| Escalating XSS to Account Takeover |
Aditya Verma (@0cirius0) |
- |
Reflected XSS, Account takeover |
- |
11/22/2020 |
| Weird (im)possible XSS on error page |
Rody Shahnazarian (@Komradz86) |
- |
Reflected XSS |
- |
11/21/2020 |
| 2 Reflected XSS In Razer |
Mostafa |
Razer |
Reflected XSS |
- |
11/21/2020 |
| Turning Blind Error Based SQL Injection into Exploitable Boolean One |
Ozgur Alp (@ozgur_bbh) |
- |
SQL injection |
- |
11/21/2020 |
| Exploiting dynamic rendering engines to take control of web apps |
Vasilii Ermilov (@ermil0v) |
- |
SSRF, Open redirect |
$5,000 |
11/19/2020 |
| Bypassing the Redirect filters with 7 ways |
ElMahdi Mrhassel (@ElMrhassel) |
- |
Open redirect, OAuth flaw |
- |
11/19/2020 |
| Arbitrary File Write On Client By ADB Pull |
Serafina (Sera) Tonin Brocious (@daeken) |
Google |
Arbitrary file write |
$0 |
11/19/2020 |
| Out of Band XXE in an E-commerce IOS app |
Gaurang Bhatnagar (@0xgaurang) |
- |
XXE |
- |
11/19/2020 |
| Server Side Misconfigurartion - A Funny Fix |
Shrey Shah (@ShreySh43332033) |
Basecamp |
Information disclosure |
$100 |
11/18/2020 |
| Tale of 3 vulnerabilities to account takeover! |
Avinash Jain (@logicbomb_1) |
- |
SSRF, Account takeover |
- |
11/17/2020 |
| Firefox: How a website could steal all your cookies |
Pedro Oliveira (@kanytu) |
Mozilla |
Arbitrary file read |
$5,000 |
11/16/2020 |
| Stealing User’s PII info by visiting API endpoint directly |
Kunal pandey (@kunalp94) |
- |
Information disclosure, Logic flaw |
$500 |
11/16/2020 |
| RCE via Server-Side Template Injection |
Gaurav Mishra (@gmishra010) |
- |
SSTI, RCE |
- |
11/15/2020 |
| Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data |
YoKo Kho (@YokoAcc) |
- |
Information disclosure, Broken access control, IDOR, SQL injection |
$4,750 |
11/15/2020 |
| Microsoft Bug Bounty Writeup – Stored XSS Vulnerability |
Pethuraj (@Pethuraj) |
Microsoft |
Stored XSS |
- |
11/15/2020 |
| Weak Cryptography to Account Takeover’s |
letmeslidein (@VasuYadaav) |
- |
Cryptographic issues, Account takeover, IDOR |
- |
11/15/2020 |
| Exploiting API with AuthToken |
Rafi Ahamed (Leonidas D. Ace) |
- |
Token leak, Information disclosure |
- |
11/15/2020 |
| Account takeover through password reset |
Omar Hamdy (@seaman00o) |
- |
Account takeover, Password reset flaw |
$2,000 |
11/14/2020 |
| Theoretically Possible To Practical Account Takeover |
Mukul Lohar (@ironfisto) |
- |
IDOR, Account takeover |
- |
11/14/2020 |
| Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity |
Prakash Panta (@Prakashpanta268) |
Facebook |
Logic flaw |
$500 |
11/13/2020 |
| Smuggling an (Un)exploitable XSS |
Julien Ahrens (@MrTuxracer) |
- |
HTTP Request Smuggling, XSS |
- |
11/13/2020 |
| How I Found The Facebook Messenger Leaking Access Token Of Million Users |
Guhan Raja (@havocgwen) |
Facebook |
Information disclosure |
$16,125 |
11/13/2020 |
| Interesting case of SQLi |
Nik srivastava (@niksthehacker) |
- |
SQL injection |
$3,000 |
11/13/2020 |
| Commenting on a post by opening it via page’s news-feed goes from a wrong actor (i.e. admin’s personal account) |
Samip Aryal |
Facebook |
Information disclosure |
$500 |
11/13/2020 |
| User’s private watched videos/saved videos exposed through a messenger call from a locked smartphone. |
Samip Aryal |
Facebook |
Information disclosure, Authorization flaw |
$500 |
11/13/2020 |
| Evading Filters to perform the Arbitrary URL Redirection Attack |
Harsh Bothra (@harshbothra_) |
- |
Open redirect |
- |
11/12/2020 |
| Bounty $1000 — Critical Business Logic Flaw leads to Account Takeover & Product Order Amount Manipulation |
Muhammad Asim Shahzad (@protector47) |
- |
Logic flaw, Account takeover, Price tampering |
$1,000 |
11/12/2020 |
| Evernote: Universal-XSS, theft of all cookies from all sites, and more |
Oversecured (@OversecuredInc) |
Evernote |
UXSS |
- |
11/12/2020 |
| 31k$ SSRF in Google Cloud Monitoring led to metadata exposure |
David Nechuta (@david_nechuta) |
Google |
SSRF |
$31,337 |
11/10/2020 |
| SSRF (Server Side Request Forgery) worth $4,913 | My Highest Bounty Ever ! |
Sayaan Alam (@ehsayaan) |
Dropbox |
SSRF |
$4,913 |
11/10/2020 |
| Chaining password reset link poisoning, IDOR, and information leakage to achieve account takeover at api.redacted.com |
Jadek Mark (@mase289) |
- |
HTTP header injection |
$0 (Duplicate) |
11/10/2020 |
| Firefox for Android: LAN-Based Intent Triggering |
initstring (@init_string) |
Mozilla |
Insecure intents |
- |
11/10/2020 |
| Facebook iOS address bar spoofing |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Address Bar Spoofing |
$1,500 |
11/10/2020 |
| How i could take over any Account on a USA Department of Defense Website due to a simple IDOR |
Gal Nagli (@lagilgan1) |
U.S. Dept Of Defense |
IDOR, Account takeover |
- |
11/07/2020 |
| Facebook DOM Based XSS using postMessage |
Samm0uda (@samm0uda) |
Facebook |
DOM XSS |
$25,000 |
11/07/2020 |
| Attack of the clones: Git clients remote code execution |
Vitor Fernandes (@Rapt00rVF) & Julio Fort |
GitHub |
RCE |
$0 (Duplicate) |
11/06/2020 |
| Story of a Pre-Account Takeover |
Kushal Dhakal (@dhakal0kushal) |
- |
Account takeover, OAuth flaw |
- |
11/06/2020 |
| 1000$ for Open redirect via unknown technique [BugBounty writeup] |
ruvlol |
GitLab |
Open redirect |
$1,000 |
11/05/2020 |
| How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day |
sickcodes (@sickcodes) |
Brave Software |
Information disclosure |
$100 |
11/05/2020 |
| Delete Any Photos In Facebook |
Lokesh Kumar (@lokeshdlk77) |
Facebook |
Authorization flaw, Logic flaw |
$10,750 |
11/04/2020 |
| From a 500 error to Django admin takeover |
Shashank (@cyberboyIndia) |
- |
Authorization bypass, Account takeover |
$3,000 |
11/03/2020 |
| Forcing for a bounty$$ |
Rafi Ahamed (Leonidas D. Ace) |
- |
Authorization flaw |
$500 |
11/03/2020 |
| Reveal the page admin that uploaded a video on the page in comment section |
Lokesh Kumar (@lokeshdlk77) |
Facebook |
Information disclosure, Logic flaw |
$4,838 |
11/02/2020 |
| An account takeover vulnerability due to response manipulation. |
Avanish Pathak (@avanish46) |
- |
Authentication bypass, Account takeover |
$4,100 |
11/02/2020 |
| Reveal the page admin that uploaded a video on the page in comment section |
Lokesh Kumar (@lokeshdlk77) |
Facebook |
Information disclosure, Logic flaw |
$4,838 |
11/02/2020 |
| CVE-2020-13294 |
Lauritz (@lauritz) |
- |
Authentication flaw, OpenID Connect vulnerability |
- |
11/01/2020 |
| Subdomain Takeover in Azure: making a PoC |
Diego Bernal Adelantado (@secfaults) |
- |
Subdomain takeover |
- |
11/01/2020 |
| Leaked .git folder leads to RCE |
James Clee (@jtcsec) |
- |
RCE |
- |
11/01/2020 |
| CVE-2020-13294 |
Lauritz (@lauritz) |
GitLab |
OAuth misconfiguration |
$0 (Duplicate) |
11/01/2020 |
| An often overlooked Oauth misconfiguration. & Payload |
VipItHunter (@VipItHunter1) |
- |
OAuth misconfiguration |
- |
11/01/2020 |
| How i got 7000$ in Bug-Bounty for my Critical Finding. |
Kishan Kumar / Noobie BoY (@hst_kishan) |
- |
Information disclosure |
$7,000 |
10/31/2020 |
| Abusing ‘Report Abuse’ |
Aseem Shrey (@AseemShrey) |
- |
Logic flaw, Authorization flaw |
$200 |
10/31/2020 |
| Beyond the wall: command injection still alive. |
Ahmed Constant (@a_Constant_) |
- |
Command injection |
- |
10/31/2020 |
| Ability To Backdoor Facebook For Android |
Ash King |
Facebook |
Insecure deeplink |
- |
10/30/2020 |
| Wormable remote code execution in Alien Swarm |
mev |
Valve |
RCE |
- |
10/30/2020 |
| Manual broken link monitoring |
Mohamed Talaat (@T4144t) |
- |
Rale limiting bypass, OTP bypass |
- |
10/30/2020 |
| Manual broken link monitoring |
GrumpinouT (@RVerwilghen) |
- |
Broken link hijacking |
- |
10/29/2020 |
| Story of an interesting bug. |
Vedant Tekale (@_justYnot) |
- |
Lack of rate limiting, DoS |
- |
10/28/2020 |
| Error-Based SQL Injection on a WordPress website and extract more than 150k user details |
Ynoof Alassiri |
- |
SQL injection |
- |
10/27/2020 |
| Automating xss identification with Dalfox & Paramspider |
Paras Arora (@parasarora06) |
- |
Reflected XSS |
- |
10/27/2020 |
| How i got 250$ in 5 munites using my phone |
telaviv_h4x0r |
Basecamp |
HTML injection |
$250 |
10/26/2020 |
| Link Previews: How a Simple Feature Can Have Privacy and Security Risks |
Talal Haj Bakry (@parasarora06) & Tommy Mysk |
Discord, Facebook, Google, LINE, LinkedIn, Slack, Twitter, Zoom |
Information disclosure |
- |
10/25/2020 |
| Perform substring search for emails even if Workplace admin hides email profile field. |
Manas Harsh |
Google |
IDOR |
- |
10/25/2020 |
| Accidental Observation to Critical IDOR |
Harsh Bothra (@harshbothra_) |
- |
IDOR |
- |
10/24/2020 |
| Samsung S20 - RCE via Samsung Galaxy Store App |
F-Secure |
Samsung |
RCE |
$0 |
10/23/2020 |
| 300$ P3 Easy Bug in 30 Seconds |
Omar Hamdy (@seaman00o) |
- |
Lack of authentication, Broken access control |
$300 |
10/22/2020 |
| Perform substring search for emails even if Workplace admin hides email profile field. |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Authorization flaw |
$2,000 |
10/21/2020 |
| Facebook Page Admin Disclosure |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Information disclosure |
$3,000 |
10/21/2020 |
| GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty |
William Bowling / vakzz (@wcbowling) |
GitHub |
RCE, Path traversal |
$25,000 |
10/20/2020 |
| Back to 2019: Disclosure Employers PII and Credentials |
Saneklarek (@wh11tew0lf) |
- |
Information disclosure |
$1,000 |
10/20/2020 |
| GitHub Gist - Account takeover via open redirect - $10,000 Bounty |
William Bowling / vakzz (@wcbowling) |
GitHub |
Open redirect, Account takeover |
$10,000 |
10/19/2020 |
| GitHub - RCE via git option injection (almost) - $20,000 Bounty |
William Bowling / vakzz (@wcbowling) |
GitHub |
RCE |
$20,000 |
10/18/2020 |
| Discord Desktop app RCE |
Masato Kinugawa (@kinugawamasato) |
Discord |
RCE |
$5,000 |
10/17/2020 |
| Weaponizing XSS For Fun & Profit |
Saad Ahmed (@XSaadAhmedX) |
- |
XSS, CSRF |
$2,200 |
10/14/2020 |
| I had fun with this XSS |
yappare (@yappare) |
- |
XSS |
- |
10/13/2020 |
| Blind SSRF - The Hide & Seek Game |
Shrey Shah (@ShreySh43332033) |
- |
Blind SSRF |
$400 |
10/13/2020 |
| How I find my first P1 level Bug. $$$ |
Harsh |
- |
XSS |
- |
10/13/2020 |
| Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account |
Mustafa Ahmed (@mustafa0x2021) |
Facebook |
Information disclosure |
$500 |
10/12/2020 |
| Guest Blog Post: Rollback Attack |
Xiaoyin Liu (@general_nfs) |
Mozilla |
Local Privilege Escalation |
- |
10/12/2020 |
| Unauthorized access to all the user’s account. |
Rahul Naidu |
- |
Account takeover, Authentication bypass, JWT misconfiguration |
- |
10/12/2020 |
| Leveraging XSS to Read Internal Files |
Aditya Dixit (@zombie007o) |
- |
XSS, LFI |
- |
10/09/2020 |
| JS is l0ve ❤️. |
Shivam Kamboj Dattana (@sechunt3r) |
- |
Information disclosure, API key leakage |
$5,000 |
10/09/2020 |
| Weak Password Setting function on practo.com |
dark-haxor |
Practo |
Authorization flaw |
$0 (Won’t fix) |
10/09/2020 |
| CVE-2018–5230 | JIRA Cross Site Scripting |
Paras Arora (@parasarora06) |
- |
Reflected XSS |
- |
10/09/2020 |
| Exploiting Admin Panel Like a Boss |
Shivam Kamboj Dattana (@sechunt3r) |
- |
Authorization bypass, Weak credentials |
