of rate limiting - 06/13/2020
DoS and BugBounties :A series of DoS attacks on HackerOne Ninad Mishra (@iamr000t) - DoS $500 06/12/2020
Let’s Bypass CSRF Protection & Password Confirmation to Takeover Victim Accounts :D Harsh Bothra (@harshbothra_) - CSRF - 06/12/2020
Race Conditions - Exploring the Possibilities Milind Purswani (@MilindPurswani) Reddit, [Private programs] Race condition - 06/11/2020
HUNT for SQL Injection- The Smart Way! Mudassir Sharief - SQL injection - 06/11/2020
The Frustrating XSS Mr. Beast (@mr_beast) - XSS - 06/11/2020
Guest Blog: From File Upload to RCE Lukasz Wierzbicki (@v13rs8a) - Unrestricted file upload, RCE - 06/10/2020
Privilege Escalation by Changing HTTP Response (Admin Access) Bachrudin Ashari Pujakusuma (@Bachrudinashari) - Privilege Escalation IDR 8.000.000 (~ $563) 06/10/2020
Utilizing Lockdown: Blind Sqli leads to Account Takeover & Data Extraction Shakti Mohanty (@3ncryptSaan) - Blind SQL injection, Account takeover $1,400 06/10/2020
The “P5” Link Injection Story Silent Bronco (@silentbronco) - Link injection - 06/10/2020
Abusing Microsoft Teams rate limiting for DDoS Omayr Zanata (@omayrzanata) Microsoft DoS $0 (Informative) 06/10/2020
Cmd Hijack - a command/argument confusion with path traversal in cmd.exe Julian Horoszkiewicz Microsoft OS Command injection, Path traversal $0 (Informative) 06/10/2020
The Accidental RCE Mr. Beast (@mr_beast) - Unrestricted file upload $4,800 06/09/2020
Local Privilege Escalation Discovered in VMware Fusion Rich Mirch (@0xm1rch) & Jeff Ball (@jeffball55) VMware Local Privilege Escalation - 06/09/2020
This is fine 🐶 Ricardo Iramar dos Santos (@ricardo_iramar) - Information disclosure $0 (Informative, Won’t fix) 06/08/2020
Different host header injection worth 2k Imran Nissar (@Imrannissar3) - Host header injection $2,000 06/07/2020
How i earned $500 from google by change one character . Oday Alhalbe Google CSRF $500 06/06/2020
XSS to Database Credential Leakage & Database Access — Story of total luck! Harsh Bothra (@harshbothra_) - Reflected XSS, Information disclosure - 06/06/2020
From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response YoKo Kho (@YokoAcc) - Privilege Escalation $1,000 06/06/2020
Multiple Information exposed due to misconfigured Service-now ITSM instances Th3G3nt3lman - Lack of authentication, Information disclosure $30,000 06/05/2020
Account takeover via postMessage socket (@yxw21) - Account takeover, postMessage bug $1,500 06/05/2020
Local file read via XSS using PDF generate functionality Sanjay Singh Jhala (@lordjerry0x01) - XSS, LFI - 06/05/2020
Story of Blind SQL with a typo error. Amyrahm (@Amyrahm11) - SQL injection - 06/05/2020
[IDOR] Delete saved credit cards from any Business Manager Account — Facebook Bug Bounty Rohit kumar (@rohitcoder) Meta / Facebook IDOR - 06/05/2020
Three Privilege Escalation Bugs in Google Cloud Platform’s OS Login initstring (@init_string) Google Local privilege escalation - 06/04/2020
Another image removal vulnerability on Facebook Pouya Darabi (@Pouyadarabi) Meta / Facebook IDOR $10,000 06/04/2020
Privilege Escalation in Google Cloud Platform’s OS Login Chris Moberly (@init_string) Google Privilege escalation - 06/04/2020
How I got my first big bounty payout with Tesla CJ Fairhead (@xyantix) Tesla Information disclosure $5,000 06/04/2020
From CRLF to Account Takeover Valeriy Shevchenko (@Krevetk0Valeriy) - CRLF, HTTP response splitting, Reflected XSS, Account takeover - 06/03/2020
IP-in-IP protocol routes arbitrary traffic by default yannayl (@Yannayli) The Internet DoS, Spoofing $750 06/02/2020
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers Michał Bentkowski (@securitymb) Google, Mozilla XSS $30,000 06/02/2020
Double URL-encoded XSS vict0ni (@vict0ni) - Reflected XSS - 06/02/2020
When it’s not only about a Kubernetes CVE… Reever Zax (@ReeverZax) & Hach (@_hach) Microsoft SSRF +$40,000 06/02/2020
Information disclosure and reflected XSS on Tokopedia wis4nggeni Tokopedia Reflected XSS, Information disclosure - 06/01/2020
How I leveraged an interesting CSRF vulnerability to turn self XSS into a persistent attack? Akash Methani (@0xAkash) - Self XSS, CSRF - 06/01/2020
How I made $31500 by submitting a bug to Facebook Bipin Jitiya (@win3zz) Meta / Facebook SSRF $31,500 05/31/2020
h1{Error based XXE - bug bounty writeup} f4d3 (@f4d3_cl) - XXE - 05/31/2020
Hunting on ASPX Application For P1’s [Unauthenticated SOAP,RCE, Info Disclosure] ElMahdi Mrhassel (@ElMrhassel) - RCE, Information disclosure, IDOR - 05/31/2020
Weird “Subdomain Take Over” pattern of Amazon S3 Simgamsetti Manikanta (@zaheckmania) - Subdomain takeover - 05/31/2020
The story of My First $xxx Bug Bounty From Facebook Sudip Shah Meta / Facebook Logic flaw, Information disclosure - 05/31/2020
Cross-site scripting: The power of the hidden parameters. Kassih Mouhssine (@KassihMouhssine) Sony Reflected XSS - 05/30/2020
Zero-day in Sign in with Apple Bhavuk Jain (@bhavukjain1) Apple Account takeover $100,000 05/30/2020
Microsoft’s first bug Lê Hữu Quang Linh (@linhlhq) Microsoft File format vulnerability - 05/30/2020
Weak Cryptography Leads To Open Redirect DarkLotus (@darklotuskdb) - Open redirect - 05/30/2020
Analysis of CVE-2020-13693 Raphael Karger (@aptNum) Wordpress Privilege escalation - 05/29/2020
My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft Ben Sadeghipour (@nahamsec) & Serafina (Sera) Tonin Brocious (@daeken) Lyft SSRF - 05/29/2020
IDOR in session cookie leading to Mass Account Takeover Zonduhackerone (@zonduu1) - IDOR, Account takeover $2,000 05/29/2020
XSS Stored On Messages In [ Outlook Web — Outlook Android App ] ElMahdi Mrhassel (@ElMrhassel) Microsoft Stored XSS - 05/28/2020
Bypassing WAF to perform XSS Kleiton Kurti (@kleiton0x7e) - XSS - 05/28/2020
How I was able to see Private Video Uploader Via Facebook Rights Manager.[Responsible Disclosure] Kishore TK (@kishoretk_off) Meta / Facebook Information disclosure - 05/28/2020
A Long Overdue Write-up: How I got into the Oppo Hall of Fame Shibin B. Shaji (@shibinbshaji06) Oppo Login screen bypass, Authentication bypass 10,000 INR (~ $133) 05/28/2020
Clickjacking to Account Takeover Abhishek Yadav (@abhishake100) - Clickjacking - 05/28/2020
iOS Outlook Stored XSS Write-Up($3000) kminthein (@kyawminthein99) Microsoft XSS $3,000 05/28/2020
Stored XSS in Microsoft outlook kminthein (@kyawminthein99) Microsoft Stored XSS - 05/28/2020
Stored XSS in Yahoo mail IOS app($3500) kminthein (@kyawminthein99) Yahoo Stored XSS $3,500 05/28/2020
Android : SOP Bypass to steal system files. Rahul Kankrale (@RahulKankrale) - SOP bypass - 05/28/2020
Bug Hunting Stories: Schneider Electric & The Andover Continuum Web.Client Niv Levy (@restr1ct3d) Uber XXE, Reflected XSS - 05/27/2020
No-Rate and Input limitations on password reset page chained into Denial Of Service attack on one of US Dept of Defense website. Gal Nagli (@naglinagli) U.S. Dept Of Defense Password reset flaw, DoS, Lack of rate limiting - 05/27/2020
Chaining an IDOR with a business-logic error to achieve critical impact Julien Cretel (@jub0bs) - IDOR, Logic flaw - 05/26/2020
How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber Andrey Abakumov (@andrewaeva) Uber HTTP request splitting, SSRF, CRLF, RCE - 05/25/2020
Story About OTP Bypass To Stored XSS PJ Borah (@PJBorah1) - OTP bypass, Stored XSS - 05/23/2020
Using P3 Bug to escalate other P4 to P3 Saddam Hussain (@wisdomfreak1) - Information disclosure - 05/22/2020
How Source code reading helped me find an IDOR Sanjay Verdu (@codersanjay) - IDOR, Information disclosure $0 (Swag) 05/22/2020
My First Bug Bounty — 2 Factor Authentication Bypass Talatmehmood - OTP bypass $100 05/22/2020
Parsing the DOM elements of Other pages via XSS: A Bug Bounty Story Mandeep Jadon (@1337tr0lls) - XSS, Information disclosure - 05/22/2020
RCE in Google Cloud Deployment Manager Ezequiel Pereira (@epereiralopez) Google SSRF, RCE $31,337.00 05/21/2020
Bypassing Message Request inbox Abdellah Yaala (@yaalaab) Meta / Facebook Authorization flaw, Logic flaw - 05/21/2020
Change any link at https://fbwat.ch/ Philippe Harewood (@phwd) Meta / Facebook Authorization flaw, Logic flaw $1,000 05/20/2020
Become member of close & public group abdellah yaala Meta / Facebook Authorization flaw, Logic flaw $7,500 05/20/2020
Easy bounties with subdomain discovery - Using Project Sonar for bug bounty Torben Capiau (@TorbenCapiau) Bpost Broken access control, Authorization flaw $100 05/20/2020
How I got 200$ in 5 minutes – Sensitive data leak Sanjay Verdu (@codersanjay) - Information disclosure $200 05/19/2020
How I was Able To Bypass Email Verification Saddam Hussain (@wisdomfreak1) - Email verification bypass $0 (Duplicate) 05/19/2020
Teradici and CVE-2020-10965: An issue of routing. Benjamin Heald (@heald_ben) Teradici, [Private program] Lack of authentication $1,350 05/18/2020
FB & Messenger for iOS : Address Bar spoofing using data uri Rahul Kankrale (@RahulKankrale) Meta / Facebook Address Bar Spoofing, URL spoofing $3,000 05/18/2020
CVE-2020–1088 — Yet another arbitrary delete EoP Søren Fritzbøger (@fritzboger) Microsoft Windows privilege escalation - 05/18/2020
Multiple flaws leads to Account Takeover within an Application Harshit Sengar (@sengarharshit1) - Account takeover, Password reset flaw, Sign-up flaw - 05/18/2020
My first 10k bdt bounty from an e-commerce site Md Saikat - IDOR 10,000 BDT (~ $117) 05/18/2020
Tale of Account Takeovers (Part-2) Vijaysimha Reddy Bathini (@fatratfatrat) - Account takeover - 05/17/2020
Stored XSS Leads to Plaintext Password Disclosure bad5ect0r (@bad5ect0r) - Stored XSS, Information disclosure, Unrestricted file upload - 05/17/2020
One Param => $10k Bilal Khan (@bilalmerokhel) - IDOR, XSS, Account takeover $10,000 05/17/2020
Account takeover CSRF Misconfiguration Saddam Hussain (@wisdomfreak1) - CSRF, Account takeover - 05/17/2020
Logical Bug which let me stop Users from Creating Ads at a Website Merbin Russel (e_23_e) - Logic flaw, DoS - 05/17/2020
Vulnerability – Account takeover using OAuth Misconfiguration Saddam Hussain (@wisdomfreak1) - OAuth misconfiguration, Account takeover, CSRF $300 05/16/2020
How I was able to make users loss of money on Google Pay santuySec (@santuySec) Google Clickjacking $0 (Duplicate) 05/16/2020
Chained Bugs [ Account TakeOver ] Bilal Khan (@bilalmerokhel) - IDOR, XSS, Account takeover $1,050 05/16/2020
Password Reset Poisoning leading to Account Takeover Swapnil Maurya (@swapmaurya20) - Password reset flaw, Account takeover - 05/16/2020
How I got my first swag on Edmodo with a simple XSS. Sanjay Verdu (@codersanjay) Edmodo Stored XSS $0 (Swag) 05/16/2020
Weak Cryptography in Password Reset to Full Account Takeover Harsh Bothra (@harshbothra_) - Account takeover, Password reset flaw, Cryptographic issues - 05/15/2020
Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability Talatmehmood - Payment tampering - 05/14/2020
$3000 Bug Bounty Award from Mozilla for a successful targeted Credential Hunt Johann Rehberger (wunderwuzzi23) - Information disclosure $3,000 05/13/2020
Lucky Bug Which Let Me Change Name of Every Accounts at a Single Click Merbin Russel (e_23_e) - SQL injection - 05/13/2020
Change the profanity filter for any Facebook page Philippe Harewood (@phwd) Meta / Facebook Authorization flaw, Logic flaw $750 05/12/2020
Magic of the Back Slash Anil Tom (mr_4nk) - Path traversal $2,100 05/11/2020
Another Zoho ManageEngine Story frycos (@frycos) Zoho Authentication bypass - 05/11/2020
How I made $10K in bug bounties from GitHub secret leaks Tillson Galloway (tillson_) - Information disclosure $10,000 05/10/2020
Bypass XSS filter using HTML Escape Syahri Ramadan (@adonkidz7) Google XSS $4,133.70 05/08/2020
$20000 Facebook DOM XSS Vinoth Kumar (@vinodsparrow) Meta / Facebook DOM XSS $20,000 05/07/2020
I Found XSS Security Flaws in Rails – Here’s What Happened. Jesse Campos Ruby on Rails XSS $500 05/07/2020
DOM-Based XSS at accounts.google.com by Google Voice Extension. missoum1307 (@missoum1307) Google DOM XSS $3,133.7 05/07/2020
How we Hijacked 26+ Subdomains Aishwarya Kendle (@aish_kendle) - Subdomain takeover - 05/07/2020
DOM XSS Walkthrough Youssef Lahouifi (@YLahouifi) - DOM XSS - 05/06/2020
Google Acquisition XSS (Apigee) TnMch (@TnMch_) Google XSS - 05/06/2020
A tale of verbose error message and a JWT token Marek Geleta (@marek_geleta) - Information disclosure, Authorization flaw - 05/05/2020
Stored XSS on biz.waze.com Uranium238 (@uraniumhacker) Google (Waze) XSS - 05/05/2020
Multiple XSS Uranium238 (@uraniumhacker) Google Stored XSS - 05/05/2020
G Suite - Device Management XSS Uranium238 (@uraniumhacker) Google XSS - 05/05/2020
Cool paste jacking attack earned me $$$ Aman Rawat (@theamanrawat) - Paste jacking - 05/04/2020
DOM XSS in Gmail with a little help from Chrome Enguerran Gillier (@opnsec) Google DOM XSS $5,000 05/03/2020
#BugBounty — Adding Money Using Response Modification Line_no 6 - Payment tampering, Logic flaw - 05/03/2020
Private Dashboards were accessible by other Admins in Analytics Dashboard Rohit kumar (@rohitcoder) Meta / Facebook Authorization flaw - 05/02/2020
Reflected XSS on Microsoft.com via Angular Js template injection Pratik Dabhi (@impratikdabhi) Microsoft CSTI, XSS - 05/02/2020
Blind SSRF on coda.io Kleiton Kurti (@kleiton0x7e) Coda SSRF $0 (OOS) 05/02/2020
Exposure of Facebook object type by knowing the object ID Samm0uda (@samm0uda) Meta / Facebook Information disclosure - 05/02/2020
Add draft subtitles to any Facebook video and Full Path Disclosure Samm0uda (@samm0uda) Meta / Facebook Information disclosure - 05/02/2020
Ok Google! bypass ‘flag_secure’ Pankaj Upadhyay (@_pupadhyay) Google Authorization flaw - 05/01/2020
The Story of Blind SSRF leads to internal Host discovery. kaustubh padwad (@s3curityb3ast) - SSRF $0 (OOS) 05/01/2020
Hacking Razer Pay Ewallet App Richard Tan (@sambal0x) Razer IDOR $6,000 04/30/2020
Researching Polymorphic Images for XSS on Google Scholar Lorenzo Stella (@lorenzostella) Google Stored XSS $9,401.1 04/30/2020
[Bug Bounty Writeups] Exploiting SQL Injection Vulnerability Ahmed ElTijani - SQL injection $2,000 04/30/2020
Account taken over in style !!! kishore hariram (@kishorehariram) - Logic flaw, CSRF, Account takeover - 04/30/2020
Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin Florian Courtial (@theflofly) Trello XSS $3,600 04/29/2020
Indirect UXSS issue on a private Android target app Kunal pandey (@kunalp94) - UXSS $1,000 04/29/2020
Recon to Sensitive Information Disclosure in Minutes Harsh Bothra (@harshbothra_) - Information disclosure, Outdated component with a known vulnerability - 04/28/2020
Private giant chat app – Send message to victim while sender blocked Rahul Kankrale (@RahulKankrale) - Authorization flaw, Logic flaw - 04/28/2020
Piercing the Veal: Short Stories to Read with Friends d0nut DuckDuckGo, [Private programs] SSRF $4,800 04/27/2020
Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams Omer Tsarfati (@OmerTsarfati) Microsoft Account takeover, Subdomain takeover - 04/27/2020
Bitrix WAF bypass Roma Ramazanoff (@r0hack) Mail.ru Reflected XSS $300 04/27/2020
1-click RCE on Keybase smaury (@smaury92) Keybase RCE $0 (Duplicate) 04/27/2020
Fun With CORS Misconfiguration — II Aman Gupta (@gupt4j1) - CORS misconfiguration, XSS - 04/25/2020
XSS in Peerio 2 Windows Application (Write Up) Evan Ricafort (@evanricafort) Peerio XSS C$1,000 04/24/2020
Web Cache Poisoning in Postmates [$1500] Aung Pyae Ko Ko (@BlcKVRtuL1) Postmates Web cache poisoning $1,500 04/24/2020
From Recon to P1 (Critical) — An Easy Win Harsh Bothra (@harshbothra_) - Exposed registration page - 04/24/2020
Two Factor Authentication Bypass [ $50 ] Aung Pyae Ko Ko (@BlcKVRtuL1) - 2FA bypass $50 04/24/2020
Messenger Rooms Bug Bounty Write-up Jane Manchun Wong (@wongmjane) Meta / Facebook Privilege escalation, Authorization flaw - 04/24/2020
Hiding ourself in close friend’s list and avoiding victim to remove us from his close friend’s list. Baibhav Anand (@SpongeBhav) Meta / Facebook Authorization flaw, Logic flaw $500 04/23/2020
Misconfigured WordPress takeover to Remote Code Execution Smaran Chand (@smaranchand) - Wordpress takeover, RCE, Security misconfiguration - 04/22/2020
From P5 to P2, from nothing to 1000+$ Mohamed Daher (@DaherMohamed4) - Race condition, Self-XSS, Blind XSS > $1,000 04/22/2020
The Secret sauce of bug bounty Mohamed Slamat (@oxxy37) - CSTI, Stored XSS, CORS policy bypass - 04/22/2020
Exploiting a Race Condition Vulnerability Vivek Kumar Singh (@v7nc3nz) - Race condition - 04/22/2020
CORS bug on GOOGLE’s 404 page REWARDED!!! Jayateertha Guruprasad (@JayateerthaG) Google CORS misconfiguration - 04/21/2020
DOM based open redirect to the leak of a JWT token Adolphoramirez - Open redirect, DOM-based open redirect, OAuth token theft - 04/20/2020
Google Maps API (Not the Key) Bugs That I Found Over the Years Ozgur Alp (@ozgur_bbh) Google Logic flaws - 04/19/2020
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts Sam Curry (@samwcyo) Rocket League HTTP cache poisoning, Open redirect N/A (VDP) 04/19/2020
How was i able to find privilege escalation. Akshar Tank (@Akshar__tank) - IDOR, Authorization flaw - 04/18/2020
Here is the Non Technical write-up on Technical Bug for My Second Bounty of $xxxx From Facebook Ashok Chapagai (@ashokcpg) Meta / Facebook Logic flaw, Privacy issue - 04/17/2020
Strange Redirect (Fixed but no bounty) Abhishek Yadav (@abhishake100) - Open redirect - 04/17/2020
OTP Verification Bypass Kanhaiya Kumar Singh - OTP bypass - 04/17/2020
[Writeup][Bug Bounty][Instagram] Instagram Still Send New DMs and Video Calls to Device After Logout [ID][EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Facebook (Instagram) Session management flaw $750 04/16/2020
Tricky Oracle SQL Injection Situation yappare (@yappare) - SQL injection - 04/16/2020
Netflix Party — XSS Vulnerabilities kr-b (@pirxcy) Netflix XSS - 04/14/2020
$55,000 Facebook token leak vs Funny Airline token leak. MasterSEC (@MasterSEC_AR) - XSS $0, 50,000 miles 04/14/2020
Business Logic Errors - A New Look Shrey Shah (@ShreySh43332033) - Logic flaw - 04/14/2020
Bounty Tip !! Easiest way to bypass API’s Rate Limit. Shaurya Sharma (@ShauryaSharma05) - Rate limiting bypass - 04/14/2020
Hacking a Telecommunication company(MTN) Afolic MTN Group OTP bruteforce - 04/13/2020
How i Unlocked the blocked accounts? Maria Zulfiqar - Password reset flaw, HTTP Parameter Pollution, IDOR - 04/11/2020
The story of a fuzzing integration reward Andrea Brancaleoni (@nJoyneer) Google Memory corruption bug $10,000 bounty 04/08/2020
Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs Thomas Orlita (@ThomasOrlita) Google IDOR - 04/07/2020
Unrestricted CV File Upload vict0ni (@vict0ni) - Unrestricted file upload - 04/07/2020
Stored XSS in Google Nest Harikrishnan Chandraganesan (@hari_cybex) Google Stored XSS - 04/07/2020
$3K Bounty For Elastic-Search Takeover Ashish Kunwar (@D0rkerDevil) - Elasticsearch takeover $3,000 04/06/2020
How we abused Slack’s TURN servers to gain access to internal services Sandro Gauci (@sandrogauci) Slack SSRF $3,500 04/06/2020
How a Simple CSRF Attack Turned into a P1 Level Bug Lady Secspeare (@bejuveria_) - CSRF, Account takeover - 04/05/2020
Page Admin Disclosure: Facebook Bug Bounty 2020 Saugat Pokharel (@saugatpk5) Meta / Facebook Information disclosure, Logic flaw - 04/04/2020
Cannot Delete Post on Facebook Group: Facebook Bug Bounty Saugat Pokharel (@saugatpk5) Meta / Facebook Logic flaw - 04/04/2020
Playing with JSON Web Tokens for Fun and Profit Muhammad Qasim Munir (@MeetAn0nym0us) - Password reset flaw, Email confirmation bypass - 04/04/2020
Touch ID Authentication Bypass on Evernote and Dropbox IOS Apps Sahil Tikoo (@viperbluff) Evernote, Dropbox Authentication bypass - 04/03/2020
iPhone Camera Hack Ryan Pickren Apple Zero-Click Unauthorized Access to Sensitive Data $75,000 04/02/2020
Hundreds of internal servicedesks exposed due to COVID-19 Inti De Ceukelaire (@securinti) - Security misconfiguration >$10,000 04/02/2020
Always escalate! From Self-XSS to Persistent XSS on Login Portal Phuriphat Boontanon (@zanezenzane) - Self XSS, CSRF $650 04/02/2020
Account Take Over without user Interaction Ravilla Bharath - Password reset flaw, Information disclosure, Account takeover $0 (Duplicate) 04/02/2020
Privilege Escalation - Hello Admin Shrey Shah (@ShreySh43332033) - Privilege escalation - 04/02/2020
The story of my first ever, 1500$, bounty from Facebook. Ashok Chapagai (@ashokcpg) Meta / Facebook Logic flaw $1,500 04/01/2020
$3133.7 Google Bug Bounty Writeup- XSS Vulnerability! Pethuraj (@Pethuraj) Google Reflected XSS $3,133.7 04/01/2020
Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Microsoft RCE $0 03/31/2020
Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability Duc Nguyen (@ducnt_) - SQL injection - 03/31/2020
Hacking makes me forget my pain Abida Fahd - SQL injection - 03/31/2020
Limited freemarker ssti to arbitrary liql query and manage lithium cms Mert (@mertistaken) & F. Celal Erdik (@celalerdik) - SSTI - 03/30/2020
Restriction is not a promise : Privilege escalation on Google. Hariharan.s (@DJHARIZ1) Google Privilege escalation, Authorization flaw $500 03/30/2020
CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS cliqz (@cliqz) Mozilla, Brave Universal XSS - 03/30/2020
OTP Bruteforce- Account Takeover Ranjit Kumar - OTP bruteforce, Account takeover - 03/29/2020
Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study Abdulrahman Nour (@aboodnour) Bitdefender RCE $5,000 03/28/2020
Executing scripts in Safari Reader Mode to CSP Bypass Nikhil Mittal (@c0d3G33k) Apple XSS, CSP bypass - 03/28/2020
I Want that Cookie !!! Adnan Malik (@infoadnanmalik) - Logic flaw - 03/27/2020
Exploiting magic links, critical bugs are one line away 0xSha (@0xsha) Razer Information disclosure, Lack of authentication $0 (Duplicate) 03/27/2020
1st Bug Bounty Write-Up — Open Redirect Vulnerability on Login Page Phuriphat Boontanon (@zanezenzane) - Open redirect $250 03/27/2020
Getting lucky in bug bounty — shamelessly profiting off of other’s work Jeppe Bonde Weikop - Authentication bypass, Lack of rate limiting, Credentials sent over unencrypted channel $3,200 03/26/2020
Account Takeover Flow In Mail.ru ‘s Ext.A Domain [ $150 ] Myo Min Thu (@myominthu1337) - Logic flaw, Account takeover $150 03/26/2020
Exploitation of the CVE-2018-15961 – Unrestricted File Upload in Adobe ColdFusion Supras (@LdrTom) - Unrestricted file upload - 03/26/2020
Stealing Videos From VLC Dhiraj (@RandomDhiraj) The Internet IDOR - 03/26/2020
XSS WAF & Character limitation bypass like a boss Prial Islam Khan (@prial261) - XSS - 03/25/2020
Self XSS to Account Takeover Ch3ckM4te - Account takeover, XSS, CSRF - 03/24/2020
Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image) Muhammad R. Maulana - RCE, Unrestricted file upload - 03/21/2020
API DOCS takeover on Readme.io Oktavandi (@0ktavandi) - Subdomain takeover - 03/19/2020
EN | Administrator level Privilege Escalation story Samet Sahin (@sametsahinnet) - Privilege escalation $0 (Duplicate) 03/19/2020
Reflected XSS on microsoft.com subdomains Raimonds Liepins (@lv_linkers) Microsoft Reflected XSS $0 03/19/2020
Hacking — Always Check the Cross-domain Policy Jack Starbucks SOP bypass, CSRF $750 03/19/2020
XXE-scape through the front door: circumventing the firewall with HTTP request smuggling Pieter Hiele (@honoki) - XXE - 03/18/2020
Where is my Train : Tracking to Hacking ! Anil Tom (mr_4nk) Google Reflected XSS, SQL injection - 03/17/2020
How I was able to verify any contact number for my account? Paras Arora (@parasarora06) - OTP bypass, 2FA bypass - 03/17/2020
Razer mobile PIN verification bypass $1k Bug Sourav Sahana (@kernel_rider) Razer OTP bypass, 2FA bypass $1,000 03/17/2020
How I Earned $1750 at Shopify Bug Bounty Program Ashish Dhone Shopify XSS, Open redirect $1,750 03/16/2020
Weak session validation bug let you login even after changing the session IDs and logging out from the accounts Manasjha (@manas_hunter) viator.com Logic flaw, Session management flaw - 03/16/2020
Using Vulnerability Analytics Feature Like a Boss Ozgur Alp (@ozgur_bbh) - SSRF, Reflected XSS, Authentication bypass $8,600 03/15/2020
How I earned $800 for Host Header Injection Vulnerability Pethuraj (@Pethuraj) - Host header injection, Password reset flaw $800 03/15/2020
My Weirdest Bug Bounty — Getting PII from O365. Omaid Faizyar (@rulesofthetrade) Microsoft Subdomain takeover $1,000 03/14/2020
Blocked User Can Send Notification Due to Logical Bug in Instagram | First Instagram Bug Divyanshu Shukla Meta / Facebook Logic flaw $0 (Duplicate) 03/14/2020
What is your GCP infra worth?…about ~$700 [Bugbounty] Chris Gates (@carnal0wnage) Tokopedia Information disclosure $700 (Never paid) 03/13/2020
User’s email disclosure via invalid password reset link [$250] Myo Min Thu (@myominthu1337) - Password reset flaw, Information disclosure $250 03/13/2020
API secret key Leakage leads to disclosure of Employee’s Information Ace Candelario (@phspades) - Information disclosure $2,000 03/13/2020
Generate valid signatures for FBCDN urls Philippe Harewood (@phwd) Meta / Facebook Logic flaw, Authorization flaw - 03/13/2020
How I got access to critical data of a Company in no time ? Kaustubh Kale - Information disclosure, Lack of rate limiting, Bruteforce - 03/12/2020
[Bug Bounty] Email Content Injection Navneet (@na5n33t) - Email content injection $25 03/12/2020
How I Reported a DoS Vulnerability to AWS Amey Anekar (@ameyanekar) Amazon DoS - 03/11/2020
Generate valid signatures for files hosted in Facebook CDNs Samm0uda (@samm0uda) Meta / Facebook Authorization flaw, Logic flaw - 03/11/2020
Ability to bruteforce Instagram account’s password due to lack of rate limitation protection Samm0uda (@samm0uda) Meta / Facebook Lack of rate limiting, Bruteforce $3,000 03/11/2020
How I was able to bypass the current password? Ninad Mathpati (@ninad_mathpati) - Account takeover, CSRF - 03/11/2020
OTP Bypass - Developer’s Check Shrey Shah (@ShreySh43332033) - OTP bypass - 03/11/2020
Finding a P1 in one minute with Shodan.io (RCE) sw33tLie (@sw33tLie) - RCE - 03/11/2020
Got Easiest Bounty with HTML injection via email confirmation! Shaurya Sharma (@ShauryaSharma05) - HTML injection - 03/11/2020
Vulnerable design leads to personal data leakage- yet another case of an inter-application vulnerability… Marcin Szydlowski (@SecurityKsl) - Logic flaw - 03/09/2020
Broke limited scope with a chain of bugs (tips for every rider CORS) Valeriy Shevchenko (@Krevetk0Valeriy) - CORS misconfiguration, RCE - 03/09/2020
The unexpected Google wide domain check bypass David Schütz (@xdavidhu) Google Logic flaw $6,000 03/08/2020
Breaking the Competition (Bug Bounty Write-up) George O (@georgeomnet) - Race condition, DoS, Logic flaw, Session management flaw $0, Swag 03/08/2020
$5,005 worth vulnerability Duplicated, How I loose $5,005 in a day? Denial of Service - Billion LAUGH Attack (XXE) Muhammad Asim Shahzad - DoS, XXE $0 (Duplicate) 03/08/2020
Google Ads Self-XSS & Html Injection $5000 Syahri Ramadan (@adonkidz7) Google Self XSS, HTML injection $5,000 03/07/2020
How I exploit the JSON CSRF with method override technique Simgamsetti Manikanta (@zaheckmania) - CSRF - 03/07/2020
Google Bug Bounty: Clickjacking on Google Payment (1337$) santuySec (@santuySec) Google Clickjacking $1,337 03/06/2020
Got Bounty with Account takeover (ATO ) Unicode-Case Mapping Collision ! Shaurya Sharma (@ShauryaSharma05) - Account takeover - 03/05/2020
Abusing Slack for Offensive Operations Cody Thomas (@its_a_feature_) Slack Logic flaw $0 (Informative) 03/04/2020
SOP Bypass Kenan (@kenanistaken) - SOP Bypass - 03/03/2020
Exploiting an SSRF: Trials and Tribulations A Bug’z Life (@abugzlife1) - SSRF $0 (Duplicate) 03/03/2020
ManageEngine ServiceDesk Plus: Arbitrary File Upload Duc Anh Bui - Arbitrary file upload, RCE - 03/03/2020
How I CSRF’d My First Bounty! Rajesh Ranjan (@rajesh_ranjan4) - CSRF $500 03/03/2020
SQL Injection Via Stopping the redirection to a login page Abde Ouabala (@4mgh0z) - SQL injection, Authorization flaw - 03/03/2020
SSRF on PDF generator. John Michael (@michan2514) - SSRF - 03/02/2020
Discord embed spoofing DarkMatterMatt Discord Phishing $0 03/02/2020
Facebook OAuth Framework Vulnerability Amol Baikar (@AmolBaikar) Meta / Facebook OAuth flaw $55,000 03/01/2020
A mysterious bug in the firmware of Google’s Titan M chip (CVE-2019-9465) Alexander Bakker Google Cryptographic issues - 02/29/2020
Account Hijack using Authorization bypass () Bhavesh Thakur (@Bhavesh_Thakur_) - Account takeover, Authorization flaw - 02/28/2020
Page Admin Disclosure via an Upgraded Page Post Dan Fabro (@0x61_) Meta / Facebook Authorization flaw, Information disclosure $3,000 02/28/2020
The Tricky XSS Smaran Chand (@smaranchand) - XSS $0 (Won’t fix) 02/28/2020
Facebook CSRF bug which lead to Instagram Partial account takeover. Samm0uda (@samm0uda) Meta / Facebook CSRF, OAuth flaw $12,500 02/28/2020
RCE via Apache Struts2 - Still out there. Abhishek (@abhishake100) - RCE - 02/27/2020
Write-up: AWS Document Signing Security Control Bypass Ozgur Alp (@ozgur_bbh) - AWS flaw $1,000 02/26/2020
Long String DoS Shrey Shah (@ShreySh43332033) - DoS $100 02/26/2020
How I Get my first P1 (Sensitive Information Disclosure) using WPScan Harrmahar (@harrmahar) - Information disclosure - 02/26/2020
How i found 3 SSRF in one day on different bug bounty targets Damanpreet Singh (@MrDamanSingh) - SSRF - 02/25/2020
Mail.Ru Ext.B Scope Account Takeover [ $1500 ] Myo Min Thu (@myominthu1337) Mail.ru Account takeover, OAuth flaw $1,500 02/25/2020
