HackerOne’s 100K CTF Writeup
👉 https://hackerone.com/reports/1218708
🔹 Severity: Critical | 💰 100 USD
🔹 Reported To: h1-ctf
🔹 Reported By: #rykkard
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2021, 9:51pm (UTC)
👉 https://hackerone.com/reports/1218708
🔹 Severity: Critical | 💰 100 USD
🔹 Reported To: h1-ctf
🔹 Reported By: #rykkard
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2021, 9:51pm (UTC)
internal path disclosure via error message
👉 https://hackerone.com/reports/1191534
🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #ali-h-hasan
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 9:08am (UTC)
👉 https://hackerone.com/reports/1191534
🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #ali-h-hasan
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 9:08am (UTC)
CSRF + XSS leads to ATO
👉 https://hackerone.com/reports/1081148
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 9:11am (UTC)
👉 https://hackerone.com/reports/1081148
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 9:11am (UTC)
[mcs.mail.ru] Пользователь с ролью наблюдателя может создавать ключи доступа для очереди сообщений (sqs.mcs.mail.ru)
👉 https://hackerone.com/reports/1177451
🔹 Severity: Medium | 💰 15,000 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #mrd0x1
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 12:55pm (UTC)
👉 https://hackerone.com/reports/1177451
🔹 Severity: Medium | 💰 15,000 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #mrd0x1
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 12:55pm (UTC)
[com.icq.mobile.client] Любое стороннее приложение может угнать сессию, а также другие файлы приложения
👉 https://hackerone.com/reports/1029457
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #igorpyan
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 12:55pm (UTC)
👉 https://hackerone.com/reports/1029457
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #igorpyan
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 12:55pm (UTC)
Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress
👉 https://hackerone.com/reports/935503
🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #cabelo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 12:56pm (UTC)
👉 https://hackerone.com/reports/935503
🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #cabelo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 12:56pm (UTC)
Local File Disclosure /Delete On [us-az-vpn.acronis.com]
👉 https://hackerone.com/reports/924407
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #10nf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 2:47pm (UTC)
👉 https://hackerone.com/reports/924407
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #10nf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 2:47pm (UTC)
Reflected XSS on my.acronis.com
👉 https://hackerone.com/reports/1168962
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 4:35pm (UTC)
👉 https://hackerone.com/reports/1168962
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 4:35pm (UTC)
SQL injection on admin.acronis.host development web service
👉 https://hackerone.com/reports/923020
🔹 Severity: High | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #stealthy
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 6:12pm (UTC)
👉 https://hackerone.com/reports/923020
🔹 Severity: High | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #stealthy
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 6:12pm (UTC)
[GO]: CWE-326: Insufficient key size
👉 https://hackerone.com/reports/1212272
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #edvraa
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 10:59pm (UTC)
👉 https://hackerone.com/reports/1212272
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #edvraa
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 10:59pm (UTC)
[Python] CWE-090: LDAP Injection
👉 https://hackerone.com/reports/1212273
🔹 Severity: High | 💰 4,500 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jorgectf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 10:59pm (UTC)
👉 https://hackerone.com/reports/1212273
🔹 Severity: High | 💰 4,500 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jorgectf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 10:59pm (UTC)
[JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass
👉 https://hackerone.com/reports/1212274
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
👉 https://hackerone.com/reports/1212274
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
Python: Add support of clickhouse-driver package
👉 https://hackerone.com/reports/1217143
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #japroc
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
👉 https://hackerone.com/reports/1217143
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #japroc
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
ihsinme:CPP Add query for CWE-415 Double Free
👉 https://hackerone.com/reports/1219491
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
👉 https://hackerone.com/reports/1219491
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
[Java]: CWE-730 Regex injection
👉 https://hackerone.com/reports/1219492
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #edvraa
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
👉 https://hackerone.com/reports/1219492
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #edvraa
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:00pm (UTC)
[Java] CWE-295 - Incorrect Hostname Verification - MitM
👉 https://hackerone.com/reports/1219493
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:01pm (UTC)
👉 https://hackerone.com/reports/1219493
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:01pm (UTC)
ihsinme: CPP Add query for CWE-1126: Declaration of Variable with Unnecessarily Wide Scope
👉 https://hackerone.com/reports/1219494
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:01pm (UTC)
👉 https://hackerone.com/reports/1219494
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:01pm (UTC)
[Java] BeanShell Injection
👉 https://hackerone.com/reports/1241574
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:01pm (UTC)
👉 https://hackerone.com/reports/1241574
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:01pm (UTC)
[Java]: CWE-502 Add UnsafeDeserialization sinks
👉 https://hackerone.com/reports/1241575
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:02pm (UTC)
👉 https://hackerone.com/reports/1241575
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:02pm (UTC)
[GO] CWE-1004: Sensitive cookie without HttpOnly
👉 https://hackerone.com/reports/1241576
🔹 Severity: Low
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:02pm (UTC)
👉 https://hackerone.com/reports/1241576
🔹 Severity: Low
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:02pm (UTC)
[JavaScript]: CWE-1004: Sensitive cookie without HttpOnly
👉 https://hackerone.com/reports/1241577
🔹 Severity: Low
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:02pm (UTC)
👉 https://hackerone.com/reports/1241577
🔹 Severity: Low
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2021, 11:02pm (UTC)