$1,500 |
10/08/2020 |
| ATO via Host Header Poisoning |
Shivam Kamboj Dattana (@sechunt3r) |
- |
Host header injection, Account takeover, Password reset flaw |
$2,000 |
10/08/2020 |
| Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure |
Intezer |
Microsoft |
Privilege escalation, RCE |
- |
10/08/2020 |
| SVE-2020-18025: Unauthorised access to Samsung secure folder files |
Rahul Kankrale (@RahulKankrale) |
Samsung |
Authorization flow |
$3,750 |
10/07/2020 |
| Research: The mass CSRFing of .google.com/ products. |
Missoum Said (@missoum1307) |
Google |
CSRF |
$30,000 |
10/07/2020 |
| 6k$ Worth Account Takeover via IDOR in Starbucks Singapore |
Kamil Onur Özkaleli (@ko2sec) |
Starbucks |
IDOR, Account takeover |
$6,000 |
10/07/2020 |
| Sensitive Info Leak in Curve App [Bug Bounty] |
ΡRΛSΞUDΟ ® (@praseudo) |
Curve |
Information disclosure |
$1,500 |
10/07/2020 |
| Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program |
McAfee Advanced Threat Research (ATR) |
Microsoft |
Local privilege escalation, RCE, Security Feature bypass |
$160,000 |
10/06/2020 |
| 90 days, 16 bugs, and an Azure Sphere Challenge |
Cisco Talos |
Microsoft |
Local privilege escalation, RCE, DoS, Information disclosure |
- |
10/06/2020 |
| Watch your requests! Open redirect to a complete account takeover |
ninetynine (@ninetyn1ne_) |
- |
Path traversal, Open redirect, SSRF, Account takeover |
- |
10/05/2020 |
| Easy wins : verbose error worth Facebook HOF |
Mukul Lohar (@ironfisto) |
Facebook |
Information disclosure |
$500 |
10/05/2020 |
| Leveraging LFI to RCE in a website with +20000 users |
Kleitonx00 |
- |
LFI, RCE |
- |
10/04/2020 |
| Spend more time doing recon, you’ll find more BUGS. |
Vedant Tekale (@_justYnot) |
- |
Reflected XSS, Information disclosure |
- |
10/03/2020 |
| Exploiting Payment Gateways |
letmeslidein (@VasuYadaav) |
- |
Payment tampering |
- |
10/03/2020 |
| Journey Of My First Bug Bounty (Nov 2018) |
Harsh Tyagi (@harshtya9i) |
Samsung |
Authentication bypass |
$200 |
10/02/2020 |
| Arbitrary code execution on Facebook for Android through download feature |
Sayed Abdelhafiz (@dPhoeniixx) |
Facebook |
Arbitrary code execution |
$10,000 |
10/02/2020 |
| The Powerful HTTP Request Smuggling 💪 |
Ricardo Iramar dos Santos (@ricardo_iramar) |
- |
HTTP Request Smuggling |
$17,050 |
10/01/2020 |
| Write Up – Google Bug Bounty: XSS To Cloud Shell Instance Takeover (Rce As Root) – $5,000 USD |
@omespino |
Google |
XSS, RCE |
$5,000 |
10/01/2020 |
| Story of a weird vulnerability I found on Facebook |
Amine Aboud (@amineaboud) |
Facebook |
Authentication bypass, Information disclosure |
- |
09/30/2020 |
| The Art of IDOR: 7 IDORs in Edm0d0 |
Pratyush Anjan Sarangi |
Edmodo |
IDOR |
- |
09/29/2020 |
| Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts |
Thomas Orlita (@ThomasOrlita) |
Google |
GCP bucket misconfiguration, Information disclosure |
- |
09/29/2020 |
| Taking down the SSO, Account Takeover in the Websites of Kolesa due to Insecure JSONP Call |
Yasho (@YShahinzadeh) |
- |
Account takeover |
- |
09/28/2020 |
| 5 Ways to do Account Takeover in a Single Website |
letmeslidein (@VasuYadaav) |
- |
Account takeover, OAuth misconfiguration, Lack of rate limiting, OTP bypass, IDOR, JWT misconfiguration |
- |
09/27/2020 |
| Chains on Chains: Chaining multiple low-level vulns into a Critical. |
Daniel Marte (@Masonhck3571) |
- |
Blind XSS, CSP bypass, Lack of rate limiting, Exposed JWT generation endpoint |
- |
09/26/2020 |
| Hacking the Medium partner program |
Mohammad-Ali Bandzar |
Medium |
Logic flaw |
- |
09/26/2020 |
| Parameter Tampering ₹→$ |
SuneetSingh |
- |
Parameter tampering |
- |
09/26/2020 |
| Advisory: security issues in AWS KMS and AWS Encryption SDKs |
Thai Duong (@XorNinja) |
Amazon |
Cryptographic issues, Information disclosure |
- |
09/25/2020 |
| PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover |
Pradeep Kumar (@Killer007p) |
- |
IDOR, Information disclosure |
- |
09/25/2020 |
| Dangling DNS: AWS EC2 |
Mohamed Elbadry (@_melbadry9) |
- |
Dangling DNS records, Subdomain takeover |
$2,900 |
09/24/2020 |
| VMware Workstation: Attack surface through Virtual Printer |
Lê Hữu Quang Linh (@linhlhq) |
VMWare |
Memory corruption bug, Integer overflow |
- |
09/23/2020 |
| #Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$ |
ganiganesh (@ganiganeshss79) |
- |
IDOR, Information disclosure |
$800 |
09/22/2020 |
| Fun with Header and Forget Password |
Vuk Ivanovic |
- |
HTTP Header Injection |
- |
09/22/2020 |
| suPHP - The vulnerable ghost in your shell🎯Business Logic Flaw in Google Acquisition! (Hall Of Fame)🎯 |
Ritesh Gohil (@RiteshG37659480) |
Google |
Logic flaw |
- |
09/21/2020 |
| suPHP - The vulnerable ghost in your shell |
Maxime (@punkeel) & (@swapgs) |
- |
Local privilege escalation |
- |
09/21/2020 |
| Unauthenticated File upload Vulnerability on Synology Sub-domain |
Touhid Shaikh |
Synology |
Unrestricted file upload |
$2,000 |
09/20/2020 |
| How I earned $500 from Google - Flaw in Authentication |
Hemant Patidar (@HemantSolo) |
Google |
Authentication flaw |
$500 |
09/20/2020 |
| $25K Instagram Almost XSS Filter Link — Facebook Bug Bounty |
Andres Alonso |
Facebook |
OTP bypass, 2FA bypass |
$200 |
09/20/2020 |
| How I By-pass the login page and 2FA authentication….. |
Harsh |
- |
Authentication bypass, OTP bypass, 2FA bypass |
- |
09/20/2020 |
| Emoji error handling |
shesha sai_c (@Cyb3r_4ss4s1n) |
- |
ssss |
- |
09/19/2020 |
| CVE-2020-9964 - An iOS infoleak |
Muirey03 (@Muirey03) |
Apple |
Memory initialisation issue |
- |
09/19/2020 |
| Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty (512$) |
Muhammed Eren Uygun (@erenuyguun) |
NodeBB |
IDOR, Account takeover |
$512 |
09/19/2020 |
| Reflected XSS via a hidden parameter on Dutch Gov. website |
Supras (@LdrTom) |
Dutch Government |
Reflected XSS |
$0 (VDP), Swag |
09/19/2020 |
| My First Bug Bounty From Bug Bounty Platform redstorm.io |
Novan Aziz Ramadhan (@novan_rmd) |
RedStorm |
CSRF |
- |
09/17/2020 |
| Dropbox Escalation of Privileges to SYSTEM on Windows |
Teresa Alberto |
Dropbox |
Local privilege escalation |
$0 (Duplicate) |
09/17/2020 |
| Res-block: Extension Resources Block Attack on Chrome’s Incognito Mode |
Piyush Raj (@0x48piraj) |
Google |
Browser bug |
- |
09/16/2020 |
| How I Accidentally Got My First Bounty From Facebook |
Bishal Shrestha (@bishal0x01) |
Facebook |
Logic flaw |
- |
09/15/2020 |
| Account takeover by OTP bypass |
Bhavarth Kandoria/td>
<td markdown="span">- |
OTP bypass |
- |
09/13/2020 |
| Business logic vulnerabilities — Low-level logic flaw |
Harry D |
- |
Logic flaw |
- |
09/13/2020 |
| SQL Injection & Remote Code Execution - Double P1 |
Shrey Shah (@ShreySh43332033) |
- |
SQL injection, RCE |
$0 (VDP) |
09/13/2020 |
| How I hacked redbus [An online bus-ticketing application] |
Sangeetha Rajesh S(@rajesh_sangi12) |
redBus |
LFI, SSRF/td>
<td markdown="span">- |
09/12/2020 |
| How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM |
Orange Tsai (@orange_8361) |
Facebook |
RCE, JNDI Injection |
- |
09/12/2020 |
| Universal XSS in Android WebView (CVE-2020-6506) |
Alesandro Ortiz (@AlesandroOrtizR) |
Google, Microsoft, Twitter |
UXSS |
$15,560+ |
09/10/2020 |
| Unintended Behaviour of domain got me P4 |
Takester (@dhiraj_ramteke) |
- |
Logic flaw |
- |
09/10/2020 |
| How often do we overlook vulnerabilities? |
Baibhav Anand (@SpongeBhav) |
HackerOne |
IDOR, Information disclosure |
- |
09/09/2020 |
| CVE-2020-8150 – Remote Code Execution as SYSTEM/root via Backblaze |
Jason Geffner (@JasonGeffner) |
Backblaze |
RCE, Elevation of Privilege |
- |
09/09/2020 |
| XSS->Fix->Bypass: 10000$ bounty in Google Maps |
Zohar Shachar |
Google |
XSS |
$10,000 |
09/07/2020 |
| From Android Static Analysis to RCE on Prod |
Aditya Dixit (@zombie007o) |
- |
RCE, Directory listing, Lack of authentication |
- |
09/07/2020 |
| My first bug in google and how i got CSRF token for victim account rather than bypass it ($1337)! |
Oday Alhalbe |
Google |
CSRF |
$1,337 |
09/07/2020 |
| Never Give Up, The Story Behind a Dupe-To-Triaged |
Alan Brian (@soyelmago) |
- |
XSS, OAuth flaw, Account takeover |
- |
09/06/2020 |
| XSS that can pay your Bills :) |
Smile Hacker (@smile_hacker) |
- |
Reflected XSS |
€500 |
09/05/2020 |
| How_i_was_able_to_pawned_website_via_escilating_webcache deception to rce |
mohit (@mohit29295572) |
- |
Web Cache Deception, SSRF, RCE |
- |
09/05/2020 |
| Account Takeover via IDOR |
Roma Ramazanoff (@r0hack) |
- |
IDOR, Account takeover |
$25,000 |
09/04/2020 |
| Stop scratching the surface, and hack the dependencies |
Rotem Reiss (@rotem_reiss) |
- |
Stored XSS |
- |
08/31/2020 |
| Page shops with a hidden Product in “Featured product section” which could be controlled by attacker (Ex Editor). |
Rohit kumar (@rohitcoder) |
Facebook |
Logic flaw |
$0 (Informative) |
08/31/2020 |
| Unhiding the hidden |
I am Broot |
- |
Client-side enforcement of server-side security, Authorization flaw, CSRF |
$530 |
08/30/2020 |
| The Importance of keeping up to date, or how I found an interesting bug thanks to a tweet |
Vuk Ivanovic |
- |
Stored XSS |
- |
08/29/2020 |
| Oversecured automatically discovers persistent code execution in the Google Play Core Library |
Oversecured |
Google |
Arbitrary code execution in Android app |
- |
08/28/2020 |
| My Hacking Adventures With Safari Reader Mode |
Nikhil Mittal (@c0d3G33k) |
Apple |
CSP bypass, SOP bypass |
- |
08/27/2020 |
| Accessing the website directly through its IP address, a case of a poorly hidden sql injection |
Vuk Ivanovic |
- |
SQL injection |
- |
08/27/2020 |
| Auth bypass: Leaking Google Cloud service accounts and projects |
Ezequiel Pereira (@epereiralopez) |
Google |
Authentication bypass |
- |
08/26/2020 |
| Stealing local files using Safari Web Share API |
Pawel Wylecial (@h0wlu) |
Apple |
Browser bug |
$0 |
08/24/2020 |
| Bug Bounty Failsx101[4] |
ArcherL (@realArcherL) |
- |
2FA bypass |
$0 (Informative) |
08/26/2020 |
| Waze: How I Tracked Your Mother |
Peter Gasper (@malgregator) |
Waze |
Logic flaw, Information disclosure |
$1,337 |
08/25/2020 |
| Account Takeover For The Win 🏆 |
Ricardo Iramar dos Santos (@ricardo_iramar) |
- |
Account takeover, Authentication flaw, Password reset flaw |
$2,225 |
08/24/2020 |
| How I was able to find easy P1 just by doing Recon |
Kirtan Patel (@kirtanpatel9111) |
- |
LFI |
- |
08/22/2020 |
| The Short tale of two bugs on Google Cloud Product— Google VRP [Resolved] |
Sriram Kesavan (@sriramoffcl) |
Google |
IDOR, Privilege of escalation |
- |
08/22/2020 |
| Upload to the future |
Vuk Ivanovic |
- |
IDOR |
- |
08/22/2020 |
| How I Found My First Bug Stored Xss and Earned My First Bounty 1000$ |
Nazmul Haque (@0xnazmul) |
Badoo |
Stored XSS |
$1,000 |
08/21/2020 |
| (Shopify.com) Blind Stored XSS Via Staff Name \(\) |
Rio Mulyadi (@riomulyadi_) |
Shopify |
Stored XSS |
$0 (Out of scope) |
08/19/2020 |
| The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer |
Allison Husain (@ezhes_) |
Google |
Email spoofing |
$0 (Out of scope) |
08/19/2020 |
| A perfect duplicate or how to send an email with a spoofed invoice’s content |
Mateusz Olejarka (@molejarka) |
- |
Email spoofing, Open mail relay, Lack of authentication |
$0 (Duplicate) |
08/19/2020 |
| Django debug mode to RCE in Microsoft acquisition |