Stored-XSS-on-groups-google-com Alessandro Rumampuk (@Rando02355205) Google Stored XSS $0 (Won’t fix) 02/25/2020
Discord DoS with a single message DarkMatterMatt Discord DoS $0 02/24/2020
Blind XSS against a Googler Uranium238 (@uraniumhacker) Google Blind XSS - 02/23/2020
Reflected XSS In AT&T Myo Min Thu (@myominthu1337) AT&T Reflected XSS - 02/23/2020
Tale of Account Takeovers (Part-1) Vijaysimha Reddy Bathini (@fatratfatrat) - Account takeover, HTTP Parameter Pollution, Password reset flaw, OTP bypass $5,000 02/22/2020
Hunting Tesla Model Y Secrets in the Parts Catalog Evan Connelly (@Evan_Connelly) Tesla Authorization flaw - 02/22/2020
Exploiting Jira for Host Discovery Alex Peña Atlassian CSRF - 02/20/2020
Hacking SMS API Service Provider of a Company |Android App Static Security Analysis | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Information disclosure, Hardcoded credentials - 02/19/2020
A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell Eugene Lim (@spaceraccoonsec) - XXE, RCE, Directory Traversal - 02/18/2020
From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World YoKo Kho (@YokoAcc) - Information disclosure, RCE - 02/18/2020
My First Bounty From Google. Syahri Ramadan (@adonkidz7) Google Self XSS, HTML injection $5,000 02/18/2020
How We Found Another XSS in Google with Acunetix Andrey Leonov (@4lemon) Google XSS $5,000 02/17/2020
Plan Change Logic in Google Fiber (Webpass) Craig Arendt (@signalchaos) Google Logic flaw, Payment tampering - 02/17/2020
Exploiting WebSocket [Application Wide XSS / CSRF] Osama Avvan (@osamaavvan) - XSS, CSRF - 02/17/2020
How I Gain Unrestricted File Upload Remote Code Execution Bug Bounty Shay Grant (@kidshay) - Unrestricted file upload - 02/17/2020
Uploading Backdoor For Fun And Profit. Mohammed Abdul Raheem (@mohdaltaf163) - Unrestricted file upload, RCE - 02/17/2020
How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties Red Timmy Security (@redtimmysec) - RCE - 02/16/2020
Open-redirect Vulnerability on Facebook dw1 Meta / Facebook Open redirect $500 02/16/2020
Blind IDOR in LinkedIn iOS application Hailstorm (@hailstorm1422) LinkedIn IDOR $0 02/16/2020
A Simple IDOR to Account Takeover Swapnil Maurya (@swapmaurya20) - IDOR, Account takeover $4,500 02/11/2020
Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches Ozgur Alp (@ozgur_bbh) - Information disclosure $1,500 02/11/2020
How I discovered an SSRF leading to AWS Metadata Leakage Amey Anekar (@ameyanekar) - SSRF - 02/10/2020
A step-by-step walk-through of an Invalid Endpoint Mohammed Israil (@mdisrail2468) - Information disclosure - 02/09/2020
External XML Entity via File Upload (SVG) Atul (@0xatul) - XXE, Unrestricted file upload - 02/08/2020
Determine users with detailed role model on behalf of any Facebook Application Amol Baikar (@AmolBaikar) Meta / Facebook IDOR - 02/08/2020
IDOR leads to Data leakage and Profile Update vict0ni (@vict0ni) - IDOR, Bruteforce - 02/07/2020
How Inspect Element Got me a Bounty Aditya Soni (@hetroublemakr) - Client-side enforcement of server-side security - 02/06/2020
Popping Alerts in Mixmax Chrome Extension (Write Up) Evan Ricafort (@evanricafort) Mixmax XSS - 02/06/2020
Simple Remote Code Execution Vulnerability Examples for Beginners Ozgur Alp (@ozgur_bbh) - RCE, Unrestricted file upload $15,000 02/05/2020
Google APIS ClickJacking ( $1337) Myo Min Thu (@myominthu1337) Google Clickjacking $1,337 02/05/2020
Site wide CSRF on a popular program Ajinkya Pathare (@fellchase) - CSRF - 02/05/2020
How I Made $600 in Bug Bounty in 15 Minutes with Contrast CE – CVE- 2019-8442 David Lindner (@golfhackerdave) Atlassian (Jira) Information disclosure $600 02/05/2020
Using CSRF I Got Weird Account Takeover Mohamed Sayed (@FlEx0Geek) - CSRF, Account takeover - 02/05/2020
An Unexpected Bounty — Email Bounce Issues Keshav Malik (@g0t_rOoT_) - DoS, Email Bounce Issue - 02/05/2020
Hijacking shared report links in Google Data Studio sushiwushi (@sushiwushi2) Google Authorization flaw - 02/05/2020
How, I dumped crypto data by chaining directory listing to open S3 Bucket Ddigvijay - AWS misconfiguration, Directory listing, Information disclosure - 02/05/2020
Arbitary File Upload too Stored XSS - Bug Bounty m0chan (@m0chan98) - Arbitrary file upload, Stored XSS - 02/04/2020
Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access Gal Weizman (@WeizmanGal) Facebook (WhatsApp) Stored XSS, CSP bypass, Open redirect, RCE $12,500 02/04/2020
Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE Jatin Dhankhar (@jatindhankhar_) HackerEarth RCE - 02/04/2020
Exploiting Insecure Firebase Database! Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Insecure Firebase database - 02/04/2020
Easily leaking passenger information on an Airline Zseano (@zseano) - IDOR - 02/04/2020 Alternative link
CSRF CSRF CSRF… Navneet (@na5n33t) - CSRF $50 02/03/2020
Tumblr Bug Bounty ( $200) Myo Min Thu (@myominthu1337) Automattic (Tumblr) Unrestricted file upload, XSS, Authorization flaw $200 02/02/2020
Disclose Full Admin List of any Facebook Applications Amol Baikar (@AmolBaikar) Meta / Facebook IDOR - 02/02/2020
OK Google: bypass the authentication! Mattia Vinci Google Authentication bypass $0 (Won't fix) 01/31/2020
2FA Bypass via Logical Rate Limiting Bypass Jeppe Bonde Weikop - 2FA bypass, Logic flaw $500 01/30/2020
How I was able to takeover the company’s LinkedIn Page Vijaysimha Reddy Bathini (@fatratfatrat) - Broken Link Hijacking $500 01/29/2020
How I get my first SWAG from SIDN (Sensitive Data Expose) Mehedi Hasan Remon (@mehedi1194) SIDN Broken access control, Information disclosure $0, Swag 01/29/2020
Vimeo Livestream Bug Bounty WriteUp Mohamed Slamat (@oxxy37) Livestream IDOR, Parameter tampering - 01/29/2020
Hyperlink Injection - Easy Money (sometimes) Abhishek Yadav (@abhishake100) - Hyperlink injection $450 01/28/2020
Tale of a Misconfiguration in Password Reset Naveenroy - Password reset flaw, Information disclosure - 01/27/2020
Escalating reflected XSS with HTTP Smuggling Hazana (@HazanaSec) - Reflected XSS, HTTP Request Smuggling - 01/27/2020
XSS on Facebook-Instagram CDN Server bypassing signature protection Amol Baikar (@AmolBaikar) Meta / Facebook XSS - 01/26/2020
Disclose Facebook Business Account ID Amol Baikar (@AmolBaikar) Meta / Facebook Information disclosure $1,500 01/26/2020
XSS on Facebook’s acquisition Oculus CDN Server Amol Baikar (@AmolBaikar) Meta / Facebook XSS - 01/26/2020
Improper Input Validation | Add Custom Text and URLs In SMS send by Snapchat | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Snapchat Parameter tampering $1,000 01/26/2020
Accidental IDOR that Deleted Admin Account. Sayaan Alam (@ehsayaan) - IDOR $325 01/25/2020
The unexpected bounty: A story of Zendesk takeover on REDACTED.com wis4nggeni - Subdomain takeover - 01/25/2020
Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover Samm0uda (@samm0uda) Meta / Facebook Cross-Site Websocket Hijacking (CSWH), Account takeover $12,500 01/23/2020
How I was able to take over any users account with host header injection Ajay Gautam (@evilboyajay) - Host header injection $900 01/23/2020
CORS Misconfiguration leading to Private Information Disclosure Virus0X01 (@Virus0X01) - CORS misconfiguration - 01/23/2020
A Less Known Attack Vector, Second Order IDOR Attacks Ozgur Alp (@ozgur_bbh) - IDOR - 01/22/2020
Password Reset Token Leak Via Referrer Shrey Shah (@ShreySh43332033) - Password reset flaw, Information disclosure - 01/22/2020
Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic Ritish Kumar Singh Meta / Facebook Logic flaw $500 01/22/2020
User Account Takeover via Signup Feature | Bug Bounty POC Muzammil Kayani (@muzammilabbas2) - Account takeover, Logic flaw, Authorization flaw - 01/22/2020
Google Bug Bounty: CSRF in learndigital.withgoogle.com santuySec (@santuySec) Google CSRF $0 (Duplicate) 01/21/2020
Cross Site Request Forgery vulnerability Leads to User Profile Change in Microsoft Express Logic Adesh Nandkishor kolte (@AdeshKolte) Microsoft CSRF - 01/21/2020
How i bought my way to subdomain takeover on Tokopedia wis4nggeni Tokopedia Subdomain takeover - 01/20/2020
GGvulnz — How I hacked hundreds of companies through Google Groups Milan Magyar Google Logic flaw - 01/20/2020
How I accidentally found Bug in Google Search Console Tomi (@noobe_io) Google Logic flaw, Authorization flaw $1,337 01/18/2020
Adding a malicious notebook to be treated like a trusted notebook in Google Colab — 1337$ Raushan Raj (@raushan_rajj) Google Authorization flaw, Logic flaw $1,337 01/17/2020
The trouble with Microsoft’s Troubleshooters Imre Rad (@ImreRad) Microsoft RCE, MiTM $0 (Won’t fix) 01/15/2020
From . in regex to SSRF — part 2 Niemiec Marcin (@xvnpw) - SSRF - 01/14/2020
How I discovered an interesting account takeover flaw? Akash Methani (@0xAkash) - Account takeover, Password reset flaw, Lack of rate limiting - 01/14/2020
In Cloud we “Trust”: Wrong Kubernetes implementation by Google Cloud Platform & Microsoft Azure affecting customers Chen Cohen (@chencococococo) Microsoft, Google Old components with known vulnerabilities - 01/12/2020
No Rate Limit - 2K Bounty Shrey Shah (@ShreySh43332033) Yahoo Lack of rate limiting $2,000 01/12/2020
How I earn $500 from Razer open S3 bucket Sourav Sahana (@kernel_rider) Razer AWS misconfiguration $500 01/12/2020
My First RCE (Stressed Employee gets me 2x bounty) Abhishek Yadav (@abhishake100) - RCE, Unrestricted file upload $900 01/10/2020
Hunting Good Bugs with only <HTML> Ak1T4 (@akita_zen) - Open redirect, HTML injection, SSRF - 01/10/2020
Google Chrome display locking fuzzing Pawel Wylecial (@h0wlu) Google Heap Use-After-Free $5,000 01/08/2020
The Bug That Exposed Your PayPal Password Alex Birsan Paypal XSSI $15,300 01/08/2020
Update: Want to take over the Java ecosystem? All you need is a MITM! Jonathan Leitschuh (@jlleitschuh) Github Insecure communications $2,300 01/08/2020
HTML Injection(Unique Exploitation) Pratik Yadav (@PratikY9967) - HTML injection $250 01/07/2020
Saying Goodbye to my Favorite 5 Minute P1 Allyson O’Malley (@ally_o_malley) Microsoft Information disclosure - 01/06/2020
How I found a Privilege Escalation Bug in a private Ecommerce? Baibhav Anand (@SpongeBhav) - Privilege escalation - 01/06/2020
XSS on Sony subdomain Gökhan Güzelkokar (@gkhck_) Sony Reflected XSS - 01/06/2020
From . in regex to SSRF — part 1 Niemiec Marcin (@xvnpw) - SSRF - 01/05/2020
Account takeover via HTTP Request Smuggling hipotermia (@hipotermia) - HTTP request smuggling, Account takeover, Open redirect, Internal header disclosure - 01/03/2020
Bypass 2FA in a website Sourav Sahana (@kernel_rider) - 2FA bypass - 01/01/2020
Bypass Mobile PIN Verification Sourav Sahana (@kernel_rider) - Authentication bypass $100 01/01/2020

Bug bounty writeups published in 2019

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date Link 2 / Archived page
Story of an IDOR via HTTP Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 12/31/2019
Exploiting HTML Injection in Email Shuaib Oladigbolu (@_sawzeeyy) - HTML injection - 12/31/2019
From POST to GET Open redirect Sourav Sahana (@kernel_rider) - Open redirect $450 12/31/2019
Bug Hunting Journey of 2019 Sudhanshu Rajbhar (@sudhanshur705) Alibaba, Verizon Media, [Private program] XSS, Privilege escalation, Information disclosure $2,500 12/31/2019
Exploiting a Self Stored XSS with an IDOR Shuaib Oladigbolu (@_sawzeeyy) - Self XSS, Stored XSS, IDOR - 12/31/2019
How did I earn $3133.70 from Google Translator? Beri Bey (@uppmen) Google XSS $3,133.70 12/30/2019
Facebook Bug bounty Story: $X000 for an Information Disclosure Bug Circle Ninja (@circleninja) Meta / Facebook Information disclosure - 12/29/2019
How I made $7500 from My First Bug Bounty Found on Google Cloud Platform James Grunewald Google Logic flaw $7,500 12/29/2019
Drop the mic?! no! Drop the connection ;) Sasi Levi (@sasi2103) Google DOM XSS - 12/29/2019
Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty Omkar Bhagwat (@th3_hidd3n_mist) - XSSI $0 (Duplicate) 12/27/2019
Bypassing Brand Collabs Manager Eligibility on Facebook Ajay Gautam (@evilboyajay) Meta / Facebook Authorization flaw $0 12/26/2019
Subdomain takeover via pantheon Smaran Chand (@smaranchand) - Subdomain takeover - 12/26/2019
Microsoft Edge (Chromium) - EoP via XSS to Potential RCE Abdulrahman Alqabandi (@Qab) Microsoft XSS, RCE $40,000 12/24/2019
SOP Bypass via browser-cache Aaron Costello (@ConspiracyProof) Keybase SOP bypass $1,500 12/24/2019
Abusing ImageMagick to obtain RCE Strynx (@Strynx_Security) - ImageMagick, RCE $5,000 12/24/2019
How we hacked one of the worlds largest Cryptocurrency Website Strynx (@Strynx_Security) - SQL injection, RCE - 12/24/2019
Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR) Vijay Kumar (@IndoAppSec) Airbnb IDOR $3,000 12/24/2019
Bugbounty | A Dom Xss Jinone (@jinonehk) - DOM XSS $500 12/24/2019
GraphQL IDOR leads to information disclosure Eshan Singh (@R0X4R) - IDOR - 12/24/2019
CSRF Token Bypasss — A Tale of my $2k bug Adeyefa Oluwatoba (@adeyefa_codes) - CSRF, Account takeover $2,000 12/23/2019
reCAPTCHA Exploits Dr. Neal Krawetz (@hackerfactor) Google reCAPTCHA bypass $0 12/23/2019
From broken link to subfolder takeover on Bukalapak wis4nggeni Bukalapak AWS flaw - 12/23/2019
2 FA Bypass via CSRF Attack Vishal Bharad Mail.ru 2FA bypass, CSRF $0 (Out of scope) 12/23/2019
Full Account Takeover (Android Application) Vishal Bharad - Information disclosure, Account takeover - 12/21/2019
Bypassing Captcha ! Abhishek Yadav (@abhishake100) - Captcha bypass $200 12/20/2019
Account Takeover Through Password Reset Poisoning Vishal Bharad - Password reset flaw, Account takeover - 12/19/2019
#BugBounty — How Snapdeal (India’s Popular E-commerce Website) Kept their Users Data at Risk! Nanda Kumar (@nk00_nk) Snapdeal Insecure storage of sensitive information - 12/19/2019
[Google VRP] SSRF in Google Cloud Platform StackDriver Ron Chan (@ngalongc) Google SSRF - 12/19/2019
Abusing feature to steal your tokens Harsh Jaiswal (@rootxharsh) - OAuth flaw $3,750 12/17/2019
BreakingApp – WhatsApp Crash & Data Loss Bug Dikla Barda, Roman Zaikin & Yaara Shriki Meta / Facebook DoS - 12/17/2019
[email protected] Disclosure via IDOR Pratyush Anjan Sarangi - IDOR $750 12/16/2019
Stored Iframe Injection + CSRF = Account Takeover 😎😎 Rounak Dhadiwal (@XploiteR_D) - HTML injection, CSRF - 12/16/2019
How I Took Over 2 Subdomains with Azure CDN Profiles m0chan (@m0chan98) - Subdomain takeover - 12/16/2019
4 Google Cloud Shell bugs explained [email protected] (@wtm_offensi) Google RCE - 12/16/2019
Authorization bug that every bug hunter missed on a popular program Ajinkya Pathare (@fellchase) - Authorization flaw - 12/15/2019
Vimeo upload function SSRF Sayed Abdelhafiz (@dPhoeniixx) - SSRF $5,000 12/13/2019
How I was able to find a logical bug on Instagram? Jabir Khan (@Jabirkhan0x0) Meta / Facebook Logic flaw - 12/13/2019