Syed Abuthahir (@writerabu) |
Microsoft |
Information disclosure, RCE |
- |
08/19/2020 |
| Escalating a GitHub leak to takeover entire organization |
Shashank (@cyberboyIndia) |
- |
Information disclosure |
$4,000 |
08/18/2020 |
| Fun with header and forget password, with a twist: |
Vuk Ivanovic |
- |
Password reset flaw, Host header injection |
- |
08/18/2020 |
| How to contact Google SRE: Dropping a shell in cloud SQL |
[email protected] (@wtm_offensi) & Ezequiel Pereira (@epereiralopez) |
Google |
SQL injection, Privilege escalation, Parameter injection, RCE |
- |
08/18/2020 |
| How could I Tag Photo to any user’s Scrapbook on Facebook |
Raja Sudhakar (@Rajasudhakar) |
Facebook |
Authorization flaw |
- |
08/18/2020 |
| From SQL Injection to Hall Of Fame |
Jadek Mark (@mase289) |
- |
SQL injection |
$0 (VDP) |
08/18/2020 |
| Windows AppX Deployment Service Local Privilege Escalation (CVE-2020-1488 |
ACTIVELabs |
Microsoft |
Local privilege escalation |
- |
08/18/2020 |
| Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties |
Abss (@absshax) |
Google, [Undisclosed programs] |
Hardcoded API keys, Information disclosure |
$30,000+ |
08/17/2020 |
| Account Takeover Using Re-Register [ Bug Bounty ] |
Myo Min Thu (@myominthu1337) |
- |
Account takeover |
$2,048 |
08/17/2020 |
| Stealing your data using XSS |
Viren Pawar (@VirenPawar_) |
- |
XSS |
- |
08/17/2020 |
| Witnet Network Bug Bounty: DOS Bug from Harsh Jain |
Harsh Jain |
Witnet |
DoS |
- |
08/17/2020 |
| InfluxDB Access at redact.8x8.com |
Myo Min Thu (@myominthu1337) |
8x8 |
Lack of authentication |
- |
08/16/2020 |
| How I got 450$ just in one Google search (SQLi + RXSS)? |
Zhenwar Hawlery |
- |
XSS, SQL injection |
$450 |
08/16/2020 |
| Disclosing wifi password via content provider injection in Xiaomi |
Vishwaraj Bhattrai (@vishwaraj101) |
Xiaomi |
Content provider injection |
- |
08/16/2020 |
| How I was able to send Authentic Emails as others — Google VRP [Resolved] |
Sriram Kesavan (@sriramoffcl) |
Google |
Logic flaw, HTML injection, Email spoofing, Open mail relay |
- |
08/15/2020 |
| How recon helped me to find an interesting bug… |
Vedant Tekale (@_justYnot) |
- |
Open redirect |
$0 (VDP) |
08/15/2020 |
| Open Sesame: Escalating Open Redirect to RCE with Electron Code Review |
spaceraccoon (@spaceraccoonsec) |
- |
Open redirect, RCE |
- |
08/14/2020 |
| Crowdsource Success Story: From an Out-of-Scope Open Redirect to CVE-2020-1323 |
Ozgur Alp (@ozgur_bbh) |
Microsoft |
Open redirect |
- |
08/14/2020 |
| Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020 |
Saugat Pokharel (@saugatpk5) |
Facebook |
Logic flaw, Privacy issue |
$6,000 |
08/14/2020 |
| Improper Implementation of My Status video time limit in WhatsApp |
Vishal Ranjan |
Facebook |
Logic flaw, Privacy issue |
$0 |
08/14/2020 |
| False2True, Match and Replace bug hunting — A cautionary tale |
Vuk Ivanovic |
- |
Privilege escalation |
- |
08/14/2020 |
| From Copy&Paste XSS To Full Account Takeover! |
be1807v (@BE1807V) |
- |
CSRF, Account takeover, XSS |
- |
08/13/2020 |
| Leaking AWS Metadata - The Unusual Way |
Shubham Garg (@nullb0t) |
- |
Information disclosure, RCE |
- |
08/13/2020 |
| Journey to my First Bug Hunt\(\) |
Bala Praneeth (@Begin_hunt) |
- |
CSRF |
$900 |
08/13/2020 |
| Blind OS Command Injection |
Ashik B |
- |
Command injection |
- |
08/12/2020 |
| Cache poisoning of wget |
Vuk Ivanovic |
- |
Web cache poisoning |
$0 |
08/12/2020 |
| Cracking the 2FA |
Rushikesh Gaikwad (@rsg_1212) |
- |
2FA bypass |
- |
08/12/2020 |
| How I made $2000 with URL REDIRECTION? |
Simran Singh |
- |
Open redirect, SQL injection |
$2,000 |
08/12/2020 |
| CVE-2020-1337 – PrintDemon is dead, long live PrintDemon! |
Paolo Stagno (@Void_Sec) |
Microsoft |
Local privilege escalation |
- |
08/11/2020 |
| How I was able to find page/personal account disclosure on Instagram |
Ajay Gautam (@evilboyajay) |
Facebook |
Information disclosure |
$2,000 |
08/11/2020 |
| Group Admin Can’t Able to Moderate Comments When Posted Through Page : Facebook Bug Bounty 2020 |
Prakash Panta (@Prakashpanta268) |
Facebook |
Logic flaw |
- |
08/11/2020 |
| CVE-2020-11518: how I bruteforced my way into your Active Directory |
Pieter Hiele (@honoki) |
- |
RCE, Insecure deserialization, Arbitrary file upload, Bruteforce |
- |
08/10/2020 |
| CSP Bypass Vulnerability in Google Chrome Discovered - Almost Every Website In The World Was At Risk |
Gal Weizman (@WeizmanGal) |
Google |
CSP bypass |
$3,000 |
08/10/2020 |
| My 2nd 4digit Bug Bounty From Facebook |
Sudip Shah |
Facebook |
Logic flaw, Information disclosure |
- |
08/10/2020 |
| Bypassing 403 |
Michael Hyndman (@michaelhyndman) |
- |
Authentication bypass |
- |
08/09/2020 |
| Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom |
Mazin Ahmed (@mazen160) |
Zoom |
Information disclosure, RCE, Memory leak |
$0 |
08/08/2020 |
| Bypassing Google Maps API Key Restrictions |
Aditya Dixit (@zombie007o) |
Google |
Logic flaw |
$0 |
08/08/2020 |
| Bug Hunting with Param Miner: Cache poisoning with XSS, a peculiar case |
Vuk Ivanovic |
- |
XSS, Web cache poisoning |
- |
08/08/2020 |
| Reflected XSS in Facebook’s mirror websites |
Sudhanshu Rajbhar (@sudhanshur705) |
Facebook |
Reflected XSS |
$500 |
08/08/2020 |
| The feature works as intended, but what’s in the source? |
Zseano (@zseano) |
- |
Information disclosure |
- |
08/08/2020 |
| How Our Co-Founder Earned $10.6K in just 10 Hours |
Tensecure Systems |
- |
Information disclosure |
$10,600 |
08/07/2020 |
| Exploiting JWT - Lack of Signature Verification |
Aditya Dixit (@zombie007o) |
- |
Account takeover |
- |
08/07/2020 |
| Smear phishing: a new Android vulnerability |
Jim Fisher (@MrJamesFisher) |
Google |
Smear phishing/td>
<td markdown="span">$0 |
08/06/2020 |
| Reflected XSS at fotoservice.hema.nl |
Jonathan Bouman (@JonathanBouman) |
Hema |
Reflected XSS, Open redirect |
- |
08/06/2020 |
| Blind SQL Injection at fasteditor.hema.com |
Jonathan Bouman (@JonathanBouman) |
Hema |
SQL injection |
- |
08/06/2020 |
| Stored XSS on Slack, Bug Bounty |
Tommysuriel |
Slack |
Stored XSS |
$4,875 |
08/06/2020 |
| Apache Example Servlet leads to \(\) |
Debangshu Kundu (@debangshu_kundu) |
- |
Clickjacking |
- |
08/06/2020 |
| CSRF PoC mistake that broke crucial functions for the end user/victim |
Vuk Ivanovic |
- |
Logic flaw |
- |
08/05/2020 |
| I want all these features |
Mohamed Ayad |
- |
Logic flaw, Payment tampering |
- |
08/05/2020 |
| How I was able to do Mass Account Takeover[Bug Bounty] |
Not Rickyy (@RickyyNot) |
- |
Password reset flaw |
- |
08/05/2020 |
| Vulnerability in new TouchID feature put iCloud accounts at risk of being breached |
Thijs Alkemade (@xnyhps) |
Apple |
OAuth flaw, Account takeover |
- |
08/03/2020 |
| Rare Race Condition — P3 |
Mohammed Ehssan (@alone_Wwolf) |
- |
Race condition |
$0 (Duplicate) |
08/03/2020 |
| Account takeover in cups.mail.ru |
kminthein / weev3 (@kyawminthein99) |
Mail.ru |
Logic flaw, Password reset flaw, Account takeover |
$1,500 |
08/03/2020 |
| Banning users Race condition |
Saddam Hussain (@wisdomfreak1) |
- |
Race condition |
- |
08/02/2020 |
| Multi-factor Auth Bypass with Password Reset Function |
Vaibhav Joshi (@vj0shii) |
- |
Password reset flaw, Account takeover |
- |
08/02/2020 |
| Refocusing in bug hunting, Bonus: An interestingly simple to test CSRF bypass |
Vuk Ivanovic |
- |
CSRF |
- |
08/01/2020 |
| CVE-2020-13379 Unauthenticated Full-Read SSRF in Grafana |
Justin Gardner (@Rhynorater) |
- |
SSRF, Open redirect |
- |
08/01/2020 |
| CVE-2020–9854: “Unauthd” - (three) logic bugs ftw! |
Ilias Morad (@A2nkF_) |
Apple |
Local Privilege Escalation, Logic flaw |
- |
08/01/2020 |
| Unauthd - Logic bugs FTW |
Ilias Morad (@A2nkF_) |
Apple |
Logic flaws |
- |
07/31/2020 |
| Bypassing OTP via reset password |
Ahmed Cj (@0x0Cj) |
- |
OTP bypass |
- |
07/30/2020 |
| Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code |
Zseano (@zseano) |
- |
Information disclosure |
- |
07/30/2020 |
| New features means new bugs |
Zseano (@zseano) |
- |
Logic flaw, Authorization flaw, Payment bypass |
- |
07/30/2020 |
| Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook |
Ashok Chapagai (@ashokcpg) |
Facebook |
Logic flaw |
- |
07/30/2020 |
| Exploiting Business Logic — Wallet Money |
Keshav Malik (@g0t_rOoT_) |
- |
Payment tampering, Logic flaw |
- |
07/30/2020 |
| One Click to Compromise – Fun With ClickOnce Deployment Manifests |
Dave Cossa (@G0ldenGunSec) |
Microsoft |
NTLMv2 hash disclosure, One-click execution of arbitrary .Net assemblies |
$0 |
07/30/2020 |
| Zoom Security Exploit – Cracking private meeting passwords |
Tom Anthony (@TomAnthonySEO) |
Zoom |
CSRF, Lack of rate limiting |
$0 |
07/29/2020 |
| THE NOOB WAY OF TAKING OVER ACCOUNTS |
Mudassir Sharief |
- |
Authorization flaw, Account takeover, Homograph attack |
$955 |
07/29/2020 |
| Stealing your Paytm information using XSS |
Viren Pawar (@VirenPawar_) |
Paymt |
XSS |
INR 94,700 (~ $1,261) |
07/29/2020 |
| XSS, RCE & HTML File Upload in same endpoint |
TariKul IsLam (@sa1tama0) |
- |
XSS, RCE, Unrestricted file upload |
$1,200 |
07/29/2020 |
| FFUF and my first bounty |
Suryansh Mansharamani |
- |
Information disclosure |
$300 |
07/29/2020 |
| Authorization bypass in Google’s ticketing system (Google-GUTS) |
Zohar Shachar |
Google |
Authorization flaw |
$1,337 |
07/28/2020 |
| Authentication_token_bypass Leads Too_idor |
mohit (@mohit29295572) |
- |
Authentication bypass |
- |
07/28/2020 |
| Pre-Access to Victim’s Account via Facebook Signup |
Akshansh Jaiswal (@Akshanshjaiswl) |
- |
OAuth flaw, Account takeover |
$500 |
07/28/2020 |
| Bug HTML Injection On Tokopedia ! |
jowi |
Tokopedia |
HTML injection |
- |
07/28/2020 |
| CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data |
Matt Shockley(@mattshockl) |
Apple |
MacOS privilege escalation, Authorization flaw |
- |
07/27/2020 |
| Exploiting popular macOS apps with a single “.terminal” file. |
Vladimir Metnew (@vladimir_metnew) |
Slack, Keybase, Telegram |
File Quarantine bypass |
- |
07/27/2020 |
| An unreproducable bug due to the load balancer, an unusual Open Redirect bug |
tololovejoi (@tolo7010) |
- |
Open redirect |
- |
07/27/2020 |
| How I bypassed 2fa in a 3 years old private program! |
Shivangx01b (@shivangx01b) |
- |
2FA bypass, Bruteforce, Lack of rate limiting |
- |
07/26/2020 |
| Obtained a bunch of sensitive data in just few steps — Hacking |
Airlangga Visnhu Murthi |
- |
AWS misconfiguration, Information disclosure |
$550 |
07/26/2020 |
| A Simple IDOR which should not be missed on dating site ;) |
neelam |
- |
IDOR, Information disclosure |
- |
07/26/2020 |
| DNS Rebinding, The treacherous attack it can be |
Vuk Ivanovic |
- |
DNS Rebinding |
$0 (OOS) |
07/25/2020 |
| A $5000 Account Takeover |
neelam |
- |
Account takeover, Password reset flaw |
$5,000 |
07/25/2020 |
| Hunting Android Application Bugs Using Android Studio. |
Tarek Mohammed (@Conan0x3) |
- |
Authorization flaw, Client-side enforcement of server-side security, Information disclosure |
$3,000 |
07/24/2020 |
| HTTP Parameter Pollution - It’s Contaminated |
Shrey Shah (@ShreySh43332033) |
- |
HTTP parameter pollution |
- |
07/24/2020 |
| Disclose content of internal Facebook javascript modules ( Revisited ) |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure, Authorization flaw |
- |
07/23/2020 |
| Hack Till Your Last Breath |
mechboy / m.u.h.e (@Muhe76355002) |
- |
IDOR |
$200 |
07/21/2020 |
| Increasing reward points N number of time |
Saddam Hussain (@wisdomfreak1) |
- |
Logic flaw |
- |
07/21/2020 |
| Denial of Service(DoS) By Regex |
Ashik B |
- |
DoS |
- |
07/20/2020 |
| The $1,000 worth cookie |
Jadek Mark (@mase289) |
Mail.ru |
XSS |
$1,000 |
07/19/2020 |
| DOS over wep application |
Mohamed Ayad |
- |
DoS |
- |
07/19/2020 |
| Chaining rate limiting for account lockout |
Sandip Oli |
- |
Lack of rate limiting |
- |
07/19/2020 |
| bypass user-restriction registration |
Mohamed Ayad |
- |
Logic flaw, Payment tampering |
- |
07/18/2020 |
| How I landed on my first bounty : No SPF / DMARC Record Found leading to Social Engineering Attack |
Fardeen Ahmed |
Lululemon |
No valid SPF records, No DMARC records |
$250 |
07/18/2020 |
| Unique Case for Price Manipulation | BugBounty | VAPT |
Harshit Sengar (@sengarharshit1) |
- |
Payment tampering |
- |
07/18/2020 |
| Creative Android pin bypass with Race conditon |
Baluz (@t3chman) |
- |
Race conditon, Authentication bypass |
- |
07/18/2020 |
| Android pin bypass with rate limiting |
Baluz (@t3chman) |
- |
Lack of rate limiting, Authentication bypass |
- |
07/18/2020 |
| Idor in google product |
Baluz (@t3chman) |
Google |
IDOR |
$5,000 |
07/17/2020 |
| How I lost my followers on Medium |
Florian (@fh4ntke) |
Medium |
GraphQL bug, Authorization flaw |
- |
07/17/2020 |
| The Story of My first 4 digit bounty from Facebook |
Sudip Shah |
Facebook |
Logic flaw, Information disclosure |
- |
07/17/2020 |
| I am able to see user’s sensitive data through JSON file. |
Saurabh siddharam sanmane (@saurabhsanmane2) |
- |
Information disclosure, Authorization flaw |
$150 |
07/17/2020 |
| The 3 Day Account Takeover |
Mr. Beast (@mr_beast) |
- |
Logic flaw, Password reset flaw, Account takeover, Bruteforce, Lack of rate limiting |
- |
07/17/2020 |
| Exploiting Imported Libraries to Bypass WAF |
Greg Gibson |
- |
Reflected XSS |
- |
07/14/2020 |
| SSRF in import file function |
Rafael Silva |
- |
SSRF |
- |
07/14/2020 |
| How An API Misconfiguration Can Lead To Your Internal Company Data |
Me9187 (@Me9187) |
- |
Information disclosure |
- |
07/12/2020 |
| Self stored xss to full account takeover |
Jatin Aesthetic (@techyfreakk) |
- |
XSS, Account takeover |
- |
07/12/2020 |
| Bug Bounty Experience: Unvalidated Redirection Vulnerability |
Simply Secure |
- |
Open redirect |
- |
07/12/2020 |
| How I was able to change victim’s password using IDN Homograph Attack |
Abhishek Karle (@AbhishekKarle3) |
- |
IDN homograph attack |
$600 |
07/11/2020 |
| A tale of critical account take over |
Shivam Pandey (@shivam31200) |
- |
Account takeover, Exposed JWT generation endpoint |
- |
07/10/2020 |
| Phone number validation bypass through url path manipulation . |
ben aymen (@ben_aymen_182) |
- |
OTP bypass |
$0 (Duplicate) |
07/10/2020 |
| Don’t stop at one bug \(\) |
Dheeraj Madhukar (@Dheerajmadhukar) |
- |
Open redirect, XSS, LFI |
- |
07/10/2020 |
| See whether a Hackercup Facebook participant allows recruitment contact |
Philippe Harewood (@phwd) |
Facebook |
Information disclosure, Logic flaw |
- |
07/09/2020 |
| Remote Denial-of-Service with Chrome |
Dan Lyton |
Google |
DoS |
$0 (OOS) |
07/09/2020 |
| Exploiting Application Logic to Referral Code Disclosure |
Vaibhav Joshi (@vj0shii) |
- |
Logic flaw, Information disclosure |
- |
07/09/2020 |
| Global grant uri in Android 8.0-9.0 (2018 year) |
Dzmitry Lukyanenka (@vulnano) |
Google |
Authorization flaw |
$0 (Duplicate) |
07/09/2020 |
| From N/A to Resolved For BackBlaze Android App[Hackerone Platform] Bucket Takeover |
Sahil Tikoo (@viperbluff) |
BackBlaze |
Hardcoded credentials, Information disclosure |
- |
07/09/2020 |
| Journey from low to critical bug $$$ |
Dheeraj Madhukar (@Dheerajmadhukar) |
- |
IDOR |
- |
07/09/2020 |
| From . in regex to SSRF — part 3 |
Niemiec Marcin (@xvnpw) |
- |
SSRF |
$400 |
07/07/2020 |
| How I found 10 Remote Code Execution in 10 minutes CVE-2020–5902 |
Saransh Srivastav (@malfuncti0n_) |
- |
RCE |
- |
07/07/2020 |
| XSS in Zoom.us Signup Flow |
Eduardo Vela (@sirdarckcat) |
Zoom |
XSS |
- |
07/07/2020 |
| Free blockchain storage – Tale of a bug in Substrate’s FRAME runtime |
Mudit Gupta (@Mudit__Gupta) |
Parity Technologies |
Blockchain bug |
$250 |
07/07/2020 |
| How i was able to bypass Email Confirm — P4 |
Mohammed Ehssan (@alone_Wwolf) |
- |
Information disclosure |
- |
07/06/2020 |
| Issue 1040755: Security: Another “universal” XSS via copy&paste |
Michał Bentkowski (@SecurityMB) |
Google |
Universal XSS, Browser bug |
$2,000 |
07/06/2020 |
| My First Bug: Blind SSRF Through Profile Picture Upload |
swaysthinking (@swaysThinking) |
- |
SSRF |
- |
07/05/2020 |
| RCE via image upload functionality |
Adwaith KS |
- |
Unrestricted file upload, RCE |
- |
07/05/2020 |
| Case Study I - Browser Anomaly with Facebook Apps -1500$ |
easySIEM (@easySIEM) |
Facebook |
Authorization flaw |
$1,500 |
07/05/2020 |
| Taking Over Files in a chat —IDOR in Microsoft Teams |
Aly Anwar (@alyanwarr) |
Microsoft |
IDOR |
$0 (N/A) |
07/05/2020 |
| From Host Header injection to SQL injection |
Daoud Youssef / smacker dodi (@daoud_youssef) |
- |
Host header injection, SQL injection |
- |
07/05/2020 |
| Why I paid 3.5K to become a TLD registrar reseller when doing bug bounty |
hg_real (@hgreal1) |
- |
XXE |
$7,500 |
07/05/2020 |
| BBC Bug Bounty Write-up | XSS Vulnerability |
Pethuraj (@Pethuraj) |
BBC |
Reflected XSS |
$0, Swag |
07/05/2020 |
| EN | Account Takeover and Sensitive Data Leakage via CORS Misconfiguration |
Lütfü Mert Ceylan (@lutfumertceylan) |
- |
CORS misconfiguration, CSRF, Account takeover |
- |
07/04/2020 |
| Bug bounty write-up: From SSRF to $4000 & Video |
thehackerish (@thehackerish) |
- |
SSRF, RCE |
$4,000 |
07/03/2020 |
| [Writeup][Bug Bounty][Tokopedia] Manipulate Other User’s Cart and Wishlist on Tokopedia [EN] |
Muhammad Thomas Fadhila Yahya (@fadhilthomas) |
Tokopedia |
IDOR |
$135 |
07/03/2020 |
| Breaking Business Logic via Coupons — The Story of my 1st Valid Bug Bounty |
Dominic Ifediri (@Edi4all) |
- |
Payment tampering, Logic flaw |
- |
07/03/2020 |
| How i got 200$ with an out of the box open redirect vulnerability |
Tarek Galleze |
- |
Open redirect, Token theft |
$200 |
07/03/2020 |
| Price Tampering due to Improper checks on applying Coupon |
Vaibhav Joshi (@vj0shii) |
- |
Payment tampering, Logic flaw |
- |
07/03/2020 |
| Admin disclosure of Facebook verified pages/ Disclose Facebook employee assigned to help a verified page. |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure |
$5,500 |
07/02/2020 |
| Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text |
Yasho (@YShahinzadeh) |
Virgool |
SSRF |
$2,500 |
07/02/2020 |
| How I made $1500 dollars using base64 decoder :) |
Dilip (@dilip_spartn) |
- |
Information disclosure |
$1,500 |
07/02/2020 |
| Misconfigured S3 Bucket Access Controls to Critical Vulnerability |
Harsh Bothra (@harshbothra_) |
- |
AWS misconfiguration |
- |
07/02/2020 |
| Blast from the past: Cross Site Scripting on the AWS Console |
Johann Rehberger (wunderwuzzi23) |
Amazon |
DOM XSS |
- |
07/01/2020 |
| Art of bug bounty: a way from JS file analysis to XSS |
Jakub Żoczek (@zoczus) |
Verizon Media, Tumblr |
XSS |
$1,000 |
07/01/2020 |
| ZombieVPN, Breaking That Internet Security |
0xSha (@0xsha) |
Bitdefender, AnchorFree |
RCE, Deserialization |
- |
07/01/2020 |
| Stored XSS with Password Recovery Page |
Lütfü Mert Ceylan (@lutfumertceylan) |
- |
Stored XSS |
- |
07/01/2020 |
| Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run |
CertiK (@certik_io) |
Symbol |
XSS, RCE |
- |
07/01/2020 |
| Story of stealing mail conversation, contacts in mail.ru and myMail iOS applications via XSS |
kminthein / weev3 (@kyawminthein99) |
Mail.ru |
Stored XSS |
$1,000 |
06/30/2020 |
| Using Inspect Element to Bypass Security restrictions | Bug Bounty POC |
Muhammad Khizer Javed (@khizer_javed47) |
- |
Client-side enforcement of server-side security |
- |
06/30/2020 |
| Patched Zoom Exploit: Altering Camera Settings via Remote SQL Injection |
Keegan Ryan (@inf_0_) |
Zoom |
SQL injection |
$2,000 |
06/29/2020 |
| API Endpoint leads to Account Takeover In Android Application |
Adesh Nandkishor kolte (@AdeshKolte) |
- |
Exposed token generation endpoint, Information disclosure |
- |
06/28/2020 |
| Taking over Azure DevOps Accounts with 1 Click |
Sean Yeoh (@seanyeoh) |
Microsoft |
Subdomain takeover, Account takeover |
$3,000 |
06/28/2020 |
| How I hacked a bank their application using it for hacking another bank company — 10K XSS |
hg_real (@hgreal1) |
- |
XSS |
$10,000 |
06/28/2020 |
| How I was able to take over any account via the Password Reset Functionality. |
Firas Fatnassi (@Fatnass1F1ras) |
- |
Password reset flaw, Account takeover |
- |
06/28/2020 |
| How I Bypassed open redirect and i have get reward from yandex |
Mino Metidji (@minometidjii) |
Yandex |
Open redirect |
$100 |
06/27/2020 |
| How i hacked worldwide ZOOM users |
s3c (@s3c_krd) |
Zoom |
OAuth flaw, Account takeover |
- |
06/27/2020 |
| Create hidden comment by blocking an Admin: Facebook Bug Bounty 2020 |
Saugat Pokharel (@saugatpk5) |
Facebook |
Logic flaw |
- |
06/25/2020 |
| Bug Bounty in Lockdown (SQLi and Business Logic) |
Abhishek Yadav (@abhishake100) |
- |
SQL injection, Logic flaw |
- |
06/24/2020 |
| All About Getting First Bounty with IDOR |
Mukul Trivedi (@M0hn1sh) |
- |
IDOR |
- |
06/23/2020 |
| Exploiting Bitdefender Antivirus: RCE from any website |
Wladimir Palant (@WPalant) |
Bitdefender |
RCE, Information disclosure |
$0 (Declined by bug hunter) |
06/22/2020 |
| A tale of my first ever full SSRF bug |
Jadek Mark (@mase289) |
- |
SSRF |
$1,000 |
06/22/2020 |
| Leveraging an SSRF to leak a secret API key |
Julien Cretel (@jub0bs) |
- |
SSRF |
$1,000 |
06/22/2020 |
| API Token Hijacking Through Clickjacking |
DarkLotus (@darklotuskdb) |
- |
Clickjacking |
- |
06/22/2020 |
| How i was able to chain bugs and gain access to internal okta instance |
Mmohammed Eldeeb (@malcolmx0x) |
- |
Lack of authentication |
- |
06/22/2020 |
| It took me only 5 minutes to find an RCE on Bentley |
Divyansh Sharma |
Bentley |
RCE, Weak credentials |
$300 |
06/21/2020 |
| Simple story of some complicated XSS on Facebook |
Bipin Jitiya (@win3zz) |
Facebook |
Reflected XSS |
- |
06/21/2020 |
| Bypass 2FA like a Boss |
Seqrity (@seQrity) |
- |
Lack of rate limiting, Bruteforce |
$0 (Duplicate) |
06/20/2020 |
| How did i find information Disclosure on Facebook-Writeup |
Alaa Abdulridha (@Madrid89001310) |
Facebook |
Information disclosure |
$1,500 |
06/20/2020 |
| An Interesting Account Takeover Vulnerability |
Avanish Pathak (@avanish46) |
- |
IDOR, Account takeover |
- |
06/20/2020 |
| Hacking Starbucks and Accessing Nearly 100 Million Customer Records |
Sam Curry (@samwcyo) |
Starbucks |
Path traversal |
$4,000 |
06/20/2020 |
| From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration |
YoKo Kho (@YokoAcc) |
- |
Information disclosure, MFA bypass |
$500 |
06/19/2020 |
| One Token to leak them all : The story of a $8000 NPM_TOKEN |
Aseem Shrey (@AseemShrey) |
Google |
Information disclosure |
$8,000 |
06/19/2020 |