Facebook New Account Verification Bypass Santosh Baral (@santoshbrl5) Meta / Facebook Authentication bypass $0 (Internal duplicate) 12/13/2019
Multiple Host Header Attacks after bypassing protection with… a Header Attack vict0ni (@vict0ni) - Host header injection - 12/12/2019
$500 getClass Ezequiel Pereira (@epereiralopez) Google Java vulnerability $500 12/12/2019
A $25 Easy Bug. Navneet (@na5n33t) - Session management flaw $25 12/12/2019
SSRF via FFmpeg HLS processing Pflash Punk (@PflashPunk) - SSRF $0 (Duplicate) 12/11/2019
Blind Xss (A mind game to win the battle) Dirtycoder (@dirtycoder0124) - Blind XSS $1,000 12/11/2019
AirDoS: Remotely render any nearby iPhone or iPad unusable Kishan Bagaria (@KishanBagaria) Apple DoS - 12/10/2019
Get pwned by scanning QR Code Nikhil Mittal (@c0d3G33k) Mozilla XSS, CSP bypass - 12/10/2019
Authentication Bypass Rushiikesh (@u1tran00b) - 2FA bypass $700 12/09/2019
Media deletion CSRF vulnerability on Instagram Pouya Darabi (@Pouyadarabi) Meta / Facebook CSRF $3,000 12/09/2019
Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution. Vladimir Metnew (@vladimir_metnew) Telegram RCE $500 12/08/2019
Spilling Local Files via XXE when HTTP OOB fails Rahul Maini - XXE - 12/07/2019
Reusing Cookies Ricardo Iramar dos Santos - Session management flaw $400 12/07/2019
HTML Injection to XSS bypass in [REDACTED.com] Evan Ricafort (@evanricafort) - Reflected XSS $600 12/07/2019
$150 XSS at Error Page of Respository Code Navneet (@na5n33t) - Reflected XSS $150 12/07/2019
Google Chrome portal element fuzzing Pawel Wylecial (@h0wlu) Google RCE, Heap Buffer Overflow, Heap Use-After-Free $8,000 12/06/2019
HTTP Request Smuggling + IDOR hipotermia (@hipotermia) - HTTP request smuggling, IDOR - 12/05/2019
XSS like a Pro Anas Mahmood (@AnasIsHere) - XSS $450 12/05/2019
Dank Writeup On Broken Access Control On An Indian Startup Divyanshu Shukla - Unrestricted file upload, Authorization flaw - 11/30/2019
My first RCE: a tale of good ideas and good friends rez0 (@rez0__) - RCE, ImageTragick - 11/29/2019
How I turned Self XSS to Stored via CSRF Abhishek Yadav (@abhishake100) - Self XSS, CSRF $550 11/29/2019
Hacking GitHub with Unicode’s dotless ‘i’ John Gracey (@jagracey) Github Logic flaw - 11/28/2019
XSS Stored On [ Outlook Web — Outlook Android App ] ElMahdi Mrhassel (@ElMrhassel) Microsoft Stored XSS $2,400 11/28/2019 Archived page
Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge Samm0uda (@samm0uda) Meta / Facebook Reflected XSS, Account takeover $5,000 11/27/2019 Archived page
Site Isolation bypass via Chrome extension Anthony Weems Google Browser bug, Site Isolation bypass $3,133.70 11/27/2019
Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings Johns Simon (@Johnssimon22) - Authorization flaw - 11/27/2019 Archived page
How Did Tons of People Like Me on Tinder? Mustafa iran (@Mustafaran) - HTTP request smuggling $2,500 11/25/2019
Finding a security bug in Discord and what it taught me Tristan Farkas (@TristanAtFarkas) Discord OAuth flaw - 11/24/2019
CORS Misconfiguration to Account TakeOver [Out of scope to grab items In-Scope] Mashoud1122 (@mashoud1122) - CORS misconfiguration, Open redirect, Reflected XSS, Session management flaw $1,500 11/24/2019
The AccountTakeOver Killing Chain أنس روبي (@xhzeem) - Account takeover, CSRF, Self-XSS - 11/23/2019
Exploiting padding oracles with fixed IVs Teddy Katz (@not_aardvark) - Padding oracle, Account takeover - 11/23/2019
IDOR via Websockets Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 11/23/2019
Stories Of IDOR-Part 2 Shivbihari Pandey (@ninja_pandit_) - IDOR $3,650 11/21/2019
Disable Any Unconfirmed Account in Facebook Lokesh Kumar (@lokeshdlk77) Meta / Facebook Bruteforce $1,000 11/21/2019
700$ Denial of Service(DoS) vulnerability in script-loader.php (CVE-2018-6389) Pankaj Thakur (@Nep_1337_1998) - DoS $700 11/21/2019
Reply To Instagram Stories where privacy of who can reply is set to ‘Nobody’. (Part 2) Baibhav Anand (@SpongeBhav) Meta / Facebook Authorization flaw $1,000 11/21/2019
How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads Mohamed Daher (@DaherMohamed4) - XSS $1,054 11/20/2019
Cracking reCAPTCHA, Turbo Intruder style James Kettle (@albinowax) Google Race condition $0 11/20/2019
Subdomain Takeover via Campaignmonitor.com Mohamed Haron (@m7mdharon) - Subdomain takeover $900 11/20/2019
How I could delete Facebook Ask for Recommendations post’s place objects in comments Raja Sudhakar (@Rajasudhakar) Meta / Facebook IDOR - 11/20/2019
Broken session management leads to bypass 2FA and Permanent access to Facebook user’s Mahmoud Barakat (@0xBarakat) Meta / Facebook Authentication bypass - 11/19/2019
Disclose the owner of a recruiting manager in Jobs Beta Philippe Harewood (@phwd) Meta / Facebook Information disclosure - 11/19/2019
Million Users PII Leak Data Leak Shivbihari Pandey (@ninja_pandit_) - Information disclosure, Blind XSS $3,250 11/18/2019
XSS in GMail’s AMP4Email via DOM Clobbering Michał Bentkowski (@securitymb) Google XSS, DOM Clobbering - 11/18/2019
This is How I was able to hunt a rare bug in a private program Abida Fahd - Lack of authentication, Privilege escalation - 11/18/2019
My First Bug ($500) Abhishek Yadav (@abhishake100) - No valid SPF records $500 11/18/2019
Bypassing the patch for my previous Instagram bug. Baibhav Anand (@SpongeBhav) Meta / Facebook Authorization flaw, Logic flaw - 11/18/2019
Privilege Escalation with simple recon Mayur Gupta (@RisingHunter_) - Privilege Escalation, Blind XSS - 11/16/2019
LDAP Admin Account Bypassed :) Himanshu Pdy (@himanshu_pdy_01) - LDAP injection, Authentication bypass - 11/16/2019
View the ranked messenger users for any page Philippe Harewood (@phwd) Meta / Facebook Information disclosure, Authorization flaw - 11/16/2019
[Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Tokopedia IDOR $135 11/15/2019
Authenticated CORS with Access-Control-Allow-Origin: * BitK (@BitK_) Chromium Caching issue, Browser bug $0 (won’t fix) 11/15/2019
Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE) Daniel Marte (@DanielM59720745) - IDOR - 11/15/2019
Taking over Facebook Page Tabs Sagar Tanur (@Sagarvd01) Meta / Facebook Broken link hijacking $0 (informative) 11/14/2019
[Server Side Request Forgery] Blind SSRF due to Sentry Misconfiguration Kent Bayron (@bayronkentoy) - SSRF $300 11/14/2019
Command Injection Through BLH Shankar R (@trapp3r_hat) Meta / Facebook Broken link hijacking $0 (informative) 11/14/2019
Mass XS-Search using Cache Attack terjanq (@terjanq) Google XS-Search - 11/12/2019
How I accidentally took down GitHub Actions Teddy Katz (@not_aardvark) GitHub Denial of Service, Commit Hash Collisions $5,000 11/12/2019
Bug Bounty: Broken API Authorization Th3hidd3nmist (@th3_hidd3n_mist) - Authorization flaw $440 11/12/2019
How i Bought VPS, Hosting, Domain only $0.01 Zerb0a - Payment tampering $500 11/12/2019
Keylogging users via Slack themes Matt Langlois (@fletchto99) Slack CSS injection $500 11/11/2019
My First SSRF Using DNS Rebinding Marek Geleta (@marek_geleta) - SSRF, DNS rebinding - 11/11/2019
DOM-Based XSS | Bug Bounty Writeup HacknPentest (@HacknPentest) - DOM XSS $100 11/10/2019
BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! 😎 Akash Agrawal (@akashmagrawal) - 2FA bypass, Lack of rate limiting - 11/08/2019
How I Hacked Dutch Government in 5 Minutes? Twitter Account Takeover Numan ÖZDEMİR (@numanozdemircom) Dutch Government Broken link hijacking $0, Swag 11/06/2019
A simple post auth bypass leads to unauthorized web server access Hein Thant Zin (@H3Lowr) - Default credentials $750 11/08/2019
Bypassing GitHub’s OAuth flow Teddy Katz (@not_aardvark) GitHub OAuth flaw, Authorization bypass $25,000 11/05/2019
BugBounty | A Simple SSRF Jinone (@jinonehk) - SSRF, DNS Rebinding $1,500 11/05/2019
XSS will never die Oleksandr Opanasiuk (@Lekssik2) - XSS - 11/02/2019
Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty Sam Curry (@samwcyo) - Null byte buffer overflow $40,000 11/01/2019
Download this tool and you win zoid (@z0idsec) - Open redirect - 10/31/2019
Live Video facebook application (Android) its not expired when log out the device on https://www.facebook.com/settings?tab=security&section=sessions&view Naufal Septiadi Meta / Facebook Logic flaw $500 10/30/2019
GraphQL introspection leads to sensitive data disclosure. Eshan Singh (@R0X4R) - Information disclosure - 10/30/2019
5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!) YoKo Kho (@YokoAcc) Avast Reflected XSS $5,000 10/29/2019
Cross Site Request Forgery Critical Exploitable IN Infected Site? Hossam Mesbah - CSRF - 10/29/2019
XSS to Account Takeover Tomi (@noobe_io) - XSS, CSRF - 10/29/2019
[Leak] Can I take the user information, please?!! Mohamed Sayed (@FlEx0Geek) - Information disclosure - 10/29/2019
How I hacked 50+ Companies in 6 hrs Vignesh C (@pwn_r00t) - SSTI, RCE - 10/29/2019
[Writeup — FB] Crash web — app through application form of job application pages TienDat Meta / Facebook DoS - 10/28/2019
Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO) YoKo Kho (@YokoAcc) Opera RTLO - 10/26/2019
How to Takover a ldap server. Ashish Kunwar (@D0rkerDevil) - Exposed LDAP server - 10/25/2019
Session Expiration Bypass in Facebook Creator App Ajay Gautam (@evilboyajay) Meta / Facebook Session expiration bypass $1,500 06/22/2019
How I earned $$$$ by finding confidential customer data including plain-text passwords! Sushant Soni (@sushantsoni5392) - Directory listing, Information disclosure - 10/24/2019
NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] Nightwatch Cybersecurity (@nightwatchcyber) Google NFC - 10/24/2019
(POC) Disclose members in any closed Facebook group Ahmad Talahmeh Meta / Facebook Information disclosure $3,000 10/22/2019
[ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google ) Danang Tri Atmaja (@danangtriatmj) Google Authentication flaw - 10/21/2019
How PayPal helped me to generate XSS Pflash Punk (@PflashPunk) Paypal Reflected XSS $250 10/20/2019
Escalating Privileges like a Pro Gaurav Narwani (@gauravnarwani97) - Privilege escalation - 10/20/2019
Hunting for bounties antihack.me case study 0xSha (@0xsha) AntiHack.me RCE, XSS, Logic flaw, Information disclosure - 10/20/2019
[email protected] Disclosure via IDOR Pratyush Anjan Sarangi - IDOR, Information disclosure $750 10/18/2019
1-800-Flowers Credentials and message log leak via facebook.com/facebook Philippe Harewood (@phwd) Meta / Facebook AWS misconfiguration - 10/17/2019
How I was able to bypass OTP code requirement in Razer [The story of a critical bug] Ananda Dhakal (@dhakal_ananda) Razer OTP bypass $1,000 10/16/2019
How I found RCE But Got Duplicated Smile Hacker - Unrestricted file upload, RCE - 10/15/2019
[ Writeup — Bugbounty Facebook ] Disclosure the verified phone number in Checkpoint. TienDat Meta / Facebook Information disclosure $500 10/15/2019
How I bypassed 2 Factor Authentication Hemant Singh Manral - 2FA bypass $250 10/15/2019
An inconsistent CSRF Smaran Chand (@smaranchand) - CSRF $0 10/15/2019
Finding SQL injections fast with white-box analysis — a recent bug example frycos (@frycos) Zoho SQL injection - 10/13/2019
Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. Rohit kumar (@rohitcoder) Meta / Facebook Authorization flaw - 10/12/2019
Bypass Uppercase filters like a PRO (XSS Advanced Methods) MasterSEC (@MasterSEC_AR) - XSS $1,000 10/11/2019
How i Hacked BASF Company !! Murtada Kamil BASF Lack of authentication - 10/10/2019
EXIF Geolocation Data Not Stripped From Uploaded Images Sourav Newatia (@souravnewatia) - Information disclosure $500 10/09/2019
Vulnerability To Bypass Clickjacking Protection In Youtube spidersec (@SpiderSec) Google Clickjacking - 10/06/2019
How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores Prateek Tiwari Samsung Information disclosure - 10/05/2019
From Multiple IDORs leading to Code Execution on a different Host Container Rahul (@Rahul_R95) - IDOR, RCE - 10/04/2019
How I made 1000$ with AT&T Bug Bounty(H1) Adesh Nandkishor kolte (@AdeshKolte) AT&T CSRF, Account takeover $1,000 10/02/2019
REST framework Admin Panel bypass and how I recon for this vulnerability Aziz Hakim (@hackerb0y_) - Authentication bypass - 10/02/2019
GraphQL Introspection leads to Sensitive Data Disclosure. Pranay Bafna - Information disclosure - 10/02/2019
How a double-free bug in WhatsApp turns to RCE Awakened Facebook (WhatsApp) Memory corruption bug, RCE, Android app bug - 10/02/2019
How to get RCE on AEM instance without Java knowledge byq (@ByQwert) - RCE $1,000 10/01/2019
Stealing login credentials with Reflected XSS mehulpanchal007 (@007_sharky) - Reflected XSS $100 10/01/2019
One Way to Find Hidden IDOR Vulnerability Vulkey_Chen (@Vulkey_Chen) - IDOR ¥3,000 (~ $28) 10/01/2019
Bug Hunting: Xss On Cookie Popup Warning vict0ni (@vict0ni) - Reflected XSS - 09/30/2019
Spear texting via parameter injection Kyle (@B3nac) - Parameter tampering $900 09/29/2019
XSS Is Love <3 ! Nirmal Dahal (@TheNittam) - XSS - 09/29/2019
Stories Of IDOR Shivbihari Pandey (@ninja_pandit_) - IDOR - 09/28/2019
OnePlus Open/Unvalidated Redirects & Forwards Mainak Sadhukhan OnePlus Open redirect - 09/26/2019
Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure Sam Curry (@samwcyo) Atlassian Path traversal $11,000 09/25/2019
Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork - 1,000 USD YoKo Kho (@YoKoAcc) Paypal Information disclosure $1,000 09/24/2019
ONEPLUS XSS vulnerability in Customer Support Portal Mainak Sadhukhan OnePlus XSS - 09/24/2019
Fuzzing Till Verneet (@err0rrrrr) - SSTI - 09/23/2019
Broken Link Hijacking - s3 buckets Tutorgeeks (@tutorgeeks) Google Broken link hijacking - 09/22/2019
[Bug Bounty] Exploiting Cookie Based XSS by Finding RCE Tomi (@noobe_io) - Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE, XSS - 09/22/2019
[Case Study] OAuth Misconfiguration leads to Account Takeover Gaurang Bhatnagar (@0xgaurang) - OAuth flaw, Account takeover - 09/21/2019
Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public Guhan Raja (@havocgwen) Meta / Facebook Privilege escalation $500 09/21/2019
A Simple bypass of Registration Activation that Lead to many Bug - YoKo Kho (@YoKoAcc) - Information disclosure, IDOR, CSRF - 09/21/2019
Bug or Feature? GitHub Adventure #001 Dominik Opyd (@oad_earth) - OAuth flaw, Open redirect $0 09/21/2019
Stored XSS on Zendesk via Macro’s PART 2 Hariharan.s (@DJHARIZ1) Zendesk Stored XSS - 09/20/2019
IDOR in One plus leads to leak User personal Info. Aditya Sharma (@Assass1nmarcos) OnePlus IDOR $0, Swag 09/20/2019 Archived page
How I able to Takeover 10 subdomains in a Private Program ? Mohamed Haron (@m7mdharon) - Subdomain takeover $500 09/20/2019
Business ID leak via Creative Hub redirect Philippe Harewood (@phwd) Meta / Facebook Open redirect - 09/20/2019