| Replying on LiveStream leading to Page Admin Disclosure: Facebook Bug Bounty |
Saugat Pokharel (@saugatpk5) |
Facebook |
Information disclosure |
- |
06/18/2020 |
| Hackerone Bug Bounty Report: Hinge |
Tyle Butler (@tbutler0x90) |
Hinge |
Information disclosure |
$250 |
06/18/2020 |
| A subtle stored-XSS in WordPress core |
Sam Thomas (@_s_n_t) |
Wordpress |
Stored XSS, RCE |
- |
06/17/2020 |
| Bug bounty bout report 0x01 - WebRTC edition |
Enable Security (@enablesecurity) |
- |
Outdated component with a known vulnerability, DoS, RCE, Default credentials, SSRF |
- |
06/16/2020 |
| How I made more than $30K with Jolokia CVEs |
Patrik Fehrenbach (@ITSecurityguard) |
- |
Reflected XSS, RCE, Information disclosure |
$33,500 |
06/16/2020 |
| How I managed to Escalate privilege as admin |
Abisheik Magesh (@AbisheikMagesh) |
- |
Lack of rate limiting, Bruteforce, Weak credentials |
- |
06/16/2020 |
| How I was able to buy t-shirt for €1 — Payment Price Manipulation |
Muztahidul Tanim (@TheMuztahidul) |
- |
Payment tampering |
$2,000 |
06/16/2020 |
| All *.intercom.help subdomains vulnerable to Subdomain Takeover from intercom Service |
Mohamed Haron (@m7mdharon) |
Intercom |
Subdomain takeover |
$0 (N/A) |
06/16/2020 |
| Tail of IDOR |
Saddam Hussain (@wisdomfreak1) |
- |
IDOR |
$300 |
06/16/2020 |
| SMTP Injection in Gsuite |
Zohar Shachar |
Google |
SMTP injection |
$3,133.7 |
06/15/2020 |
| Reflected User Input == XSS! |
Silent Bronco (@silentbronco) |
- |
Reflected XSS |
$50 |
06/15/2020 |
| Business logic flaw in the invitation system allows to Takeover any account at a private company |
Daniel V. (@d4niel_v) |
- |
Account takeover, IDOR |
- |
06/15/2020 |
| Another “Fappening” on the Horizon? |
Sociosploit |
Apple |
Account takeover, Phishing |
- |
06/15/2020 |
| How to Secure AWS ServerLess Lambda from ReDoS(Regular Expression Denial-of-Service) & Resultant Financial Impact |
Ddigvijay (@itsdig) |
- |
ReDoS |
- |
06/14/2020 |
| Privilege escalation in Partners Portal to Admin access |
Samm0uda (@samm0uda) |
Facebook |
Privilege escalation |
- |
06/14/2020 |
| Disclose internal files related to testing of some Facebook tools |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure |
- |
06/14/2020 |
| Disclose the Instagram account linked to a Facebook user account or page |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure |
- |
06/14/2020 |
| Internal directories enumeration in www |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure, Internal directories enumeration |
- |
06/14/2020 |
| From . in regex to SSRF — part 1 & From . in regex to SSRF — part 2 |
Niemiec Marcin (@xvnpw) |
- |
SSRF |
- |
06/14/2020 |
| RACE Condition vulnerability found in bug-bounty program |
Pravinrp |
- |
Race condition |
- |
06/13/2020 |
| Account Takeover via OTP Bruteforce (Apigee API) |
Vishnuraj KV |
- |
OTP bypass, Bruteforce, Lack of rate limiting |
- |
06/13/2020 |
| DoS and BugBounties :A series of DoS attacks on HackerOne |
Ninad Mishra (@iamr000t) |
- |
DoS |
$500 |
06/12/2020 |
| Let’s Bypass CSRF Protection & Password Confirmation to Takeover Victim Accounts :D |
Harsh Bothra (@harshbothra_) |
- |
CSRF |
- |
06/12/2020 |
| Race Conditions - Exploring the Possibilities |
Milind Purswani (@MilindPurswani) |
Reddit, [Private programs] |
Race condition |
- |
06/11/2020 |
| HUNT for SQL Injection- The Smart Way! |
Mudassir Sharief |
- |
SQL injection |
- |
06/11/2020 |
| The Frustrating XSS |
Mr. Beast (@mr_beast) |
- |
XSS |
- |
06/11/2020 |
| Guest Blog: From File Upload to RCE |
Lukasz Wierzbicki (@v13rs8a) |
- |
Unrestricted file upload, RCE |
- |
06/10/2020 |
| Privilege Escalation by Changing HTTP Response (Admin Access) |
Bachrudin Ashari Pujakusuma (@Bachrudinashari) |
- |
Privilege Escalation |
IDR 8.000.000 (~ $563) |
06/10/2020 |
| Utilizing Lockdown: Blind Sqli leads to Account Takeover & Data Extraction |
Shakti Mohanty |
- |
Blind SQL injection, Account takeover |
$1,400 |
06/10/2020 |
| The “P5” Link Injection Story |
Silent Bronco (@silentbronco) |
- |
Link injection |
- |
06/10/2020 |
| Abusing Microsoft Teams rate limiting for DDoS |
Omayr Zanata (@omayrzanata) |
Microsoft |
DoS |
$0 (Informative) |
06/10/2020 |
| The Accidental RCE |
Mr. Beast (@mr_beast) |
- |
Unrestricted file upload |
$4,800 |
06/09/2020 |
| This is fine 🐶 |
Ricardo Iramar dos Santos (@ricardo_iramar) |
- |
Information disclosure |
$0 (Informative, Won’t fix) |
06/08/2020 |
| How i earned $500 from google by change one character . |
Oday Alhalbe |
Google |
CSRF |
$500 |
06/06/2020 |
| XSS to Database Credential Leakage & Database Access — Story of total luck! |
Harsh Bothra (@harshbothra_) |
- |
Reflected XSS, Information disclosure |
- |
06/06/2020 |
| From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response |
YoKo Kho (@YokoAcc) |
- |
Privilege Escalation |
$1,000 |
06/06/2020 |
| Multiple Information exposed due to misconfigured Service-now ITSM instances |
Th3G3nt3lman |
- |
Lack of authentication, Information disclosure |
$30,000 |
06/05/2020 |
| Account takeover via postMessage |
socket (@yxw21) |
- |
Account takeover |
$1,500 |
06/05/2020 |
| Local file read via XSS using PDF generate functionality |
Sanjay Singh Jhala (@lordjerry0x01) |
- |
XSS, LFI |
- |
06/05/2020 |
| Story of Blind SQL with a typo error. |
Amyrahm (@Amyrahm11) |
- |
SQL injection |
- |
06/05/2020 |
| [IDOR] Delete saved credit cards from any Business Manager Account — Facebook Bug Bounty |
Rohit kumar (@rohitcoder) |
Facebook |
IDOR |
- |
06/05/2020 |
| Another image removal vulnerability on Facebook |
Pouya Darabi (@Pouyadarabi) |
Facebook |
IDOR |
$10,000 |
06/04/2020 |
| Privilege Escalation in Google Cloud Platform’s OS Login |
Chris Moberly (@init_string) |
Google |
Privilege escalation |
- |
06/04/2020 |
| How I got my first big bounty payout with Tesla |
CJ Fairhead (@xyantix) |
Tesla |
Information disclosure |
$5,000 |
06/04/2020 |
| From CRLF to Account Takeover |
Valeriy Shevchenko |
- |
CRLF, HTTP response splitting, Reflected XSS, Account takeover |
- |
06/03/2020 |
| The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers |
Michał Bentkowski (@securitymb) |
Google, Mozilla |
XSS |
$30,000 |
06/02/2020 |
| Double URL-encoded XSS |
vict0ni (@vict0ni) |
- |
Reflected XSS |
- |
06/02/2020 |
| When it’s not only about a Kubernetes CVE… |
Reever Zax (@ReeverZax) & Hach (@_hach) |
Microsoft |
SSRF |
+$40,000 |
06/02/2020 |
| Information disclosure and reflected XSS on Tokopedia |
wis4nggeni |
Tokopedia |
Reflected XSS, Information disclosure |
- |
06/01/2020 |
| How I leveraged an interesting CSRF vulnerability to turn self XSS into a persistent attack? |
Akash Methani (@0xAkash) |
- |
Self XSS, CSRF |
- |
06/01/2020 |
| How I made $31500 by submitting a bug to Facebook |
Bipin Jitiya (@win3zz) |
Facebook |
SSRF |
$31,500 |
05/31/2020 |
| h1{Error based XXE - bug bounty writeup} |
f4d3 (@f4d3_cl) |
- |
XXE |
- |
05/31/2020 |
| Hunting on ASPX Application For P1’s [Unauthenticated SOAP,RCE, Info Disclosure] |
ElMahdi Mrhassel (@ElMrhassel) |
- |
RCE, Information disclosure, IDOR |
- |
05/31/2020 |
| Weird “Subdomain Take Over” pattern of Amazon S3 |
Simgamsetti Manikanta (@zaheckmania) |
- |
Subdomain takeover |
- |
05/31/2020 |
| The story of My First $xxx Bug Bounty From Facebook |
Sudip Shah |
Facebook |
Logic flaw, Information disclosure |
- |
05/31/2020 |
| Cross-site scripting: The power of the hidden parameters. |
Kassih Mouhssine (@KassihMouhssine) |
Sony |
Reflected XSS |
- |
05/30/2020 |
| Zero-day in Sign in with Apple |
Bhavuk Jain (@bhavukjain1) |
Apple |
Account takeover |
$100,000 |
05/30/2020 |
| Microsoft’s first bug |
Lê Hữu Quang Linh (@linhlhq) |
Microsoft |
File format vulnerability |
- |
05/30/2020 |
| Weak Cryptography Leads To Open Redirect |
DarkLotus (@darklotuskdb) |
- |
Open redirect |
- |
05/30/2020 |
| Analysis of CVE-2020-13693 |
Raphael Karger (@aptNum) |
Wordpress |
Privilege escalation |
- |
05/29/2020 |
| My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft |
Ben Sadeghipour (@nahamsec) & Serafina (Sera) Tonin Brocious (@daeken) |
Lyft |
SSRF |
- |
05/29/2020 |
| IDOR in session cookie leading to Mass Account Takeover |
Zonduhackerone (@zonduu1) |
- |
IDOR, Account takeover |
$2,000 |
05/29/2020 |
| XSS Stored On Messages In [ Outlook Web — Outlook Android App ] |
ElMahdi Mrhassel (@ElMrhassel) |
Microsoft |
Stored XSS |
- |
05/28/2020 |
| Bypassing WAF to perform XSS |
Kleitonx00 |
- |
XSS |
- |
05/28/2020 |
| How I was able to see Private Video Uploader Via Facebook Rights Manager.[Responsible Disclosure] |
Kishore TK (@kishoretk_off) |
Facebook |
Information disclosure |
- |
05/28/2020 |
| A Long Overdue Write-up: How I got into the Oppo Hall of Fame |
Shibin B. Shaji (@shibinbshaji06) |
Oppo |
Login screen bypass, Authentication bypass |
10,000 INR (~ $133) |
05/28/2020 |
| Clickjacking to Account Takeover |
Abhishek Yadav (@abhishake100) |
- |
Clickjacking |
- |
05/28/2020 |
| iOS Outlook Stored XSS Write-Up($3000) |
kminthein (@kyawminthein99) |
Microsoft |
XSS |
$3,000 |
05/28/2020 |
| Stored XSS in Microsoft outlook |
kminthein (@kyawminthein99) |
Microsoft |
Stored XSS |
- |
05/28/2020 |
| Stored XSS in Yahoo mail IOS app($3500) |
kminthein (@kyawminthein99) |
Yahoo |
Stored XSS |
$3,500 |
05/28/2020 |
| Android : SOP Bypass to steal system files. |
Rahul Kankrale (@RahulKankrale) |
- |
SOP bypass |
- |
05/28/2020 |
| Bug Hunting Stories: Schneider Electric & The Andover Continuum Web.Client |
Niv Levy (@restr1ct3d) |
Uber |
XXE, Reflected XSS |
- |
05/27/2020 |
| No-Rate and Input limitations on password reset page chained into Denial Of Service attack on one of US Dept of Defense website. |
Gal Nagli (@lagilgan1) |
U.S. Dept Of Defense |
Password reset flaw, DoS, Lack of rate limiting |
- |
05/27/2020 |
| Chaining an IDOR with a business-logic error to achieve critical impact |
Julien Cretel (@jub0bs) |
- |
IDOR, Logic flaw |
- |
05/26/2020 |
| How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber |
Andrey Abakumov (@andrewaeva) |
Uber |
HTTP request splitting, SSRF, CRLF, RCE |
- |
05/25/2020 |
| Story About OTP Bypass To Stored XSS |
PJ Borah (@PJBorah1) |
- |
OTP bypass, Stored XSS |
- |
05/23/2020 |
| Using P3 Bug to escalate other P4 to P3 |
Saddam Hussain (@wisdomfreak1) |
- |
Information disclosure |
- |
05/22/2020 |
| How Source code reading helped me find an IDOR |
Sanjay Verdu (@codersanjay) |
- |
IDOR, Information disclosure |
$0 (Swag) |
05/22/2020 |
| My First Bug Bounty — 2 Factor Authentication Bypass |
Talatmehmood |
- |
OTP bypass |
$100 |
05/22/2020 |
| Parsing the DOM elements of Other pages via XSS: A Bug Bounty Story |
Mandeep Jadon (@1337tr0lls) |
- |
XSS, Information disclosure |
- |
05/22/2020 |
| RCE in Google Cloud Deployment Manager |
Ezequiel Pereira (@epereiralopez) |
Google |
SSRF, RCE |
$31,337.00 |
05/21/2020 |
| Bypassing Message Request inbox |
Abdellah Yaala (@yaalaab) |
Facebook |
Authorization flaw, Logic flaw |
- |
05/21/2020 |
| Change any link at https://fbwat.ch/ |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw, Logic flaw |
$1,000 |
05/20/2020 |
| Become member of close & public group |
abdellah yaala |
Facebook |
Authorization flaw, Logic flaw |
$7,500 |
05/20/2020 |
| Easy bounties with subdomain discovery - Using Project Sonar for bug bounty |
Torben Capiau (@TorbenCapiau) |
Bpost |
Broken access control, Authorization flaw |
$100 |
05/20/2020 |
| How I got 200$ in 5 minutes – Sensitive data leak |
Sanjay Verdu (@codersanjay) |
- |
Information disclosure |
$200 |
05/19/2020 |
| How I was Able To Bypass Email Verification |
Saddam Hussain (@wisdomfreak1) |
- |
Email verification bypass |
$0 (Duplicate) |
05/19/2020 |
| Teradici and CVE-2020-10965: An issue of routing. |
Benjamin Heald (@heald_ben) |
Teradici, [Private program] |
Lack of authentication |
$1,350 |
05/18/2020 |
| FB & Messenger for iOS : Address Bar spoofing using data uri |
Rahul Kankrale (@RahulKankrale) |
Facebook |
Address Bar Spoofing, URL spoofing |
$3,000 |
05/18/2020 |
| CVE-2020–1088 — Yet another arbitrary delete EoP |
Søren Fritzbøger (@fritzboger) |
Microsoft |
Windows privilege escalation |
- |
05/18/2020 |
| Multiple flaws leads to Account Takeover within an Application |
Harshit Sengar (@sengarharshit1) |
- |
Account takeover, Password reset flaw, Sign-up flaw |
- |
05/18/2020 |
| My first 10k bdt bounty from an e-commerce site |
Md Saikat |
- |
IDOR |
10,000 BDT (~ $117) |
05/18/2020 |
| Tale of Account Takeovers (Part-2) |
Vijaysimha Reddy Bathini (@fatratfatrat) |
- |
Account takeover |
- |
05/17/2020 |
| Stored XSS Leads to Plaintext Password Disclosure |
bad5ect0r (@bad5ect0r) |
- |
Stored XSS, Information disclosure, Unrestricted file upload |
- |
05/17/2020 |
| One Param => $10k |
Bilal Khan (@bilalmerokhel) |
- |
IDOR, XSS, Account takeover |
$10,000 |
05/17/2020 |
| Account takeover CSRF Misconfiguration |
Saddam Hussain (@wisdomfreak1) |
- |
CSRF, Account takeover |
- |
05/17/2020 |
| Logical Bug which let me stop Users from Creating Ads at a Website |
Merbin Russel (e_23_e) |
- |
Logic flaw, DoS |
- |
05/17/2020 |
| Vulnerability – Account takeover using OAuth Misconfiguration |
Saddam Hussain (@wisdomfreak1) |
- |
OAuth misconfiguration, Account takeover, CSRF |
$300 |
05/16/2020 |
| How I was able to make users loss of money on Google Pay |
santuySec (@santuySec) |
Google |
Clickjacking |
$0 (Duplicate) |
05/16/2020 |
| Chained Bugs [ Account TakeOver ] |
Bilal Khan (@bilalmerokhel) |
- |
IDOR, XSS, Account takeover |
$1,050 |
05/16/2020 |
| Password Reset Poisoning leading to Account Takeover |
Swapnil Maurya (@swapmaurya20) |
- |
Password reset flaw, Account takeover |
- |
05/16/2020 |
| How I got my first swag on Edmodo with a simple XSS. |
Sanjay Verdu (@codersanjay) |
Edmodo |
Stored XSS |
$0 (Swag) |
05/16/2020 |
| Weak Cryptography in Password Reset to Full Account Takeover |
Harsh Bothra (@harshbothra_) |
- |
Account takeover, Password reset flaw, Cryptographic issues |
- |
05/15/2020 |
| Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability |
Talatmehmood |
- |
Payment tampering |
- |
05/14/2020 |
| $3000 Bug Bounty Award from Mozilla for a successful targeted Credential Hunt |
Johann Rehberger (wunderwuzzi23) |
- |
Information disclosure |
$3,000 |
05/13/2020 |
| Lucky Bug Which Let Me Change Name of Every Accounts at a Single Click |
Merbin Russel (e_23_e) |
- |
SQL injection |
- |
05/13/2020 |
| Change the profanity filter for any Facebook page |
Philippe Harewood (@phwd) |
Facebook |
Authorization flaw, Logic flaw |
$750 |
05/12/2020 |
| Magic of the Back Slash |
Anil Tom (mr_4nk) |
- |
Path traversal |
$2,100 |
05/11/2020 |
| How I made $10K in bug bounties from GitHub secret leaks |
Tillson Galloway (tillson_) |
- |
Information disclosure |
$10,000 |
05/10/2020 |
| Bypass XSS filter using HTML Escape |
Syahri Ramadan (@adonkidz7) |
Google |
XSS |
$4,133.70 |
05/08/2020 |
| $20000 Facebook DOM XSS |
Vinoth Kumar (@vinodsparrow) |
Facebook |
DOM XSS |
$20,000 |
05/07/2020 |
| I Found XSS Security Flaws in Rails – Here’s What Happened. |
Jesse Campos |
Ruby on Rails |
XSS |
$500 |
05/07/2020 |
| DOM-Based XSS at accounts.google.com by Google Voice Extension. |
missoum1307 (@missoum1307) |
Google |
DOM XSS |
$3,133.7 |
05/07/2020 |
| How we Hijacked 26+ Subdomains |
Aishwarya Kendle (@aish_kendle) |
- |
Subdomain takeover |
- |
05/07/2020 |
| DOM XSS Walkthrough |
Youssef Lahouifi (@YLahouifi) |
- |
DOM XSS |
- |
05/06/2020 |
| Google Acquisition XSS (Apigee) |
TnMch (@TnMch_) |
Google |
XSS |
- |
05/06/2020 |
| A tale of verbose error message and a JWT token |
Marek Geleta (@marek_geleta) |
- |
Information disclosure, Authorization flaw |
- |
05/05/2020 |
| Cool paste jacking attack earned me $$$ |
Aman Rawat (@theamanrawat) |
- |
Paste jacking |
- |
05/04/2020 |
| DOM XSS in Gmail with a little help from Chrome |
Enguerran Gillier (@opnsec) |
Google |
DOM XSS |
$5,000 |
05/03/2020 |
| #BugBounty — Adding Money Using Response Modification |
Line_no 6 |
- |
Payment tampering, Logic flaw |
- |
05/03/2020 |
| Private Dashboards were accessible by other Admins in Analytics Dashboard |
Rohit kumar (@rohitcoder) |
Facebook |
Authorization flaw |
- |
05/02/2020 |
| Reflected XSS on Microsoft.com via Angular Js template injection |
Pratik Dabhi (@impratikdabhi) |
Microsoft |
CSTI, XSS |
- |
05/02/2020 |
| Blind SSRF on coda.io |
Kleitonx00 |
Coda |
SSRF |
$0 (OOS) |
05/02/2020 |
| Exposure of Facebook object type by knowing the object ID |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure |
- |
05/02/2020 |
| Add draft subtitles to any Facebook video and Full Path Disclosure |
Samm0uda (@samm0uda) |
Facebook |
Information disclosure |
- |
05/02/2020 |
| Ok Google! bypass ‘flag_secure’ |
Pankaj Upadhyay (@_pupadhyay) |
Google |
Authorization flaw |
- |
05/01/2020 |
| The Story of Blind SSRF leads to internal Host discovery. |
kaustubh padwad (@s3curityb3ast) |
- |
SSRF |
$0 (OOS) |
05/01/2020 |
| Hacking Razer Pay Ewallet App |
Richard Tan (@sambal0x) |
Razer |
IDOR |
$6,000 |
04/30/2020 |
| Researching Polymorphic Images for XSS on Google Scholar |
Lorenzo Stella (@lorenzostella) |
Google |
Stored XSS |
$9,401.1 |
04/30/2020 |
| [Bug Bounty Writeups] Exploiting SQL Injection Vulnerability |
Ahmed ElTijani |
- |
SQL injection |
$2,000 |
04/30/2020 |
| Account taken over in style !!! |
kishore hariram (@kishorehariram) |
- |
Logic flaw, CSRF, Account takeover |
- |
04/30/2020 |
| Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin |
Florian Courtial (@theflofly) |
Trello |
XSS |
$3,600 |
04/29/2020 |
| Indirect UXSS issue on a private Android target app |
Kunal pandey (@kunalp94) |
- |
UXSS |
$1,000 |
04/29/2020 |
| Recon to Sensitive Information Disclosure in Minutes |
Harsh Bothra (@harshbothra_) |
- |
Information disclosure, Outdated component with a known vulnerability |
- |
04/28/2020 |
| Private giant chat app – Send message to victim while sender blocked |
Rahul Kankrale (@RahulKankrale) |
- |
Authorization flaw, Logic flaw |
- |
04/28/2020 |
| Piercing the Veal: Short Stories to Read with Friends |
d0nut |
DuckDuckGo, [Private programs] |
SSRF |
$4,800 |
04/27/2020 |
| Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams |
Omer Tsarfati (@OmerTsarfati) |
Microsoft |
Account takeover, Subdomain takeover |
- |
04/27/2020 |
| Bitrix WAF bypass |
Roma Ramazanoff (@r0hack) |
Mail.ru |
Reflected XSS |
$300 |
04/27/2020 |
| 1-click RCE on Keybase |
smaury (@smaury92) |
Keybase |
RCE |
$0 (Duplicate) |
04/27/2020 |
| Fun With CORS Misconfiguration — II |
Aman Gupta (@gupt4j1) |
- |
CORS misconfiguration, XSS |
- |
04/25/2020 |
| Web Cache Poisoning in Postmates [$1500] |
Aung Pyae Ko Ko (@BlcKVRtuL1) |
Postmates |
Web cache poisoning |
$1,500 |
04/24/2020 |
| From Recon to P1 (Critical) — An Easy Win |
Harsh Bothra (@harshbothra_) |
- |
Exposed registration page |
- |
04/24/2020 |
| Two Factor Authentication Bypass [ $50 ] |
Aung Pyae Ko Ko (@BlcKVRtuL1) |
- |
2FA bypass |
$50 |
04/24/2020 |
| Messenger Rooms Bug Bounty Write-up |
Jane Manchun Wong (@wongmjane) |
Facebook |
Privilege escalation, Authorization flaw |
- |
04/24/2020 |
| Misconfigured WordPress takeover to Remote Code Execution |
Smaran Chand (@smaranchand) |
- |
Wordpress takeover, RCE, Security misconfiguration |
- |
04/22/2020 |
| From P5 to P2, from nothing to 1000+$ |
Mohamed Daher (@DaherMohamed4) |
- |
Race condition, Self-XSS, Blind XSS |
> $1,000 |
04/22/2020 |
| The Secret sauce of bug bounty |
Mohamed Slamat (@oxxy37) |
- |
CSTI, Stored XSS, CORS policy bypass |
- |
04/22/2020 |
| Exploiting a Race Condition Vulnerability |
Vivek Kumar Singh (@v7nc3nz) |
- |
Race condition |
- |
04/22/2020 |
| CORS bug on GOOGLE’s 404 page REWARDED!!! |
Jayateertha Guruprasad (@JayateerthaG) |
Google |
CORS misconfiguration |
- |
04/21/2020 |
| DOM based open redirect to the leak of a JWT token |
Adolphoramirez |
- |
Open redirect, DOM-based open redirect, OAuth token theft |
- |
04/20/2020 |
| Google Maps API (Not the Key) Bugs That I Found Over the Years |
Ozgur Alp (@ozgur_bbh) |
Google |
Logic flaws |
- |
04/19/2020 |
| Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts |
Sam Curry (@samwcyo) |
Rocket League |
HTTP cache poisoning, Open redirect |
$0 (VDP) |
04/19/2020 |
| How was i able to find privilege escalation. |
Akshar Tank (@Akshar__tank) |
- |
IDOR, Authorization flaw |
- |
04/18/2020 |
| Here is the Non Technical write-up on Technical Bug for My Second Bounty of $xxxx From Facebook |
Ashok Chapagai (@ashokcpg) |
Facebook |
Logic flaw, Privacy issue |
- |
04/17/2020 |
| Strange Redirect (Fixed but no bounty) |
Abhishek Yadav (@abhishake100) |
- |
Open redirect |
- |
04/17/2020 |
| OTP Verification Bypass |
Kanhaiya Kumar Singh |
- |
OTP bypass |
- |
04/17/2020 |
| [Writeup][Bug Bounty][Instagram] Instagram Still Send New DMs and Video Calls to Device After Logout [ID][EN] |
Muhammad Thomas Fadhila Yahya (@fadhilthomas) |
Facebook (Instagram) |
Session management flaw |
$750 |
04/16/2020 |
| Tricky Oracle SQL Injection Situation |
yappare (@yappare) |
- |
SQL injection |
- |
04/16/2020 |
| Netflix Party — XSS Vulnerabilities |
kr-b (@pirxcy) |
Netflix |
XSS |
- |
04/14/2020 |
| $55,000 Facebook token leak vs Funny Airline token leak. |
MasterSEC (@MasterSEC_AR) |
- |
XSS |
$0, 50,000 miles |
04/14/2020 |
| Business Logic Errors - A New Look |
Shrey Shah (@ShreySh43332033) |
- |
Logic flaw |
- |
04/14/2020 |
| Bounty Tip !! Easiest way to bypass API’s Rate Limit. |
Shaurya Sharma (@ShauryaSharma05) |
- |
Rate limiting bypass |
- |
04/14/2020 |
| Hacking a Telecommunication company(MTN) |
Afolic |
MTN Group |
OTP bruteforce |
- |
04/13/2020 |
| How i Unlocked the blocked accounts? |
Maria Zulfiqar |
- |
Password reset flaw, HTTP parameter pollution, IDOR |
- |
04/11/2020 |
| The story of a fuzzing integration reward |
Andrea Brancaleoni (@nJoyneer) |
Google |
Memory corruption bugs |
$10,000 bounty |
04/08/2020 |
| Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs |
Thomas Orlita (@ThomasOrlita) |
Google |
IDOR |
- |
04/07/2020 |
| Unrestricted CV File Upload |
vict0ni (@vict0ni) |
- |
Unrestricted file upload |
- |
04/07/2020 |
| Stored XSS in Google Nest |
Harikrishnan Chandraganesan (@hari_cybex) |
Google |
Stored XSS |
- |
04/07/2020 |
| $3K Bounty For Elastic-Search Takeover |
Ashish Kunwar (@D0rkerDevil) |
- |
Elastic-Search Takeover |
$3,000 |
04/06/2020 |
| How we abused Slack’s TURN servers to gain access to internal services |
Sandro Gauci (@sandrogauci) |
Slack |
SSRF |
$3,500 |
04/06/2020 |
| How a Simple CSRF Attack Turned into a P1 Level Bug |