Admin hijacked by Sea Surf Pirates Gaurav Narwani (@gauravnarwani97) Dolibarr Stored XSS, CSRF, Account takeover - 09/19/2019
SSRF | Reading Local Files from DownNotifier server Dr.FarFar (@3XS0) - SSRF - 09/18/2019
RCE with Flask Jinja Template Injection AkShAy KaTkAr (@AkShAy KaTkAr) - SSTI, RCE - 09/17/2019
Client, not client! Tung Pun - LFI $1,000 09/15/2019
Google Referer Leak Bug Jayateertha Guruprasad (@JayateerthaG) Google Referer leakage, Information disclosure - 09/15/2019
How I found a simple and weird Account takeover bug Bijan Murmu (@0xBijan) - Account takeover, Lack of authentication - 09/14/2019
OTP Manipulation Kishan choudhary (@choudhary_1337) - OTP bypass $300 09/14/2019
Race Condition that could Result to RCE - (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3) YoKo Kho (@YoKoAcc) - Race condition, RCE, Unrestricted file upload - 09/14/2019
I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead Anand Prakash (@sehacure) Uber Information disclosure $6,500 09/13/2019 Mirror link
How two dead accounts allowed remote crash of any instagram android user Valerio brussani (@val_brux) Meta / Facebook DoS - 09/13/2019
Unauthorized access to all user information leaks C1h2e1 (@C1h2e11) - Information disclosure - 09/13/2019
HTTP Request Smuggling CL.TE memN0ps (@memN0ps) - HTTP request smuggling - 09/13/2019
Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. HackerOn2Wheels (@HackerOn2Wheels) - RCE, Unrestricted file upload $3,000 09/13/2019
Facebook employee internal tool and conversations leaked in Facebook video Philippe Harewood (@phwd) Meta / Facebook Information disclosure - 09/12/2019
How does my recon win $250 in 15 minutes Hein Thant Zin (@H3Lowr) - Open redirect $250 09/12/2019
Add users to roles on Facebook pages without an invitation consent Philippe Harewood (@phwd) Meta / Facebook Authorization flaw - 09/12/2019
Pwn Them All #BugBounty Bilal Khan (@bilalmerokhel) - Host header injection, Password reset flaw - 09/11/2019
Subscribe to the list of requesters to join a Facebook live video using MQTT Philippe Harewood (@phwd) Meta / Facebook Authorization flaw - 09/10/2019
H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress Julien Ahrens (@MrTuxracer) Uber Stored XSS, SQL injection - 09/10/2019
Telegram addresses another privacy issue Dhiraj (@RandomDhiraj) Telegram Logic flaw, Privacy issue €2,500 09/09/2019
Accessing 2 million Verizon Pay Monthly contracts Daley Bee (@daley) Verizon Information disclosure, Authentication bypass, IDOR - 09/09/2019
Oculus identity verification bypass through brute-force karthik kumar reddy (@karthiksunny007) Meta / Facebook OTP bypass, Lack of rate limiting $750 09/09/2019
XSS in Zoho Mail Anas Mahmood (@AnasIsHere) Zoho Mail XSS $200 09/08/2019
Exploiting JSONP and Bypassing Referer Check Osama Avvan (@osamaavvan) - Information disclosure, JSONP flaw - 09/07/2019
Write up of two HTTP Requests Smuggling C1h2e1 (@C1h2e11) - HTTP request smuggling - 09/07/2019
Finding Gem in Someone’s Report: Instant $500USD at HackerOne Platform Hisoka Morou - Information disclosure $500 09/07/2019
Super Glamorous Recon with Intended Functionalities hateshape (@hateshaped) - SSTI, XSS - 09/06/2019
DOM Based XSS in Private Program Mohamed Haron (@m7mdharon) - DOM XSS $500 09/05/2019
Readme.com Account Takeover Ankush Goel (@0xankush) Readme.com Password reset flaw $0 (No response) 09/05/2019
Exposed Jenkins to RCE on 8 Adobe Experience Managers Corben Leo (@hacker_) - RCE - 09/04/2019
Add new user with Admin permission and takeover the organization Tarek Mohamed (@Conan0x3) - Authorization flaw, Privilege escalation - 09/04/2019
RCE using Path Traversal inc0gbyt3 (@incogbyte) - RCE, Path traversal - 09/02/2019
HTML to PDF converter bug leads to RCE in Facebook server Samm0uda (@samm0uda) Meta / Facebook RCE $1,000 09/02/2019 Archived page
Google Cloud Blog platform vulnerability Alexandru Coltuneac (@dekeeu) Google XSS - 09/01/2019
Graphql Bug to Steal Anyone’s Address Pratik Yadav (@PratikY9967) - Information disclosure, GraphQL bug - 09/01/2019
My First LFI Tirtha Mandal (@tirtha_mandal) - LFI $1,000 08/31/2019
Shodan is your friend!!! If you ignore him you will lose many… Vijaysimha Reddy Bathini (@fatratfatrat) - SQL injection, Authentication bypass - 08/28/2019
Address bar spoofing in Firefox Lite for Android …and the idiocy that followed Piyush Raj (@0x48piraj) Mozilla Address Bar Spoofing, URL spoofing - 08/29/2019
How to look for JS files Vulnerability for fun and profit? Yeasir Arafat - Information disclosure - 08/27/2019
Private bug bounty $,$$$ USD: “RCE as root on Marathon-Mesos instance” Omar Espino (@omespino) - RCE - 08/27/2019
How i was able to exploit the same endpoint 2 times ( multiple xss & open Redirection on 10 subdomain) Ratnadip Gajbhiye (@scspcommunity) Sanity.io XSS, Open redirect - 08/26/2019
How I Hacked Instagram Again Laxman Muthiyah (@LaxmanMuthiyah) Meta / Facebook Password reset flaw, Account takeover $10,000 08/26/2019
Bug Bounty: Bypassing a crappy WAF to exploit a blind SQL injection Robin Verton (@robinverton) - Blind SQL injection - 08/25/2019
Create living room polls as a Facebook page analyst Philippe Harewood (@phwd) Meta / Facebook Authorization flaw $5,000 08/24/2019
From Github Recon To Account Takeover Dipak kumar Das (@d1pakdas) - Information disclosure, Account takeover - 08/24/2019
Cookie worth a fortune Gaurav Narwani (@gauravnarwani97) - Reflected XSS - 08/23/2019
One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse Lorenzo Stella (@lorenzostella) 1Password, Keeper, Dashlane Information disclosure, Content leak - 08/22/2019
Rights Manager Graph API Disclosure of business employee to non business employee Jafar Abo Nada (@Jafar_Abo_Nada) Meta / Facebook Information disclosure - 08/22/2019
Instagram account is reactivated without entering 2FA ($500) Aman Shahid (@amansmughal) Meta / Facebook 2FA bypass, Authentication flaw $500 08/21/2019
Sending Message as page being an analyst/ advertiser? Baibhav Anand (@SpongeBhav) Meta / Facebook Authorization flaw $0 08/21/2019
How I made my first $$$ from finding a bug in Facebook Aayush Pokhrel (@aayushpok) Meta / Facebook Authorization flaw - 08/21/2019
How I upgraded my privileges to the administrator of Odnoklassniki’s url shortener Sergey Kashatov (@iframe0x01) ok.ru Privilege escalation $500 08/20/2019
Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device Arvind (@ar_arv1nd) Meta / Facebook Authorization flaw - 08/19/2019
U.S. Department of Defense - Info Disclosure and SQLi Writeup Aaron Esau (@arinerron) U.S. Dept Of Defense Information disclosure, SQL injection - 08/19/2019
Removing profile pictures for any Facebook user Philippe Harewood (@phwd) Meta / Facebook IDOR $2,500 08/19/2019
Add users to roles on Facebook pages without an invitation consent (revisited) Philippe Harewood (@phwd) Meta / Facebook Logic flaw, Authorization flaw - 08/18/2019
How I was able to earn 1000$ with just 10 minutes of bug bounty? Ninad Mathpati (@ninad_mathpati) - Password reset flaw $1,000 08/17/2019
ByPassing fix of Domain Blocking feature in Business Manager Rohit kumar (@rohitcoder) Meta / Facebook Authorization flaw, Logic flaw - 08/15/2019
Facebook Messenger exposing deleted messages using [Remove for Everyone] Renwa (@RenwaX23) Meta / Facebook Logic flaw - 08/15/2019
BookMyShow account takeover using social login Sukhmeet Singh (@MadGuyyy) BookMyShow OAuth flaw, Account takeover ₹2,000 (~ $28) 08/15/2019
[Business Logic] Bypassing Nickname Feature Kent Bayron (@bayronkentoy) - Logic flaw $50 08/14/2019
[Business Logic Bug] Bypassing Nickname Feature Kent Bayron / kntx (@bayronkentoy) - Logic flaw $50 08/14/2019
BugBounty WriteUp — take attention and get Stored XSS Oleksandr Opanasiuk (@Lekssik2) - Stored XSS - 08/14/2019
How I XSSed Admin Account Gaurav Narwani (@gauravnarwani97) - Stored XSS, Account takeover - 08/13/2019
SSRF Vulnerability in https://app.[REDACTED].com Evan Ricafort (@evanricafort) - SSRF $0 (Duplicate) 08/13/2019
Reporting - Amazon 1 click device XSS Sneakerhax (@sneakerhax) Amazon XSS - 08/12/2019
Clickjacking DOM XSS on Google.org Thomas Orlita (@ThomasOrlita) Google Clickjacking, DOM XSS - 08/12/2019
Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up) Evan Ricafort (@evanricafort) - Application-Level DoS $300 08/10/2019
Two Easy RCE in Atlassian Products Valeriy Shevchenko (@Krevetk0Valeriy) Atlassian RCE - 08/09/2019
Read other user support tickets in https://support..com (Write Up) Evan Ricafort (@evanricafort) - IDOR $120 08/09/2019
Privilege Escalation using Api endpoint Ronak Patel (@ronak_9889) - Privilege Escalation - 08/09/2019
Writing my Medium blog to complete account takeover Rotem Reiss (@rotem_reiss) Medium Stored XSS, Account takeover $1,000 08/09/2019
LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo) initstring (@init_string) Microsoft SSRF $0 (Won’t fix) 08/09/2019
Exploiting Out Of Band XXE using internal network and php wrappers Mahmoud Gamal (@Zombiehelp54) - XXE - 08/06/2019
BugBounty WriteUp — Creative thinking is our everything (Race Condition + Business Logic Error) Oleksandr Opanasiuk (@Lekssik2) - Race condition, Logic flaw - 08/05/2019
Stored XSS on LaporBug.id rizal (@sayadarijawa) LaporBug.id Stored XSS - 08/05/2019
Vulnerability in Hangouts Chat: from open redirect to code execution VulnerabilityLabs Google Open redirect, RCE $7,500 08/04/2019
Leveraging AngularJS-based XSS to Privilege Escalation Shawar Khan (@ShawarkOFFICIAL) - XSS, Privilege escalation - 08/04/2019
How I Found XSS By Searching In Shodan D1vy4n5hu 5hukl4 (@justm0rph3u5) - Reflected XSS - 08/04/2019
No Rate limiting eligible for bounty ? Smaran Chand (@smaranchand) - Lack of rate limiting - 08/03/2019
From Sub domain Takeover to Open-Redirect Anil Tom (mr_4nk) - Subdomain takeover, Open redirect $150 08/02/2019
One Misconfig (JIRA) to Leak Them All- Including NASA and Hundreds of Fortune 500 Companies! Avinash Jain (@logicbomb_1) - Information disclosure - 08/02/2019
Bypassing CORS VulnerabilityLabs - CORS misconfiguration - 08/01/2019
Complete information disclosure using Broken Access Control Bhavesh Thakur (@Bhavesh_Thakur_) - Information disclosure, Authorization flaw $100 08/01/2019
Download predictions details of ads plans of any business. Samm0uda (@samm0uda) Meta / Facebook IDOR - 08/01/2019 Archived page
Internal path disclosure in Instagram server Samm0uda (@samm0uda) Meta / Facebook Internal path disclosure, Information disclosure - 08/01/2019 Archived page
Access portal of Facebook mobile retailers and see earnings and referrals reports. Samm0uda (@samm0uda) Meta / Facebook IDOR, Authorization flaw $500 08/01/2019 Archived page
View orders and financial reports lists for any page shop. Samm0uda (@samm0uda) Meta / Facebook Authorization flaw $500 08/01/2019 Archived page
Bypassing CORS Saad Ahmed (@XSaadAhmedX) - CORS misconfiguration - 08/01/2019
RCE in Ruby using Mustache Templates Rhys Elsmore (@rhyselsmore) - RCE - 08/01/2019
Reposted [2017]: LinkedIn Hacker’s Experience Alexandru Coltuneac (@dekeeu) LinkedIn Stored XSS - 07/30/2019
Reposted [2019]: Hacking YouTube for #fun and #profit Alexandru Coltuneac (@dekeeu) Google Authorization flaw - 07/30/2019
Paypal bug $10K - All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts Mohd haji (@mohdhaji24) Paypal IDOR $10,500 07/30/2019
SQL Injection in private-site.com/login.php Mohamed Haron (@m7mdharon) - SQL injection $0 (Out of scope) 07/30/2019
1st Bounty Story | Rewarded 300$ (IDOR) Md Hridoy - IDOR $300 07/29/2019
Story of an IDOR via Email Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 07/29/2019
Old GitHub Profile Takeover! Mohamed Haron (@m7mdharon) - Github account takeover $1,000 07/28/2019
Chaining Cache Poisoning To Stored XSS Rohan aggarwal (@nahoragg) - Web cache poisoning, Stored XSS - 07/28/2019
Solr Injection by abusing Local Parameters on Zomato.com Ronak Patel (@ronak_9889) Zomato Solr Injection $700 07/27/2019
Story about Facebook Oauth Account Takeover Zerb0a iLOTTE Account takeover, OAuth flaw IDR 2.000.000 (~ $150) 07/26/2019
Facebook BugBounty: Tale of an Instagram bug disclosing user’s phone number via checkpoint Bijan Murmu (@0xBijan) Meta / Facebook Information disclosure - 07/26/2019
Full Account Takeover via Changing Email And Password of any User through API Parameters Adesh Nandkishor kolte (@AdeshKolte) - IDOR, Password reset flaw, Account takeover - 07/26/2019
Price Parameter Tampering On Bukalapak Apapedulimu (@LocalHost31337) Bukalapak Parameter tampering $150 07/24/2019
How I found the most critical bug in live bug bounty event? Lakshay (@inn0c3ntd3v1L) - Password reset flaw, Account takeover - 07/24/2019
XSS to RCE in … Hungry Bytes (@hungrybytes) Github XSS, RCE - 07/24/2019
Disclose any main and 3rd party contributors email address and movie local path thru XML file in Plex TV - plex.tv (Write Up) Evan Ricafort (@evanricafort) Plex TV Information disclosure, Path disclosure $0 07/24/2019
XX to XXX in one day Baibhav Anand (@SpongeBhav) WePay, [Private program] Account takeover, Parameter tampering - 07/23/2019
Pwning child company to get access to ParentCompany’s Slack Team Parth Malhotra (@Parth_Malhotra) - SQL injection, Default credentials - 07/23/2019
XSS On Twitter [Worth 1120$] Bywalks (@bywalkss) - XSS $1,120 07/22/2019
Reflected XSS in Ebay.com Sukhmeet Singh (@MadGuyyy) Ebay Reflected XSS $0, HoF 07/22/2019
Not a fancy bug, just HTML Injection in Clause - clause.io (Write Up) Evan Ricafort (@evanricafort) Clause HTML injection $250 07/21/2019
Subscribe to typing notifications for any Instagram user Philippe Harewood (@phwd) Meta / Facebook Authorization flaw $5,750 07/21/2019
Shopping Products For Free- Parameter Tampering Vulnerability D1vy4n5hu 5hukl4 (@justm0rph3u5) - Parameter tampering, Payment tampering - 07/21/2019
Exploiting a Tricky Blind SQL Injection inside LIMIT clause Rahul Maini - SQL injection - 07/21/2019
Get Page Inbox notifications for any Facebook page Philippe Harewood (@phwd) Meta / Facebook Authorization flaw, Information disclosure - 07/20/2019
Microsoft ID Open Redirect Burninator Sec Microsoft Open redirect $0 07/19/2019
Microsoft Office 365 - Outlook XSS Abdulrahman Alqabandi (@Qab) Microsoft XSS - 07/19/2019
SQL Injection in Forget Password Function Khaled Gaber - SQL injection - 07/18/2019
How to lock a GitHub user out of their repos (bug or feature?) Teserakt AG Github DoS $0 (Feature) 07/18/2019
Cookie-based XSS exploitation | $2300 Bug Bounty story Max (@iSecMax) - XSS $2,300 07/17/2019
Account Takeover Vulnerability :) Sumit Jain (@sumit_cfe) - Password reset flaw, Account takeover - 07/17/2019
How Recon helped me to find a Facebook domain takeover Sudhanshu Rajbhar (@sudhanshur705) Meta / Facebook Subdomain takeover $500 07/17/2019
Facebook Informative Bug From Triaged Circle Ninja (@circleninja) Meta / Facebook Lack of rate limiting $0 07/17/2019
CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook Lokesh Kumar (@lokeshdlk77) Meta / Facebook CSRF $3,000 07/16/2019
Bypass CSRF With ClickJacking Worth $1250 Injector Pca / SaadAhmed (@XSaadAhmedX) - CSRF, Clickjacking $1,250 07/16/2019
What do Netcat, SMTP and self XSS have in common? Stored XSS Plenum (@plenumlab) - Stored XSS - 07/16/2019
How I Could Get The Instagram Username of Anyone on Tinder Shahar Albeck Tinder Information disclosure - 07/16/2019
The Bugs Are Out There, Hiding in Plain Sight A Bug’z Life (@abugzlife1) - IDOR, SSRF, Information disclosure, CORS misconfiguration $9,000 07/15/2019
500$ bounty: Man in the Middle on Slack Wiard van Rij / Sysrant (@RijWiard) Slack MiTM $500 07/15/2019
Facebook Bug : Sending messages as a page with jobmanager permission Devansh batham (@devanshwolf) Meta / Facebook Authorization flaw, Privilege escalation $0 (Duplicate) 07/15/2019
[TOKOPEDIA] Site-wide CSRF through GraphQL request Rafie Muhammad (@rafiem777) Tokopedia CSRF - 07/15/2019
How I Could Have Hacked Any Instagram Account Laxman Muthiyah (@LaxmanMuthiyah) Meta / Facebook Race condition, Rate limiting bypass $30,000 07/14/2019
Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program Sam Curry (@samwcyo) Tesla Blind XSS $10,000 07/14/2019
Hacking into Tinder’s Premium Model Sanskar Jethi (@sansyrox) Tinder Authorization flaw $0 07/14/2019
Account takeover on Airbnb acquisition | An Unusual Bug Part-2 🐛 PRince CHaddha (@princechaddha) Airbnb IDOR, Account takeover Swag 07/13/2019
Facebook Bug bounty page admin disclose bug {Facebook Android app} Yusuf Furkan (@h1_yusuf) Meta / Facebook Information disclosure $500 07/12/2019
XSS on Google Custom Search Engine KL Sreeram (@kl_sree) Google XSS - 07/11/2019
Story of my Biggest Bounty ever : Command Execution on Jenkins Jay Jani (@JayJani007) - RCE $8,000 07/11/2019
SQL Injection Bug Bounty POC! Arif-ITSEC111 - SQL injection €5,000 07/11/2019
Tale of account takeover — Sensitive info Disclosure + Broken Access Control Md Saqib (@sakyb7) - IDOR, Account takeover $2,650 07/10/2019
OAuth authentication bypass on Airbnb acquisition using 1-char Open Redirect Evgeniy Yakovchuk (@h1_sp1d3r) Airbnb Open redirect, OAuth token theft, Account takeover - 07/10/2019
A malicious editor of a page can support to a community action which can’t be unsupported by the admin! mAshraf Meta / Facebook Authorization flaw - 07/09/2019
Information Disclosure via Misconfigured AWS to AWS Bucket Takeover Pratyush Anjan Sarangi - AWS flaw - 07/08/2019
Cleartext password in LocalStorage (Writeup) ruvlol - Violation of secure design principles $1,500 07/07/2019
Blind (time-based) SQLi - Bug Bounty jspin (@jespinhara) - SQL injection - 07/05/2019
This is how I managed to win $2000 through Facebook Bug Bounty Saugat Pokharel (@saugatpk5) Meta / Facebook Logic flaw $2,000 07/04/2019
Facebook Vulnerability: Unremovable Co-Host in facebook page events Ritish Kumar Singh Meta / Facebook Logic flaw, DoS $500 07/04/2019
Account Takeover Using CSRF(json-based) shub rathore (@shub66452) - CSRF, Account takeover $1,000 07/04/2019
Story of a stored xss to full account takeover vulnerability(N/A to accepted) Jatin Aesthetic (@techyfreakk) - Stored XSS - 07/04/2019
Finding hidden gems vol. 4: Rakefile a.k.a. how to get AWS keys again Mateusz Olejarka (@molejarka) - Information disclosure, Github leak - 07/03/2019
Yeah! I got P2 in 1 minute - Stored XSS via Markdown Editor Schopath - Stored XSS - 07/02/2019
Injecting {{6*200}} to $1200 Gaurav Narwani (@gauravnarwani97) - SSTI $1,200 07/02/2019
Another Download Protection Bypass in Google Chrome – BIN files in Mac OS Nightwatch Cybersecurity (@nightwatchcyber) Google Browser flaw $1,000 07/02/2019
How I escalated RFI into LFI Hassan Khan Yusufzai (@Splint3r7) - RFI, LFI - 07/01/2019
Accidental IDOR Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR - 07/01/2019
Stored XSS on Indeed Tirtha Mandal (@tirtha_mandal) Indeed Stored XSS $1,500 06/30/2019
One more Parameter manipulation bug (🤑) Kanchan Singh Yadav (@KanchanSingh0) - Parameter tampering - 06/28/2019
Facebook BugBounty : Short story on Page admin disclosure Bijan Murmu (@0xBijan) Meta / Facebook Authorization flaw, Privilege escalation - 06/28/2019
Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution Reegun J (@reegun21) Microsoft RCE - 06/28/2019
Gain adfly SMTP access with SSRF via Gopher Protocol Zerb0a Adf.ly SSRF - 05/27/2019
View Facebook payouts for any Facebook Trivia Game Philippe Harewood (@phwd) Meta / Facebook Information disclosure $0 (Informative) 05/27/2019
1-Click Account Takeover in Virgool.io — a Nice Case Study Yasho (@YShahinzadeh) Virgool Account takeover, Open redirect - 06/27/2019
CORS To CSRF Attack Osama Avvan (@osamaavvan) - CORS misconfiguration, CSRF - 06/27/2019
Toggle Group Rules Agreement as a non-member Philippe Harewood (@phwd) Meta / Facebook Authorization flaw - 06/26/2019
Sensitive Information Disclosure: Web Cache Deception Attack Wasim Shaikh (@Wa_sim_sim) Intuit Information disclosure $0, HoF 06/26/2019
Download .arexport files for any public AR Studio Effect Philippe Harewood (@phwd) Meta / Facebook IDOR - 06/24/2019
CSV injection at Comment Section. Navneet (@na5n33t) - CSV injection N/A (VDP) 06/24/2019
Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference) Muhammad Asim Shahzad - Password reset flaw, IDOR, Account takeover $1,200 06/22/2019
Page Admin Disclosure | Facebook Bug Bounty 2019 Ajay Gautam (@evilboyajay) Meta / Facebook Authorization flaw $1,000 06/22/2019
How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105 Bryan Appleby (@bryapp) Microsoft XSS - 06/21/2019
Catching support emails from my internet service provider Sander Lentink T-Mobile Email account takeover N/A (VDP) 06/21/2019
$1800 worth Clickjacking Osama Avvan (@osamaavvan) - Clickjacking $1,800 06/21/2019
About a Sucuri RCE…and How Not to Handle Bug Bounty Reports Julien Ahrens (@MrTuxracer) Sucuri RCE $750 06/22/2019
IDOR: Payment Fraud Vibhurushi Chotaliya (@Vibhurushi) - IDOR, Payment tampering - 06/20/2019
Self XSS To Evil XSS Injector Pca / SaadAhmed (@XSaadAhmedX) - XSS $0 06/20/2019
A Fight For Duplicate Marked Bug: Story of BBC Hall Of Fame Wasim Shaikh (@Wa_sim_sim) BBC XSS N/A (VDP) 06/20/2019
How a classical XSS can lead to persistent ATO Vulnerability? Milind Purswani (@MilindPurswani) & Yash Sodha (@y_sodha) - XSS, Account takeover - 06/19/2019
Facebook Vulnerability: Unremovable Co-Host in facebook group events Ritish Kumar Singh Meta / Facebook Logic flaw $500 06/19/2019
Account Takeover with Clickjacking Osama Avvan (@osamaavvan) - Clickjacking - 06/19/2019
XSS Filter Evasion m0z (@LooseSecurity) - XSS - 06/17/2019
Business user Employees could have applied block list to all ad accounts listed in the business manager. Rohit kumar (@rohitcoder) Meta / Facebook Authorization flaw, Logic flaw $500 06/17/2019
Reflected XSS in Tokopedia Train Ticket Jon Bottarini (@jon_bottarini) New Relic Reflected XSS IDR 3.000.000 (~ $212) 06/17/2019
Using Burp Suite match and replace settings to escalate your user privileges and find hidden features Jon Bottarini (@jon_bottarini) New Relic Client-side enforcement of server-side security $500 06/17/2019
Parameter Pollution issue in API resulting $XXX Smaran Chand (@smaranchand) - Parameter pollution - 06/17/2019
SQl Injection Injector Pca / SaadAhmed (@XSaadAhmedX) - SQL injection $500 06/17/2019
Bypassing XSS filter and Stealing User Payment Data Osama Avvan (@osamaavvan) - XSS $0 (Duplicate) 06/17/2019
Password Bypass and Something Else… Vibhurushi Chotaliya (@Vibhurushi) - Authentication bypass $600 06/16/2019
How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration? Muhammad Asim Shahzad Dropbox AWS flaw $1,500 06/16/2019
Account Takeover Worth $900 Injector Pca / SaadAhmed (@XSaadAhmedX) - Account takeover, CSRF $900 06/16/2019
Stealing Cookies to Login in any Account Osama Avvan (@osamaavvan) - Cookie theft $900 06/16/2019
Bug Bounty - Information Disclosure through error message + WAF Bypass led to Local File Inclusion Λявєη (@spenkkkkk) & Çlirim Emini (@0xcela) - WAF bypass, LFI, Information disclosure - 06/15/2019
Complete Web Server Access Injector Pca / SaadAhmed (@XSaadAhmedX) - Unrestricted file upload, RCE $500 06/15/2019
Fullscreen API Attack’s Revisited and the FaceBook NA Story Circle Ninja (@circleninja) Meta / Facebook Fullscreen API Attack $0 (N/A) 06/15/2019
XSSing Google Employees — Blind XSS on googleplex.com Thomas Orlita (@ThomasOrlita) Google Blind XSS - 06/15/2019
Admin Account total Information Disclosure Nishant Saurav (@inishantsinha) - Source code disclosure, Information disclosure $200 06/15/2019
v1 Instance Metadata Service protections bypass Anthony Weems Google SSRF $5,000 06/14/2019
IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR $500 06/14/2019
How spending our Saturday hacking earned us 20k Matti Bijnens (@MattiBijnens) - IDOR $20,000 06/14/2019
IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR - 06/14/2019
Chaining Improper Authorization To Race Condition To Harvest Credit Card Details : A Bug Bounty Story Mandeep Jadon (@1337tr0lls) - Authorization flaw, Race condition - 06/13/2019
Redstrom Denial Of Service — Write Up Zerb0a - DoS $0, Swag 06/12/2019
Reflected XSS on Error Page Tomi (@noobe_io) - Reflected XSS - 06/11/2019
Facebook Vulnerability: Non-unfriendable user in /hacked workflow Ritish Kumar Singh Meta / Facebook Logic flaw $1,500 06/11/2019
Account takeover using IDOR and the misleading case of error 403. Plenum (@plenumlab) - IDOR - 06/11/2019
IDOR Leads To Project Takeover Hariharan.s (@DJHARIZ1) - IDOR - 06/09/2019
Don’t underestimates the Errors They can provide good $$$ Bounty! Aditya Sharma (@Assass1nmarcos) Mamba Information disclosure, Path disclosure $200 06/07/2019
How I was able to get private ticket response panel and FortiGate web panel via blind XSS Bijan Murmu (@0xBijan) - Blind XSS $1,250 06/06/2019
Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) Nikhil Mittal (@c0d3G33k) Microsoft Browser bug $15,000 06/06/2019
Unicode vs WAF — XSS WAF Bypass Prial Islam Khan (@prial261) - XSS - 06/05/2019
Bypassing CSP with policy injection Gareth Heyes (@garethheyes) Paypal CSP bypass $900 06/05/2019
REMOTE CODE EXECUTION ! 😜 Recon Wins Vishnuraj - RCE - 06/04/2019
Chaining multiple low-impact bugs to arbitrary file read in GitLab Li Rongxi (@nyan_gawa) GitLab Directory traversal - 06/04/2019
Simple PathTraversal bypass fr0stNuLL - Path traversal - 06/03/2019
Missing access control at play store Vishwaraj Bhattrai (@vishwaraj101) Google Authorization flaw - 06/03/2019
The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise Avinash Jain (@logicbomb_1) - RFI, SSRF - 06/02/2019
Story of a uri based xss with some simple google dorking Jatin Aesthetic (@techyfreakk) - XSS - 06/02/2019
Edmodo Account Deactivation Vulnerability Shankar R Edmodo CORS misconfiguration $0 06/01/2019
My First CSRF to Account Takeover worth $750 Nishant Saurav (@inishantsinha) - CSRF, Account takeover $750 05/30/2019
Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty HackerOn2Wheels (@HackerOn2Wheels) - Stored XSS, MIME sniffing - 05/30/2019
Stored XSS on Edmodo Rohit Verma (@rv0x00) Edmodo Stored XSS - 05/28/2019
Source Code disclose Vulnerability Mohamed R. Serwah (@mohamedrserwah) - Source code disclosure - 05/27/2019
An unexploited CORS misconfiguration reflecting further issues. Smaran Chand (@smaranchand) - CORS misconfiguration - 05/27/2019
How did I bypass a Custom Brute Force protection and why that solution is not a good idea? dortz - Bruteforce, Authentication flaw - 05/25/2019
Disclose files content from Facebook internal CDNs Samm0uda (@samm0uda) Meta / Facebook Weak encryption $12,500 05/25/2019 Archived page
Google bug bounty: LFI on production servers in “springboard.google.Com” — $13,337 USD VulnerabilityLabs Google LFI $13,337 05/24/2019
Multiple API issues due to Fixed Authorization token. Mustafa Khan (@by6153) - Authorization flaw - 05/24/2019
From file upload to email:pass fr0stNuLL - Unrestricted file upload - 05/24/2019
Security assessment on the staging domains Tutorgeeks (@tutorgeeks) - Lack of authentication - 05/24/2019
Instagram GitHub Token with public_scope found In Travis CI Build Logs Philippe Harewood (@phwd) Meta / Facebook Information disclosure $0 (Informative) 05/24/2019
How I acquired $XXX bounty by investing 99 cents Smaran Chand (@smaranchand) - Logic flaw - 05/24/2019
Escalating subdomain takeovers to steal cookies by abusing document.domain Ameya (@iamTakeMyHand) Postmates Subdomain takeover - 05/23/2019
Determine a Facebook user from an email address Philippe Harewood (@phwd) Meta / Facebook Information disclosure $1,000 05/22/2019
Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts Family guy Google Privilege escalation, Authorization flaw - 05/21/2019
Local File Inclusion in peering.google.com Jafar Abo Nada (@Jafar_Abo_Nada) Google LFI $3,133.70 05/21/2019
Leaking OpenID tokens with “ — the bug right infront of you Zseano (@zseano) - OpenID flaw - 05/21/2019 Alternative link
WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD Omar Espino (@omespino) Google LFI $13,337 05/21/2019
Open-redirect to Account Takeover. Rishabh (@__cypher__) - Open redirect, Account takeover - 05/19/2019
A base64 encoded parameter. Navneet (@na5n33t) - HTML injection $75 05/19/2019
XSSed my way to 1000$ Gaurav Narwani (@gauravnarwani97) - XSS $1,100 05/17/2019
Stealing Downloads from Slack Users David Wells Slack CSRF - 05/17/2019
Bypassing Instagram’s stories restriction Baibhav Anand (@iBaibhavJha) Meta / Facebook Logic flaw $500 05/17/2019
‘Try-Harder’ for XSS Frans Hendrik Botes (@initroott) - Reflected XSS - 05/17/2019
From parameter pollution to XSS Mo’men Basel - Parameter pollution, XSS - 05/16/2019
You do not need to run 80 reconnaissance tools to get access to user accounts Stefano Vettorazzi (@stefanohablando) - Open redirect - 05/15/2019
Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties] Komodo Security Google Stored XSS, MIME sniffing - 05/15/2019
Think Outside the Scope: Advanced CORS Exploitation Techniques Ayoub (@sandh0t) - CORS misconfiguration $1,500 05/14/2019
Stored XSS on Techprofile Microsoft Mohammad Ali Syarief Microsoft Stored XSS - 05/09/2019
BLIND SSRF in *.stripe.com due to Sentry Misconfiguration Oktavandi (@0ktavandi) Stripe Blind SSRF - 05/09/2019
4x CSRFs Chained For Company Account Takeover A Bug’z Life (@abugzlife1) - CSRF, Account takeover $3,000 05/08/2019
pcextreme.nl fake bug bounty Daniel Maksimovic pcextreme.nl SSRF, XSS $0 (150€ + 150€ platform credit promised but not delivered) 05/08/2019
SQL injection through User-Agent fr0stNuLL - SQL injection - 05/08/2019
Subdomain takeover [Awarded $200] Friendly (@SkeletorKeys) ownCloud Subdomain takeover $200 05/07/2019