Lady Secspeare (@bejuveria_) |
- |
CSRF, Account takeover |
- |
04/05/2020 |
| Page Admin Disclosure: Facebook Bug Bounty 2020 |
Saugat Pokharel (@saugatpk5) |
Facebook |
Information disclosure, Logic flaw |
- |
04/04/2020 |
| Cannot Delete Post on Facebook Group: Facebook Bug Bounty |
Saugat Pokharel (@saugatpk5) |
Facebook |
Logic flaw |
- |
04/04/2020 |
| Playing with JSON Web Tokens for Fun and Profit |
Muhammad Qasim Munir (@MeetAn0nym0us) |
- |
Password reset flaw, Email confirmation bypass |
- |
04/04/2020 |
| Touch ID Authentication Bypass on Evernote and Dropbox IOS Apps |
Sahil Tikoo (@viperbluff) |
Evernote, Dropbox |
Authentication bypass |
- |
04/03/2020 |
| iPhone Camera Hack |
Ryan Pickren |
Apple |
Zero-Click Unauthorized Access to Sensitive Data |
$75,000 |
04/02/2020 |
| Hundreds of internal servicedesks exposed due to COVID-19 |
Inti De Ceukelaire (@securinti) |
- |
Security misconfiguration |
>$10,000 |
04/02/2020 |
| Always escalate! From Self-XSS to Persistent XSS on Login Portal |
Phuriphat Boontanon (@zanezenzane) |
- |
Self XSS, CSRF |
$650 |
04/02/2020 |
| Account Take Over without user Interaction |
Ravilla Bharath |
- |
Password reset flaw, Information disclosure, Account takeover |
$0 (Duplicate) |
04/02/2020 |
| Privilege Escalation - Hello Admin |
Shrey Shah (@ShreySh43332033) |
- |
Privilege escalation |
- |
04/02/2020 |
| The story of my first ever, 1500$, bounty from Facebook. |
Ashok Chapagai (@ashokcpg) |
Facebook |
Logic flaw |
$1,500 |
04/01/2020 |
| $3133.7 Google Bug Bounty Writeup- XSS Vulnerability! |
Pethuraj (@Pethuraj) |
Google |
Reflected XSS |
$3,133.7 |
04/01/2020 |
| Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
Microsoft |
RCE |
$0 |
03/31/2020 |
| Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability |
Duc Nguyen (@ducnt_) |
- |
SQL injection |
- |
03/31/2020 |
| Hacking makes me forget my pain |
Abida Fahd |
- |
SQL injection |
- |
03/31/2020 |
| Limited freemarker ssti to arbitrary liql query and manage lithium cms |
Mert (@mertistaken) & F. Celal Erdik (@celalerdik) |
- |
SSTI |
- |
03/30/2020 |
| Restriction is not a promise : Privilege escalation on Google. |
Hariharan.s (@DJHARIZ1) |
Google |
Privilege escalation, Authorization flaw |
$500 |
03/30/2020 |
| CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS |
cliqz (@cliqz) |
Mozilla, Brave |
Universal XSS |
- |
03/30/2020 |
| OTP Bruteforce- Account Takeover |
Ranjit Kumar |
- |
OTP bruteforce, Account takeover |
- |
03/29/2020 |
|
| Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study |
Abdulrahman Nour (@aboodnour) |
Bitdefender |
RCE |
$5,000 |
03/28/2020 |
|
| Executing scripts in Safari Reader Mode to CSP Bypass |
Nikhil Mittal (@c0d3G33k) |
Apple |
XSS, CSP bypass |
- |
03/28/2020 |
| I Want that Cookie !!! |
Adnan Malik (@infoadnanmalik) |
- |
Logic flaw |
- |
03/27/2020 |
| Exploiting magic links, critical bugs are one line away |
0xSha (@0xsha) |
Razer |
Information disclosure, Lack of authentication |
$0 (Duplicate) |
03/27/2020 |
| 1st Bug Bounty Write-Up — Open Redirect Vulnerability on Login Page |
Phuriphat Boontanon (@zanezenzane) |
- |
Open redirect |
$250 |
03/27/2020 |
| Getting lucky in bug bounty — shamelessly profiting off of other’s work |
Jeppe Bonde Weikop |
- |
Authentication bypass, Lack of rate limiting, Credentials sent over unencrypted channel |
$3,200 |
03/26/2020 |
| Account Takeover Flow In Mail.ru ‘s Ext.A Domain [ $150 ] |
Myo Min Thu (@myominthu1337) |
- |
Logic flaw, Account takeover |
$150 |
03/26/2020 |
| Exploitation of the CVE-2018-15961 – Unrestricted File Upload in Adobe ColdFusion |
Supras (@LdrTom) |
- |
Unrestricted file upload |
- |
03/26/2020 |
| XSS WAF & Character limitation bypass like a boss |
Prial Islam Khan (@prial261) |
- |
XSS |
- |
03/25/2020 |
| Self XSS to Account Takeover |
Ch3ckM4te |
- |
Account takeover, XSS, CSRF |
- |
03/24/2020 |
| Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image) |
Muhammad R. Maulana |
- |
RCE, Unrestricted file upload |
- |
03/21/2020 |
| API DOCS takeover on Readme.io |
Oktavandi (@0ktavandi) |
- |
Subdomain takeover |
- |
03/19/2020 |
| EN | Administrator level Privilege Escalation story |
Samet Sahin (@sametsahinnet) |
- |
Privilege escalation |
$0 (Duplicate) |
03/19/2020 |
| Reflected XSS on microsoft.com subdomains |
Raimonds Liepins (@lv_linkers) |
Microsoft |
Reflected XSS |
$0 |
03/19/2020 |
| Hacking — Always Check the Cross-domain Policy |
Jack |
Starbucks |
SOP bypass, CSRF |
$750 |
03/19/2020 |
| XXE-scape through the front door: circumventing the firewall with HTTP request smuggling |
Pieter Hiele (@honoki) |
- |
XXE |
- |
03/18/2020 |
| Where is my Train : Tracking to Hacking ! |
Anil Tom (mr_4nk) |
Google |
Reflected XSS, SQL injection |
- |
03/17/2020 |
| How I was able to verify any contact number for my account? |
Paras Arora (@parasarora06) |
- |
OTP bypass, 2FA bypass |
- |
03/17/2020 |
| Razer mobile PIN verification bypass $1k Bug |
Sourav Sahana (@kernel_rider) |
Razer |
OTP bypass, 2FA bypass |
$1,000 |
03/17/2020 |
| How I Earned $1750 at Shopify Bug Bounty Program |
Ashish Dhone |
Shopify |
XSS, Open redirect |
$1,750 |
03/16/2020 |
| Weak session validation bug let you login even after changing the session IDs and logging out from the accounts |
Manasjha (@manas_hunter) |
viator.com |
Logic flaw, Session management flaw |
- |
03/16/2020 |
| Using Vulnerability Analytics Feature Like a Boss |
Ozgur Alp (@ozgur_bbh) |
- |
SSRF, Reflected XSS, Authentication bypass |
$8,600 |
03/15/2020 |
| How I earned $800 for Host Header Injection Vulnerability |
Pethuraj (@Pethuraj) |
- |
Host header injection, Password reset flaw |
$800 |
03/15/2020 |
| My Weirdest Bug Bounty — Getting PII from O365. |
Omaid Faizyar (@rulesofthetrade) |
Microsoft |
Subdomain takeover |
$1,000 |
03/14/2020 |
| Blocked User Can Send Notification Due to Logical Bug in Instagram | First Instagram Bug |
Divyanshu Shukla |
Facebook |
Logic flaw |
$0 (Duplicate) |
03/14/2020 |
| What is your GCP infra worth?…about ~$700 [Bugbounty] |
Chris Gates (@carnal0wnage) |
Tokopedia |
Information disclosure |
$700 (Never paid) |
03/13/2020 |
| User’s email disclosure via invalid password reset link [$250] |
Myo Min Thu (@myominthu1337) |
- |
Password reset flaw, Information disclosure |
$250 |
03/13/2020 |
| API secret key Leakage leads to disclosure of Employee’s Information |
Ace Candelario (@phspades) |
- |
Information disclosure |
$2,000 |
03/13/2020 |
| Generate valid signatures for FBCDN urls |
Philippe Harewood (@phwd) |
Facebook |
Logic flaw, Authorization flaw |
- |
03/13/2020 |
| How I got access to critical data of a Company in no time ? |
Kaustubh Kale |
- |
Information disclosure, Lack of rate limiting, Bruteforce |
- |
03/12/2020 |
| [Bug Bounty] Email Content Injection |
Navneet (@na5n33t) |
- |
Email content injection |
$25 |
03/12/2020 |
| Generate valid signatures for files hosted in Facebook CDNs |
Samm0uda (@samm0uda) |
Facebook |
Authorization flaw, Logic flaw |
- |
03/11/2020 |
| Ability to bruteforce Instagram account’s password due to lack of rate limitation protection |
Samm0uda (@samm0uda) |
Facebook |
Lack of rate limiting, Bruteforce |
$3,000 |
03/11/2020 |
| How I was able to bypass the current password? |
Ninad Mathpati (@ninad_mathpati) |
- |
Account takeover, CSRF |
- |
03/11/2020 |
| OTP Bypass - Developer’s Check |
Shrey Shah (@ShreySh43332033) |
- |
OTP bypass |
- |
03/11/2020 |
| Finding a P1 in one minute with Shodan.io (RCE) |
sw33tLie (@sw33tLie) |
- |
RCE |
- |
03/11/2020 |
| Got Easiest Bounty with HTML injection via email confirmation! |
Shaurya Sharma (@ShauryaSharma05) |
- |
HTML injection |
- |
03/11/2020 |
| Vulnerable design leads to personal data leakage- yet another case of an inter-application vulnerability… |
Marcin Szydlowski (@SecurityKsl) |
- |
Logic flaw |
- |
03/09/2020 |
| Broke limited scope with a chain of bugs (tips for every rider CORS) |
Valeriy Shevchenko |
- |
CORS misconfiguration, RCE |
- |
03/09/2020 |
| The unexpected Google wide domain check bypass |
David Schütz (@xdavidhu) |
Google |
Logic flaw |
$6,000 |
03/08/2020 |
| Breaking the Competition (Bug Bounty Write-up) |
George O (@georgeomnet) |
- |
Race condition, DoS, Logic flaw, Session management flaw |
$0, Swag |
03/08/2020 |
| $5,005 worth vulnerability Duplicated, How I loose $5,005 in a day? Denial of Service - Billion LAUGH Attack (XXE) |
Muhammad Asim Shahzad |
- |
DoS, XXE |
$0 (Duplicate) |
03/08/2020 |
| Google Ads Self-XSS & Html Injection $5000 |
Syahri Ramadan (@adonkidz7) |
Google |
Self XSS, HTML injection |
$5,000 |
03/07/2020 |
| How I exploit the JSON CSRF with method override technique |
Simgamsetti Manikanta (@zaheckmania) |
- |
CSRF |
- |
03/07/2020 |
| Google Bug Bounty: Clickjacking on Google Payment (1337$) |
santuySec (@santuySec) |
Google |
Clickjacking |
$1,337 |
03/06/2020 |
| Got Bounty with Account takeover (ATO ) Unicode-Case Mapping Collision ! |
Shaurya Sharma (@ShauryaSharma05) |
- |
Account takeover |
- |
03/05/2020 |
| Bug Bounty catches part -1 |
Bijan Murmu (@0xBijan) |
- |
Lack of authentication, Information disclosure, Authorization flaw |
- |
03/04/2020 |
| Abusing Slack for Offensive Operations |
Cody Thomas (@its_a_feature_) |
Slack |
Logic flaw |
$0 (Informative) |
03/04/2020 |
| SOP Bypass |
Kenan (@kenanistaken) |
- |
SOP Bypass |
- |
03/03/2020 |
| Exploiting an SSRF: Trials and Tribulations |
A Bug’z Life (@abugzlife1) |
- |
SSRF |
$0 (Duplicate) |
03/03/2020 |
| ManageEngine ServiceDesk Plus: Arbitrary File Upload |
Duc Anh Bui |
- |
Arbitrary file upload, RCE |
- |
03/03/2020 |
| How I CSRF’d My First Bounty! |
Rajesh Ranjan (@rajesh_ranjan4) |
- |
CSRF |
$500 |
03/03/2020 |
| SQL Injection Via Stopping the redirection to a login page |
Abde Ouabala (@4mgh0z) |
- |
SQL injection, Authorization flaw |
- |
03/03/2020 |
| SSRF on PDF generator. |
John Michael (@michan2514) |
- |
SSRF |
- |
03/02/2020 |
| Discord embed spoofing |
DarkMatterMatt |
Discord |
Phishing |
$0 |
03/02/2020 |
| Facebook OAuth Framework Vulnerability |
Amol Baikar (@AmolBaikar) |
Facebook |
OAuth flaw |
$55,000 |
03/01/2020 |
| A mysterious bug in the firmware of Google’s Titan M chip (CVE-2019-9465) |
Alexander Bakker |
Google |
Cryptographic issues |
- |
02/29/2020 |
| Account Hijack using Authorization bypass \(\) |
Bhavesh Thakur (@Bhavesh_Thakur_) |
- |
Account takeover, Authorization flaw |
- |
02/28/2020 |
| Page Admin Disclosure via an Upgraded Page Post |
Dan Fabro (@0x61_) |
Facebook |
Authorization flaw, Information disclosure |
$3,000 |
02/28/2020 |
| The Tricky XSS |
Smaran Chand (@smaranchand) |
- |
XSS |
$0 (Won’t fix) |
02/28/2020 |
| Facebook CSRF bug which lead to Instagram Partial account takeover. |
Samm0uda (@samm0uda) |
Facebook |
CSRF, OAuth flaw |
$12,500 |
02/28/2020 |
| RCE via Apache Struts2 - Still out there. |
Abhishek (@abhishake100) |
- |
RCE |
- |
02/27/2020 |
| Write-up: AWS Document Signing Security Control Bypass |
Ozgur Alp (@ozgur_bbh) |
- |
AWS flaw |
$1,000 |
02/26/2020 |
| Long String DoS |
Shrey Shah (@ShreySh43332033) |
- |
DoS |
$100 |
02/26/2020 |
| How I Get my first P1 (Sensitive Information Disclosure) using WPScan |
Harrmahar (@harrmahar) |
- |
Information disclosure |
- |
02/26/2020 |
| How i found 3 SSRF in one day on different bug bounty targets |