Server Side Request Forgery(SSRF){port issue hidden approch } Deepak Holani (@w_hat_boy) - SSRF - 05/03/2019
Tale of a Wormable Twitter XSS @0xSobky Twitter XSS $2,940 05/02/2019
Why You Shouldn’t Use a Password Manager For Your Linode Account @0xSobky Linode Account takeover, Information disclosure - 05/02/2019
XSS attacks on Googlebot allow search index manipulation Tom Anthony (@TomAnthonySEO) Google Logic flaw - 05/01/2019
Remote code execution On Microsoft edge using URL Protocol Matt harr0ey (@harr0ey) Microsoft RCE $0 (N/A) 05/01/2019
From NA to $3000 : Facebook’s URL spoofing vulnerability Rahul Kankrale (@RahulKankrale) Meta / Facebook URL spoofing $3,000 04/30/2019
Reply To Instagram Stories where privacy of who can reply is set to ‘Nobody’. Baibhav Anand (@SpongeBhav) Meta / Facebook Authorization flaw $500 04/30/2019
From Reflected XSS to Account Takeover — Showing XSS Impact A Bug’z Life (@abugzlife1) - Reflected XSS, Account takeover - 04/30/2019
Don’t Follow The Masses: Bug Hunting in JavaScript Engines Dimitri Fourny (@dimitrifourny) Google Buffer overflow $7,500 04/29/2019
Two-Factor Authentication Bypass Gaurav Narwani (@gauravnarwani97) - 2FA bypass - 04/29/2019
Broken Access: Posting to Google private groups through any user in the group Elber Andre (@Elber333) Google Authorization flaw $0 (N/A) 04/27/2019
“CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter EdOverflow (@EdOverflow), Justin Gardner (@Rhynorater), Corben Leo (@hacker_), Karim Rahal (@KarimPwnz), streaak (@streaak), d0nut (@d0nutptr) & BBAC - Information disclosure, CI/CD bug - 04/26/2019
Denial of Service using Cookie Bombing Ronak Patel (@ronak_9889) - DoS, Cookie bomb $350 04/26/2019
How to bypass a 2FA with a HTTP header Yumi - 2FA bypass - 04/26/2019
for PayPal security team,“get user balances and transaction details” is not a vulnerability! Todaro (@tod4ro) Paypal Information disclosure $0 (N/A) 04/26/2019
Missing Authorization check while deleting App Review for Marketing API Family guy Meta / Facebook Authorization flaw - 04/25/2019
Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) - Stored XSS, Account takeover $800 04/25/2019
The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! Avinash Jain (@logicbomb_1) - LFI, SSRF, Cloudflare bypass - 04/25/2019
CSRF Attack can lead to Stored XSS Mohamed Sayed (@FlEx0Geek) - CSRF, Stored XSS - 04/25/2019
A picture that steals data Sergey Kashatov (@iframe0x01) - Information disclosure - 04/24/2019
Getting access to Zendesk’s Google Cloud and Artifactory from GitHub dotfile repos Ruby Nealon (@_ruby) Zendesk Information disclosure $3,000 04/23/2019
Facebook’s Burglary Shopping List John Moss (@x41x41x41) Meta / Facebook Information disclosure $5,000 04/23/2019
The neglected bug that can infect All Facebook users who pay for leads ads. Hesham Watany Meta / Facebook CSV injection $0 (Out of scope) 04/23/2019
Yet Other Examples of Abusing CSRF in Logout Soroush Dalili (@irsdl) - CSRF - 04/23/2019
[XSS] Reflected XSS Bypass Filter Mohamed Sayed (@FlEx0Geek) - Reflected XSS - 04/23/2019
Disclose the content of internal Facebook Javascript modules. Samm0uda (@samm0uda) Meta / Facebook Authorization flaw - 04/22/2019 Archived page
Ssrf to Read Local Files and Abusing the AWS metadata Pratik Yadav (@PratikY9967) - SSRF - 04/21/2019
[CONFIRMATION BYPASS ] Navneet (@na5n33t) - Email confirmation bypass, Information disclosure N/A (VDP) 04/21/2019
Twitter - protected tweets exposure terjanq (@terjanq) Twitter Information disclosure $560 04/19/2019
Responsible disclosure: improper access control in Gitlab private project. Riccardo Padovani (@rpadovani93) GitLab Authorization flaw $2,000 04/19/2019
Scary Tickets😨 Uranium238 (@uraniumhacker) - Ticket Trick - 04/19/2019
PDFReacter SSRF to ROOT Level Local File Read which led to RCE Armaan Pathan (@armaancrockroax) - SSRF, RCE - 04/18/2019
Code execution - Evernote Dhiraj (@mishradhiraj_) Evernote RCE, Path traversal - 04/17/2019
How I was able to Bypass XSS Protection on HackerOne’s Private Program Security Executions Code BugHunter - XSS - 04/16/2019
Banner Grabbing to DoS and Memory Corruption Daniel V. (@d4niel_v) - DoS, Information disclosure - 04/16/2019
A $5000 IDOR… Mr.Hacker (@mr_hacker0007) - IDOR $5,000 04/16/2019
How i found credential enriched redis dump Ashish Kunwar (@D0rkerDevil) - File disclosure, Information disclosure $0 04/16/2019
Just 5 minute to get my 2nd stored XSS on Edmodo.com ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS $0, Swag 04/15/2019
How I hacked Vending Machine Valeriy Shevchenko (@Krevetk0Valeriy) - Violation of secure design principles €300 gift card 04/15/2019
Google Groups Authorization Bypass Daniel Marad Google Authorization flaw $500 04/15/2019
The Outlook Winner is Dash marcan2020 (@marcan2020) Microsoft Authorization flaw $0 (N/A) 04/15/2019
How I gained access to revenue and traffic data of thousands of Shopify stores Ayoub Fathi (@ayoubfathi) Shopify IDOR $0 (Policy violation) 04/15/2019
Web Cache Deception to API endpoint attack using cached token header Kunal pandey (@kunalp94) - Web cache deception $250 04/13/2019
[RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638) Mohamed Haron (@m7mdharon) - RCE $2,250 04/12/2019
Unauthenticated Account Takeover Through HTTP Leak Nik srivastava (@niksthehacker) - HTML injection, HTTP Leak, Account takeover - 04/11/2019
Account Takeover by chaining two vulnerabilities. Sheraz Khalid - CSRF, Open redirect, Account takeover - 04/10/2019
Multiple xss in *.skype.com & Multiple xss in *.skype.com (2) Jayateertha Guruprasad (@JayateerthaG) Microsoft XSS $0, HoF 04/10/2019
Spokeo Bug bounty Experience Nur A Alam Dipu Spokeo XSS $0 (Can’t reproduce) 04/10/2019
Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652 Julien Ahrens (@MrTuxracer) Dropbox (Dell KACE vendor) RCE - 04/09/2019
SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central Elber Andre (@Elber333) Microsoft SSRF, XSPA - 04/09/2019
Obtaining XSS Using Moodle Features and Minor Bugs Daniel Thatcher Moodle Login CSRF, XSS - 04/09/2019
Obtaining XSS Using Moodle Features and Minor Bugs Daniel Thatcher - CSRF - 04/09/2019
XSS “403 forbidden” bypass (Akamai Security )write up Security Executions Code BugHunter - XSS - 04/08/2019
How I got a trip to amsterdam through bug bounty Ninad Mathpati (@ninad_mathpati) - Bruteforce - 04/07/2019
Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice Ron Chan (@ngalongc) Uber SSRF, Path traversal, Account takeover - 04/07/2019
Email content spoofing at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea Email content spoofing $50 04/06/2019
Edmodo — IDOR to view private files of any class Rohan Pagey (@rohan_x3) Edmodo IDOR - 04/06/2019
Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers Armaan Pathan (@armaancrockroax) PortSwigger MiTM - 04/06/2019
Google Ads — Information Disclosure via null pointer exception Valerio brussani (@val_brux) Google Information disclosure - 04/04/2019
Handlebars template injection and RCE in a Shopify app Mahmoud Gamal (@Zombiehelp54) Shopify SSTI, RCE $10,000 04/04/2019
Leaked Salesforce API access token at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea Information disclosure $250 04/04/2019
DownNotifier SSRF _m_q_t (@_m_q_t) DownNotifier SSRF - 04/04/2019
How I am able to hijack you. terjanq (@terjanq) Google Logic flaw - 04/03/2019
Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow Ritish Kumar Singh Meta / Facebook Logic flaw $1,000 04/02/2019
FileZilla Untrusted Search Path & FileZilla ‘fzsftp’ Untrusted Search Path Chris Lyne (@lynerc) FileZilla (EU-FOSSA 2) RCE - 04/02/2019
How I was able to get your facebook private friend list [Responsible Disclosure] Raja Sekar Durairaj Meta / Facebook Information disclosure $10,000 04/01/2019
EdM0d0 IDOR Vulnerabilities Pratyush Anjan Sarangi Edmodo IDOR $0, Swag 04/01/2019
Comma is forbidden! No worries!! Inject in insert/update queries without it Ahmed Sultan (@0x4148) - SQL injection $10,000 03/31/2019
Recon in 2 minutes and got $250 easy Cryptographer (@justluthra) Snapchat Missing secure flag $250 03/31/2019
How I was able to turn self xss into reflected xss Hein Thant Zin (@H3Lowr) - Reflected XSS $300 03/31/2019
alert(“A tale of 3 XSS!”) Gaurav Narwani (@gauravnarwani97) - XSS - 03/29/2019
My very first bug: a dreaded dupe and then an IDOR jackpot! John H4X00R (@JohnH4X00R) Yahoo IDOR $5,000 03/28/2019
How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup) Yash Sodha (@y_sodha) Google CSRF $3,133.70 03/26/2019
An Unusual Bug 🐛 on Braintree [PayPal] PRince CHaddha (@princechaddha) Paypal DoS $3,200 03/25/2019
Twitter Denial of Service bug or How i could prevent all followers from reading or accessing literally ANY tweets! Seif Elsallamy Twitter DoS $1,120 03/25/2019
Stored (XSS) on [google.com] Security Executions Code BugHunter Google Stored XSS - 03/25/2019
Stored XSS in the guide’s GameplayVersion (www.dota2.com) Security Executions Code BugHunter Dota 2 Stored XSS $750 03/25/2019
Self (XSS) on [komunitas.bukalapak.com] Security Executions Code BugHunter Bukalapak Self XSS $50 03/25/2019
Reflected (XSS)on [alibabacloud.com] Security Executions Code BugHunter Alibaba Reflected XSS - 03/25/2019
Self (XSS) on [komunitas.bukalapak.com] Komodo Security Google Authorization flaw $500 03/25/2019
Facebook Marketing Confidential Call Transcript Philippe Harewood (@phwd) Meta / Facebook Information disclosure $500 03/24/2019
Google Books X-Hacking terjanq (@terjanq) Google XS-Search $1,337 03/21/2019
How to hunt for Malvertising ads on Android Kyle (@B3nac) - Android flaw - 03/21/2019
A real XSS in OLX Bug Bounty Paulo Choupina (@PauloChoupina) OLX Reflected XSS N/A (VDP) 03/21/2019
Slack announcement-only channel post restriction bypass Rodney Beede Slack Authorization flaw, Logic flaw $0, Out of scope 03/20/2019
Disclose private/scheduled streams of any Livestream user due to open .m3u8 endpoint Abss TBH (@abss_tbh) Livestream Information disclosure $1,000 03/20/2019
Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560) Kevin Backhouse (@kevin_backhouse) Meta / Facebook Integer overflow $10,000 03/19/2019
Discovering a zero day and getting code execution on Mozilla’s AWS Network Shubham Shah (@infosec_au) & Mathias Karlsson (@avlidienbrunn) Mozilla RCE $500 03/19/2019
DoS Across Facebook Endpoints Max Pasqua Meta / Facebook DoS $750 03/19/2019
From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin Heige (@80vul) Microsoft DOM XSS $0 03/19/2019
Should you be concerned about LastPass uploading your passwords to its server? Wladimir Palant (@WPalant) LastPass Information disclosure, Logic flaw - 03/18/2019
Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) OLX Reflected XSS $0, HoF 03/17/2019
Disclosure of Pending Roles for any Facebook Page Avinash Kumar (@itsavinash_) Meta / Facebook IDOR $4,000 03/16/2019
Target Finds Cross-Site Scripting in Microsoft SharePoint Target Microsoft XSS - 03/15/2019
How I was able to pwned 30000+ user’s webhook gujjuboy10x00 (@vis_hacker) - IDOR - 03/14/2019
Privilege escalation on private program. Imran Parray (@CreedHackers) - Privilege escalation, Information disclosure - 03/14/2019
User Account Takeover [Password Change]— Nice Catch! Rohit kumar (@rohitcoder) - Account takeover, Password reset flaw - 03/14/2019
Write up – $1,000 usd in 5 minutes, xss stored in outlook.com (ios browsers) Omar Espino (@omespino) Microsoft Stored XSS $1,000 03/14/2019
WordPress 5.1 CSRF to Remote Code Execution Simon Scannell (@scannell_simon) WordPress CSRF, RCE, HTML injection $950 03/13/2019
OLX Bug Bounty: Reflected XSS Mukhammad Akbar (@abaykandotcom) OLX Reflected XSS - 03/13/2019
My First Stored XSS on Edmodo.com ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS - 03/13/2019
Hack Your Form-New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) - Blind XSS, Stored XSS $800 03/13/2019
How I found Blind XSS Vulnerability in redacted.com ssid (@newp_th) - Blind XSS - /27/2019
Inserting malware into anyone’s Google Earth Projects Archive Thomas Orlita (@ThomasOrlita) Google IDOR, XSS, Authorization flaw $0 03/29/2019
Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. Armaan Pathan (@armaancrockroax) - CSRF, Bruteforce - 03/12/2019
Escalating SSRF to RCE Youssef A. Mohamed (@GeneralEG64) - SSRF, RCE - 03/12/2019
CVE-2018-16794 on fs.thefacebook.com Philippe Harewood (@phwd) Meta / Facebook SSRF $1,000 03/11/2019
SQL injection for $50 bounty, but still worth reading!! Ronaldo Messi - SQL injection $50 03/10/2019
Account Takeover Using Cross-Site WebSocket Hijacking (CSWH) Sharan Panegav (@PanegavSharan) - Cross-Site WebSocket Hijacking (CSWH), Account takeover - 03/09/2019
Vimeo SSRF with code execution potential. Harsh Jaiswal (@rootxharsh) Vimeo SSRF $5,000 03/08/2019
Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack Ron Masas Meta / Facebook Side-channel attack, Cross-Site Frame Leakage (CSFL) - 03/07/2019
Facebook Messenger server random memory exposure through corrupted GIF image Dzmitry Lukyanenka (@vulnano) Meta / Facebook Information disclosure $10,000 03/06/2019
3 XSS in ProtonMail for iOS Vladimir Metnew (@vladimir_metnew) Apple XSS $1,000 03/06/2019
Fixed : Register any email address on Facebook Account Sameer Rao Meta / Facebook Authorization flaw - 03/05/2019
Fixed : Brute-force Instagram account’s passwords Sameer Rao Meta / Facebook Bruteforce, Rate limiting bypass - 03/05/2019
Facebook exploit – Confirm website visitor identities Tom Anthony (@TomAnthonySEO) Meta / Facebook Information disclosure, IDOR $1,000 03/04/2019
Auditing GitHub Repo Wikis for Fun and Profit Smeege (@SmeegeSec) - Misconfigured Github wiki $500 03/04/2019
XSS in Edmodo within 5 Minute (My First Bug Bounty) Vala Keyur (@valakeyur) Edmodo Reflected XSS - 03/04/2019
A simple Account takeover misusing JWT late expiration Scalar (@mrprajapati_360) - Authorization flaw, Logic flaw - 03/03/2019
Bypassing a restrictive JS sandbox Licencia para Hackear Private program, static-eval library JS sandbox breakout, RCE - 03/01/2019
Yet Another (unexpected) Hack for Bounty Pumudu Ruhunage Sli.do Information disclosure $150 03/01/2019
Horizontal Privilege Escalation on Quora which can compromise all users on Quora SpyD3r (@TarunkantG) Quora Privilege escalation - 02/26/2019
[Still work] Redirect Yahoo Subdomain XSS Reflected from americangreetings.com Mohamed Haron (@m7mdharon) Yahoo Reflected XSS - 02/26/2019
How I alert(1) in Azure DevOps SpyD3r (@TarunkantG) Microsoft XSS, CSP bypass - 02/26/2019
Web Cache Deception Attack leads to user info disclosure Kunal pandey (@kunalp94) - Web cache deception, Information disclosure $300 02/25/2019
Chain of hacks leading to Database Compromise! Avinash Jain (@logicbomb_1) - LFI, SSRF - 02/23/2019
Bug Bounty 101 — Always Check The Source Code Mohamed Haron (@m7mdharon) - Lack of rate limiting, Information disclosure - 02/23/2019
Download any organisation Data — S3 amazonaws Misconfiguration Chand Singh (@Chand_42) - Authorization flaw $2,500 02/22/2019
Subdomain Misconfiguration lead to AWS S3 Buckets Reader Mohamed Haron (@m7mdharon) - Subdomain takeover $800 02/22/2019
Exploiting Google Calendars Rojan Rijal (@uraniumhacker) & Brandon Nguyen (@cmdrsnuggle) Uber, Shopify, Netflix Authorization flaw, Information disclosure - 02/22/2019
Swiss_E-Voting_Publications setuid0 (@setuid0) Swiss E-Voting XSS, XXE, RCE, Lack of authentication, Authentication flaw, Hardcoded credentials - 02/21/2019
Abusing autoresponders and email bounces Inti De Ceukelaire (@securinti) Google, Intigriti Information disclosure, Logic flaw - 02/21/2019
Reflected XSS at https://photos.shopify.com/ Ahamed Morad (@Modam3r5) Shopify Reflected XSS $0, Out of scope 02/21/2019
How I Registered Multiple Accounts in PrivateInternetAccess VPN Service for FREE Spade PrivateInternetAccess VPN Logic flaw $1,000 02/20/2019
Bug Writeup: FBCTF IDOR George Osterweil Meta / Facebook IDOR $0, Duplicate 02/20/2019
Leakage of Client Secret, Server tokens of all Uber developer applications Anand Prakash (@sehacure) Uber Information disclosure $5,000 02/19/2019
Multiple Stored XSS On Tokopedia Apapedulimu (@Apapedulimu) Tokopedia Stored XSS, Blind XSS - 02/19/2019
Using URI to pop shells via the Discord Client RagSec (@rag_sec) Discord URI abuse, Social engineering $0 (OOS) 02/18/2019
DoS on WAF Protected Sites by Abusing Cookie Anas Mahmood (@AnasIsHere) Upwork DoS $400 02/18/2019
2 Subdomains Takeover via Unbounce in a Private Program Mohamed Haron (@m7mdharon) - Subdomain takeover $0 (Duplicate) 02/18/2019
Stored XSS on Edmodo Rohit kumar (@rohitcoder) Edmodo Stored XSS $0 (Duplicate) 02/18/2019
$1.000 SSRF in Slack Elber Andre (@Elber333) Slack SSRF $1,000 02/17/2019
Bypass password confirmation in Facebook “DYI” feature Samm0uda (@samm0uda) Meta / Facebook Authorization flaw, IDOR - 02/16/2019 Archived page
Facebook/Workplace Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk Rohit kumar (@rohitcoder) Meta / Facebook Information disclosure $1,000 02/16/2019
Subdomain Takeover via Wufoo Service in a Private Program Mohamed Haron (@m7mdharon) - Subdomain takeover - 02/16/2019
Open Redirect in SLACK Mukhammad Akbar (@abaykandotcom) Slack Open redirect $0 (N/A) 02/16/2019
Bypassing rate limit abusing misconfiguration rules Daniel V. (@d4niel_v) - Rate limiting bypass - 02/15/2019
Subdomain Takeover via HubSpot Mohamed Haron (@m7mdharon) - Subdomain takeover - 02/15/2019
Souq.com Subdomain Takeover via jazzhr.com service Mohamed Haron (@m7mdharon) Souq.com Subdomain takeover $0 (Informative) 02/15/2019
Never Stop at Banner Grabbing Gaurav Narwani (@gauravnarwani97) - Information disclosure $241.93 02/14/2019
Third Party Android App Storing Facebook Data Insecurely (Facebook Data Abuse Program) Nightwatch Cybersecurity (@nightwatchcyber) Meta / Facebook Information disclosure, Lack of authentication - 02/14/2019
[SSRF] Server Side Request Forgery in a private Program developers.example.com Mohamed Haron (@m7mdharon) - SSRF $200 02/14/2019
Disclose private attachments in Facebook Messenger Infrastructure - 15,000$ Sarmad Hassan (@JubaBaghdad) Meta / Facebook IDOR $15,000 02/13/2019
Facebook CSRF protection bypass which leads to Account Takeover Samm0uda (@samm0uda) Meta / Facebook CSRF $25,000 02/12/2019 Archived page
Hacking YouTube for #fun and #profit Alexandru Coltuneac (@dekeeu) Google IDOR - 02/12/2019
Export Facebook audience network reports of any business Samm0uda (@samm0uda) Meta / Facebook Authorization flaw - 02/12/2019 Archived page
I Found Clickjacking on Google CSE. Is This Important? Mukhammad Akbar (@abaykandotcom) Google Clickjacking $0 02/10/2019
Csrf Bypass Using Cross Frame Scripting Mr.Hacker (@mr_hacker0007) - CSRF - 02/10/2019
How I hacked ASUS? Mustafa Kemal Can (@muskecan) Asus RCE, Unrestricted file upload - 02/09/2019
Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program. Sahil Tikoo (@viperbluff) - Information disclosure - 02/09/2019
Design Flaws - Scenario One and Fix Alli-Balogun Faruq (@node_shack) - Logic flaw - 02/08/2019
Paypal’s Security Check Bypassed Anees Khan (@AneesEthical) Paypal Logic flaw $0 (N/A) 02/08/2019
Internal paths disclosure due to improper exception handling Samm0uda (@samm0uda) Meta / Facebook Information disclosure - 02/07/2019 Archived page
Leak of private/in-development app ids, names and translation requests Samm0uda (@samm0uda) Meta / Facebook IDOR - 02/07/2019 Archived page
LFI To 10 Servers Pwn Nirmal Dahal (@TheNittam) - LFI, RCE - 02/07/2019
How i was able to dump SqlDB | Simple bug clever idi0t - Directory listing, SQL injection, Authentication bypass - 02/07/2019
Cache Deception: How I discovered a vulnerability in Medium and helped them fix it Yuval Shprinz Medium Cache deception $100, Swag 02/06/2019
Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard Lee Christensen (@tifkin_) Microsoft Path traversal, RCE - 02/06/2019
Jumping Over The Fence Shahar Albeck - Open redirect - 02/05/2019
How I hacked 40,000 user accounts of Microsoft using 2FA bypass(outlook.live.com) Vartul Goyal (@hackvartul) Microsoft 2FA bypass $0 02/05/2019
Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages Paul (@padannewitz) - Mass assignment $5,000 02/05/2019
Reverse RDP Attack: Code Execution on RDP Clients Eyal Itkin Microsoft Path traversal $0 02/05/2019
A Unique XSS Scenario in SmartSheet || $1000 bounty Rohan Chavan (@rohanchavan1918) Smartsheet Stored XSS $1,000 02/03/2019
How I was able to Extract Information of Other Users- Exploiting IDOR Rupika Luhach (@Rup_Ki_Rani) Knowyourmeds.com IDOR $0 (Duplicate) 02/02/2019
LFI in Apigee portals [email protected] (@wtm_offensi) Google LFI - 01/31/2019
How I found a simple bug in Facebook without any Test Sarmad Hassan (@JubaBaghdad) Meta / Facebook Authorization flaw - 01/31/2019
$7.5k Google Cloud Platform organization issue Ezequiel Pereira (@epereiralopez) Google Logic flaw $7,500 01/30/2019
How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds. Piyush Raj (@0x48piraj) WeeQuizz Information disclosure $0 (No response) 01/30/2019
Publish tweets by any other user Kedrisec (@kedrisec) Twitter IDOR $7,560 01/30/2019
Guest blog: Eray Mitrani - Hacking isn’t an exact science Eray Mitrani (@ErayMitrani) - Authorization flaw - 01/29/2019
Protonmail XSS — Stored Chand Singh (@Chand_42) Protonmail Stored XSS, Bruteforce - 01/29/2019
Unsecured access to personal data of a million Leo Express users Thomas Orlita (@ThomasOrlita) Leo Express Authorization flaw, XSS - 01/29/2019
Hijacking accounts by retrieving JWT tokens via unvalidated redirects Shawar Khan (@ShawarkOFFICIAL) - Open redirect, Token theft - 01/27/2019
A short tale of Account verification bypass Satyendra Kumar - Email verification bypass, Authorization flaw - 01/27/2019
Chaining Tricky OAuth Exploitation To Stored XSS Rohan aggarwal (@nahoragg) - Stored XSS, OAuth flaw - 01/27/2019
Misconfiguration-Whatsapp Messenger Pratheesh P Narayanan Meta / Facebook Logic flaw $0 (Informative) 01/26/2019
AntiHack IDOR on Create Submission Syahrul Akbar Rohmani (@sahruldotid) AntiHack.me IDOR $0, Swag 01/26/2019
Facebook Change Product Availability as a PageAnalyst onehackzero Meta / Facebook Logic flaw, Authorization flaw - 01/25/2019
How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc) Luke Berner Google, Microsoft, Meta / Facebook Logic flaw, Authentication flaw - 01/25/2019
Magento – RCE & Local File Read with low privilege admin rights Daniel Le Gall (@Blaklis_) Magento LFI, RCE, Path traversal - 01/24/2019
Antihack.me Blind XSS To PHP File Upload Vulnerability SayCure (@SaycureIO) AntiHack.me Blind XSS - 01/24/2019
Privilege Escalation to Highest Admin Privileges Gaurav Narwani (@gauravnarwani97) - IDOR, Privilege escalation - 01/23/2019
Frappé Technologies ERPNext Server Side Template Injection Brian Hyde ERPNext SSTI $0 01/23/2019
Enroll in Facebook Ad-break program without Facebook approval Samm0uda (@samm0uda) Meta / Facebook Logic flaw, Authorization flaw - 01/22/2019 Archived page
Disclose page’s admins and its Monetization payout details Samm0uda (@samm0uda) Meta / Facebook IDOR, Information disclosure - 01/22/2019 Archived page
Disclose page violations and its eligibility to use Ad-breaks Samm0uda (@samm0uda) Meta / Facebook IDOR, Information disclosure - 01/22/2019 Archived page
Disclose Instagram business account linked to a Facebook page Samm0uda (@samm0uda) Meta / Facebook IDOR, Information disclosure - 01/22/2019 Archived page
Change payment account of any Facebook commerce page Samm0uda (@samm0uda) Meta / Facebook Logic flaw, Authorization flaw - 01/22/2019 Archived page
Expose business email and payment account balance of any Facebook commerce page. Samm0uda (@Samm0uda) Meta / Facebook IDOR, Information disclosure - 01/22/2019
Reveal if a Facebook merchant page has pending or completed orders. Samm0uda (@Samm0uda) Meta / Facebook IDOR, Information disclosure - 01/22/2019
Bruteforce Instagram account’s passwords (lack of rate limiting protection). Samm0uda (@samm0uda) Meta / Facebook Bruteforce, Lack of rate limiting - 01/22/2019
Generate Access Tokens for any Facebook user Samm0uda (@samm0uda) Meta / Facebook IDOR - 01/22/2019
Modify users profiles of techprep.fb.com Samm0uda (@samm0uda) Meta / Facebook Authorization flaw - 01/22/2019
Uploading files to api.techprep.fb.com Samm0uda (@samm0uda) Meta / Facebook File upload XSS - 01/22/2019
Reflected XSS in Zomato Sudhanshu Rajbhar (@sudhanshur705) Zomato Reflected XSS $250 01/21/2019
How I Found and Reporting Vulnerabilities to AntiHack.me by Tomi Tomi (@nahoragg) AntiHack.me IDOR, LFI $0, Swag 01/20/2019
A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram Rohan aggarwal (@nahoragg) - CORS misconfiguration - 01/20/2019
Oauth Misconfiguration lead to complete account takeover Jackson kv (@Jacksonkv22) - CSRF, OAuth flaw, Account takeover - 01/20/2019
XSS Through SWF file! Friendly (@SkeletorKeys) - SWF XSS $200 01/18/2019
Bypass Content Security Policy framing restriction rule - OLX Taha Ibrahim Draidia OLX CSP bypass - 01/17/2019
Command Injection PoC NoGe - Command injection - 01/15/2019
Facebook Vulnerability: Unremovable facebook group admin Ritish Kumar Singh Meta / Facebook Logic flaw $500 01/15/2019
#BugBounty How I Hack Billion $ Company Sadiq West - Directory listing $500 01/15/2019
Abusing MySQL clients to get LFI from the server/client Jarkko Vesiluoma (@jvesiluoma) - LFI - 01/15/2019
Gaining access to Uber’s user data through AMPScript evaluation Shubham Shah (@infosec_au) Uber AMPScript injection $23,000 01/14/2019
Turning Self XSS to good XSS via access control Yusuf Yazir (@Hacklad) - Stored XSS, Self XSS - 01/13/2019
Hack Your Form – New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) Meta / Facebook Blind XSS $800 01/13/2019
Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty Ajay Gautam (@evilboyajay) Meta / Facebook IDOR - 01/11/2019
Facebook PageAnalyst Could Add oneself as Moderator on Group onehackzero Meta / Facebook Authorization flaw - 01/11/2019
AntiHack.me Multiple Vulnerabilities Tomi AntiHack.me LFI, IDOR $0, Swag 01/11/2019
View the contact list for a Messenger Kid as a parent-approved contact Philippe Harewood (@phwd) Meta / Facebook Authorization flaw - 01/08/2019
Tips for bug bounty beginners from a real life experience Renaud Martinet (@karouf) YNAB XSS, SQL injection $1,500 01/08/2019
When Cookie Hijacking + HTML Injection become dangerous Daniel V. (@d4niel_v) - Cookie Hijacking, HTML Injection - 01/07/2019
Reflected XSS ON ASUS. Thejus Krishnan Asus Reflected XSS $0, HoF 01/06/2019
Stored XSS Via Alternate Text At Zendesk Support Hariharan.s (@DJHARIZ1) Zendesk Stored XSS - 01/06/2019
How I hacked Altervista.org Jacopo Tediosi (@jacopotediosi) Altervista Open redirect $0, HoF 01/05/2019
Facebook Android Application Ashley King (@AshleyKingUK) Meta / Facebook Authorization flaw $750 01/05/2019
How I could have taken over any Pinterest account Arnold Anthony (@armold9anthony) Pinterest CSRF, Account takeover $2,400 01/05/2019
How I stumbled upon a Stored XSS(My first bug bounty story). Parth Shah Edmodo Stored XSS - 01/04/2019
Cookie Based Self-XSS to Good XSS Brian Hyde - XSS $616 01/04/2019
Stealing Side-Channel Attack Tokens in Facebook Account Switcher Max Pasqua Meta / Facebook Token theft $1,000 01/04/2019
Yes I can see your OTP Vulnerables - IDOR - 01/03/2019
A Tricky Open Redirect Anas Mahmood (@AnasIsHere) - Open Redirect $200 01/03/2019
How I was able to Harvest other Vine users IP address Prial Islam Khan (@prial261) Vine IDOR $5,040 01/02/2019
How i found web shell on AntiHack.me and Awarded Gold Coin And SWAG Rudra Sarkar (@rudr4_sarkar) AntiHack.me RCE - 01/01/2019
A Curious Case From Little To Complete Email Verification Bypass Megaman (@N0_M3ga_Hacks) - Email validation bypass, Authorization flaw - 01/01/2019

Bug bounty writeups published in 2018

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date Link 2 / Archived page
Tale of a Misconfiguration in Password Reset Shuaib Oladigbolu (@_sawzeeyy) - Password reset flaw - 12/30/2018
Bypassing Access Control in a Program on Hackerone !! Sahil Tikoo (@viperbluff) Hackerone Authorization flaw - 12/30/2018
How I was able to delete Google Gallery Data [IDOR] Yogesh Tantak Google IDOR - 12/30/2018
Abusing ACL Permissions to Overwrite other User’s Uploaded Files/Videos on s3 Bucket Armaan Pathan (@armaancrockroax) - Unrestricted file upload, Authorization flaw - 12/30/2018
How I Takeover Wordpress Admin fiiipay.my Syahrul Akbar Rohmani (@sahruldotid) FiiiPay Account takeover, Default CMS files S$ 300 (~ $408) 12/28/2018
How I Was Able To Takeover All User Account And Admin Panel Dipak kumar Das (@d1pakdas) - IDOR, Account takeover $1,500 12/28/2018
Reflected XSS on ws-na.amazon-adsystem.com(Amazon) ssid (@newp_th) Amazon Reflected XSS - 12/27/2018
From Hunting for a Laptop to Hunting down Remote Code Execution Anil Tom (mr_4nk) Asus RCE, WebDAV flaw $0, HoF 12/27/2018
RCE in nokia.com Sampanna Chimoriya Nokia RCE N/A (VDP) 12/27/2018
Unauthenticated user can upload an attachment at HackerOne Ahamed Morad (@Modam3r5) Hackerone Authorization flaw $0 (Duplicate) 12/24/2018
Tokopedia Account Takeover Bug Worth 8 Million IDR Mukul Lohar (@ironfisto) Tokopedia Password reset flaw, Account takeover - 12/24/2018
Server-side Request Forgery in OpenID support Putra Adhari Liberapay SSRF - 12/24/2018
Client side validation strikes again: PIN code bypass ! Davy (@RandoriSec) Netflix, Linxo Client-side validation bypass, Authentication bypass, Authorization flaw - 12/22/2018
How I accidentally found a clickjacking “feature” in Facebook