Damanpreet Singh (@MrDamanSingh) |
- |
SSRF |
- |
02/25/2020 |
| Mail.Ru Ext.B Scope Account Takeover [ $1500 ] |
Myo Min Thu (@myominthu1337) |
Mail.ru |
Account takeover, OAuth flaw |
$1,500 |
02/25/2020 |
| Stored-XSS-on-groups-google-com |
Alessandro Rumampuk (@Rando02355205) |
Google |
Stored XSS |
$0 (Won’t fix) |
02/25/2020 |
| Discord DoS with a single message |
DarkMatterMatt |
Discord |
DoS |
$0 |
02/24/2020 |
| Reflected XSS In AT&T |
Myo Min Thu (@myominthu1337) |
AT&T |
Reflected XSS |
- |
02/23/202c0 |
| Tale of Account Takeovers (Part-1) |
Vijaysimha Reddy Bathini (@fatratfatrat) |
- |
Account takeover, HTTP Parameter pollution, Password reset flaw, OTP bypass |
$5,000 |
02/22/2020 |
| Hunting Tesla Model Y Secrets in the Parts Catalog |
Evan Connelly (@Evan_Connelly) |
Tesla |
Authorization flaw |
- |
02/22/2020 |
| Exploiting Jira for Host Discovery |
Alex Peña |
Atlassian |
CSRF |
- |
02/20/2020 |
| Hacking SMS API Service Provider of a Company |Android App Static Security Analysis | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
- |
Information disclosure, Hardcoded credentials |
- |
02/19/2020 |
| A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell |
spaceraccoon (@spaceraccoonsec) |
- |
XXE, RCE |
- |
02/18/2020 |
| From Recon to Optimizing RCE Results - Simple Story with One of the Biggest ICT Company in the World |
YoKo Kho (@YokoAcc) |
- |
Information disclosure, RCE |
- |
02/18/2020 |
| My First Bounty From Google. |
Syahri Ramadan (@adonkidz7) |
Google |
Self XSS, HTML injection |
$5,000 |
02/18/2020 |
| How We Found Another XSS in Google with Acunetix |
Andrey Leonov (@4lemon) |
Google |
XSS |
$5,000 |
02/17/2020 |
| Plan Change Logic in Google Fiber (Webpass) |
Craig Arendt (@signalchaos) |
Google |
Logic flaw, Payment tampering |
- |
02/17/2020 |
| Exploiting WebSocket [Application Wide XSS / CSRF] |
Osama Avvan (@osamaavvan) |
- |
XSS, CSRF |
- |
02/17/2020 |
| How I Gain Unrestricted File Upload Remote Code Execution Bug Bounty |
Shay Grant (@kidshay) |
- |
Unrestricted file upload |
- |
02/17/2020 |
| Uploading Backdoor For Fun And Profit. |
Mohammed Abdul Raheem (@mohdaltaf163) |
- |
Unrestricted file upload, RCE |
- |
02/17/2020 |
| How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties |
Red Timmy Security (@redtimmysec) |
- |
RCE |
- |
02/16/2020 |
| Open-redirect Vulnerability on Facebook |
dw1 |
Facebook |
Open redirect |
$500 |
02/16/2020 |
| Blind IDOR in LinkedIn iOS application |
Hailstorm (@hailstorm1422) |
LinkedIn |
IDOR |
$0 |
02/16/2020 |
| A Simple IDOR to Account Takeover |
Swapnil Maurya (@swapmaurya20) |
- |
IDOR, Account takeover |
$4,500 |
02/11/2020 |
| Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches |
Ozgur Alp (@ozgur_bbh) |
- |
Information disclosure |
$1,500 |
02/11/2020 |
| A step-by-step walk-through of an Invalid Endpoint |
Mohammed Israil (@mdisrail2468) |
- |
Information disclosure |
- |
02/09/2020 |
| External XML Entity via File Upload (SVG) |
Atul (@0xatul) |
- |
XXE, Unrestricted file upload |
- |
02/08/2020 |
| Determine users with detailed role model on behalf of any Facebook Application |
Amol Baikar (@AmolBaikar) |
Facebook |
IDOR |
- |
02/08/2020 |
| IDOR leads to Data leakage and Profile Update |
vict0ni (@vict0ni) |
- |
IDOR, Bruteforce |
- |
02/07/2020 |
| How Inspect Element Got me a Bounty |
Aditya Soni (@hetroublemakr) |
- |
Client-side enforcement of server-side security |
- |
02/06/2020 |
| Simple Remote Code Execution Vulnerability Examples for Beginners |
Ozgur Alp (@ozgur_bbh) |
- |
RCE, Unrestricted file upload |
$15,000 |
02/05/2020 |
| Google APIS ClickJacking ( $1337) |
Myo Min Thu (@myominthu1337) |
Google |
Clickjacking |
$1,337 |
02/05/2020 |
| Site wide CSRF on a popular program |
Ajinkya Pathare (@fellchase) |
- |
CSRF |
- |
02/05/2020 |
| How I Made $600 in Bug Bounty in 15 Minutes with Contrast CE – CVE- 2019-8442 |
David Lindner (@golfhackerdave) |
Atlassian (Jira) |
Information disclosure |
$600 |
02/05/2020 |
| Using CSRF I Got Weird Account Takeover |
Mohamed Sayed (@FlEx0Geek) |
- |
CSRF, Account takeover |
- |
02/05/2020 |
| An Unexpected Bounty — Email Bounce Issues |
Keshav Malik (@g0t_rOoT_) |
- |
DoS, Email Bounce Issue |
- |
02/05/2020 |
| Hijacking shared report links in Google Data Studio |
sushiwushi (@sushiwushi2) |
Google |
Authorization flaw |
- |
02/05/2020 |
| How, I dumped crypto data by chaining directory listing to open S3 Bucket |
Ddigvijay |
- |
AWS misconfiguration, Directory listing, Information disclosure |
- |
02/05/2020 |
| Arbitary File Upload too Stored XSS - Bug Bounty |
m0chan (@m0chan98) |
- |
Arbitrary file upload, Stored XSS |
- |
02/04/2020 |
| Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access |
Gal Weizman (@WeizmanGal) |
Facebook (WhatsApp) |
Stored XSS, CSP bypass, Open redirect, RCE |
$12,500 |
02/04/2020 |
| Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE |
Jatin Dhankhar (@jatindhankhar_) |
HackerEarth |
RCE |
- |
02/04/2020 |
| Exploiting Insecure Firebase Database! |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
- |
Insecure Firebase database |
- |
02/04/2020 |
| Easily leaking passenger information on an Airline |
Zseano (@zseano) |
- |
IDOR |
- |
02/04/2020 |
| CSRF CSRF CSRF… |
Navneet (@na5n33t) |
- |
CSRF |
$50 |
02/03/2020 |
| Tumblr Bug Bounty ( $200) |
Myo Min Thu (@myominthu1337) |
Automattic (Tumblr) |
Unrestricted file upload, XSS, Authorization flaw |
$200 |
02/02/2020 |
| Disclose Full Admin List of any Facebook Applications |
Amol Baikar (@AmolBaikar) |
Facebook |
IDOR |
- |
02/02/2020 |
| OK Google: bypass the authentication! |
Mattia Vinci |
Google |
Authentication bypass |
$0 (Wontfix) |
01/31/2020 |
| 2FA Bypass via Logical Rate Limiting Bypass |
Jeppe Bonde Weikop |
- |
2FA bypass, Logic flaw |
$500 |
01/30/2020 |
| How I was able to takeover the company’s LinkedIn Page |
Vijaysimha Reddy Bathini (@fatratfatrat) |
- |
Broken Link Hijacking |
$500 |
01/29/2020 |
| How I get my first SWAG from SIDN (Sensitive Data Expose) |
Mehedi Hasan Remon (@mehedi1194) |
SIDN |
Broken access control, Information disclosure |
$0, Swag |
01/29/2020 |
| Vimeo Livestream Bug Bounty WriteUp |
Mohamed Slamat (@oxxy37) |
Livestream |
IDOR, Parameter tampering |
- |
01/29/2020 |
| Hyperlink Injection - Easy Money (sometimes) |
Abhishek Yadav (@abhishake100) |
- |
Hyperlink injection |
$450 |
01/28/2020 |
| Tale of a Misconfiguration in Password Reset |
Naveenroy |
- |
Password reset flaw, Information disclosure |
- |
01/27/2020 |
| Escalating reflected XSS with HTTP Smuggling |
Hazana (@HazanaSec) |
- |
Reflected XSS, HTTP Request Smuggling |
- |
01/27/2020 |
| XSS on Facebook-Instagram CDN Server bypassing signature protection |
Amol Baikar (@AmolBaikar) |
Facebook |
XSS |
- |
01/26/2020 |
| Disclose Facebook Business Account ID |
Amol Baikar (@AmolBaikar) |
Facebook |
Information disclosure |
$1,500 |
01/26/2020 |
| XSS on Facebook’s acquisition Oculus CDN Server |
Amol Baikar (@AmolBaikar) |
Facebook |
XSS |
- |
01/26/2020 |
| Improper Input Validation | Add Custom Text and URLs In SMS send by Snapchat | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
Facebook (Snapshat) |
Parameter tampering |
$1,000 |
01/26/2020 |
| Accidental IDOR that Deleted Admin Account. |
Sayaan Alam (@ehsayaan) |
- |
IDOR |
$325 |
01/25/2020 |
| The unexpected bounty: A story of Zendesk takeover on REDACTED.com |
wis4nggeni |
- |
Subdomain takeover |
- |
01/25/2020 |
| Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover |
Samm0uda (@samm0uda) |
Facebook |
Cross-Site Websocket Hijacking, Account takeover |
$12,500 |
01/23/2020 |
| How I was able to take over any users account with host header injection |
Ajay Gautam (@evilboyajay) |
- |
Host header injection |
$900 |
01/23/2020 |
| CORS Misconfiguration leading to Private Information Disclosure |
Virus0X01 (@Virus0X01) |
- |
CORS misconfiguration |
- |
01/23/2020 |
| A Less Known Attack Vector, Second Order IDOR Attacks |
Ozgur Alp (@ozgur_bbh) |
- |
IDOR |
- |
01/22/2020 |
| Password Reset Token Leak Via Referrer |
Shrey Shah (@ShreySh43332033) |
- |
Password reset flaw, Information disclosure |
- |
01/22/2020 |
| Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic |
Ritish Kumar Singh |
Facebook |
Logic flaw |
$500 |
01/22/2020 |
| User Account Takeover via Signup Feature | Bug Bounty POC |
Muzammil Kayani (@muzammilabbas2) |
- |
Account takeover, Logic flaw, Authorization flaw |
- |
01/22/2020 |
| Google Bug Bounty: CSRF in learndigital.withgoogle.com |
santuySec (@santuySec) |
Google |
CSRF |
$0 (Duplicate) |
01/21/2020 |
| Cross Site Request Forgery vulnerability Leads to User Profile Change in Microsoft Express Logic |
Adesh Nandkishor kolte (@AdeshKolte) |
Microsoft |
CSRF |
- |
01/21/2020 |
| How i bought my way to subdomain takeover on Tokopedia |
wis4nggeni |
Tokopedia |
Subdomain takeover |
- |
01/20/2020 |
| GGvulnz — How I hacked hundreds of companies through Google Groups |
Milan Magyar |
Google |
Logic flaw |
- |
01/20/2020 |
| How I accidentally found Bug in Google Search Console |
Tomi (@noobe_io) |
Google |
Logic flaw, Authorization flaw |
$1,337 |
01/18/2020 |
| Adding a malicious notebook to be treated like a trusted notebook in Google Colab — 1337$ |
Raushan Raj (@raushan_rajj) |
Google |
Authorization flaw, Logic flaw |
$1,337 |
01/17/2020 |
| How I discovered an interesting account takeover flaw? |
Akash Methani (@0xAkash) |
- |
Account takeover, Password reset flaw, Lack of rate limiting |
- |
01/14/2020 |
| No Rate Limit - 2K Bounty |
Shrey Shah (@ShreySh43332033) |
Yahoo |
Lack of rate limiting |
$2,000 |
01/12/2020 |
| How I earn $500 from Razer open S3 bucket |
Sourav Sahana (@kernel_rider) |
Razer |
AWS misconfiguration |
$500 |
01/12/2020 |
| My First RCE (Stressed Employee gets me 2x bounty) |
Abhishek Yadav (@abhishake100) |
- |
RCE, Unrestricted file upload |
$900 |
01/10/2020 |
| Hunting Good Bugs with only <HTML> |
Ak1T4 (@akita_zen) |
- |
Open redirect, HTML injection, SSRF |
- |
01/10/2020 |
| Google Chrome display locking fuzzing |
Pawel Wylecial (@h0wlu) |
Google |
Heap Use-After-Free |
$5,000 |
01/08/2020 |
| The Bug That Exposed Your PayPal Password |
Alex Birsan |
Paypal |
XSSI |
$15,300 |
01/08/2020 |
| Update: Want to take over the Java ecosystem? All you need is a MITM! |
Jonathan Leitschuh (@jlleitschuh) |
Github |
Insecure communications |
$2,300 |
01/08/2020 |
| HTML Injection(Unique Exploitation) |
Pratik Yadav (@PratikY9967) |
- |
HTML injection |
$250 |
01/07/2020 |
| Saying Goodbye to my Favorite 5 Minute P1 |
Allyson O’Malley (@ally_o_malley) |
Microsoft |
Information disclosure |
- |
01/06/2020 |
| How I found a Privilege Escalation Bug in a private Ecommerce? |
Baibhav Anand (@SpongeBhav) |
- |
Privilege escalation |
- |
01/06/2020 |
| XSS on Sony subdomain |
Gökhan Güzelkokar (@gkhck_) |
Sony |
Reflected XSS |
- |
01/06/2020 |
| Account takeover via HTTP Request Smuggling |
hipotermia (@hipotermia) |
- |
HTTP request smuggling, Account takeover, Open redirect, Internal header disclosure |
- |
01/03/2020 |
| Bypass 2FA in a website |
Sourav Sahana (@kernel_rider) |
- |
2FA bypass |
- |
01/01/2020 |
| Bypass Mobile PIN Verification |
Sourav Sahana (@kernel_rider) |
- |
Authentication bypass |
$100 |
01/01/2020 |
