Bugpoint – Telegram
Bugpoint
1.06K subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Attacker Can Access any Support Ticket on https://www.devicelock.com/support/

👉 https://hackerone.com/reports/1124974

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 9:10am (UTC)
Subdomain takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com

👉 https://hackerone.com/reports/1018790

🔹 Severity: High
🔹 Reported To: Acronis
🔹 Reported By: #ashmek
🔹 State: 🔴 N/A
🔹 Disclosed: February 8, 2022, 9:12am (UTC)
Stored Cross-site Scripting on devicelock.com/forum/

👉 https://hackerone.com/reports/1122513

🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 10:49am (UTC)
Cross-site Scripting (XSS) - Stored | forum.acronis.com

👉 https://hackerone.com/reports/1161241

🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #quadrant
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 1:52pm (UTC)
Reflected XSS on ads.tiktok.com using the `from` parameter

👉 https://hackerone.com/reports/1452375

🔹 Severity: High | 💰 6,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 1:12am (UTC)
Race condition in User comments Likes

👉 https://hackerone.com/reports/1409913

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Zomato
🔹 Reported By: #0xdexter
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 9:42am (UTC)
staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission

👉 https://hackerone.com/reports/1102652

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:58pm (UTC)
staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission

👉 https://hackerone.com/reports/1102660

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:59pm (UTC)
Is the Google Bucket Meant To Be Publicly Listable? https://cdn.shopify.com/shop-assets/

👉 https://hackerone.com/reports/1102546

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:59pm (UTC)
Node.js Certificate Verification Bypass via String Injection

👉 https://hackerone.com/reports/1429694

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #bengl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 1:26am (UTC)
Installing Gitlab runner with Docker-In-Docker allows root access

👉 https://hackerone.com/reports/1417211

🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: GitLab
🔹 Reported By: #jafarakhondali
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 9:13am (UTC)
Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances

👉 https://hackerone.com/reports/970869

🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #iwis
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 2:46pm (UTC)
Critically Sensitive Spring Boot Endpoints Exposed

👉 https://hackerone.com/reports/1022048

🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Semrush
🔹 Reported By: #a_d_a_m
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 4:10pm (UTC)
Orders full read for a staff with only `Customers` permissions.

👉 https://hackerone.com/reports/1392032

🔹 Severity: Low | 💰 800 USD
🔹 Reported To: Shopify
🔹 Reported By: #scaramouche31
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:34pm (UTC)
Password reset token leak via "Host header" on third-party website

👉 https://hackerone.com/reports/1092831

🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:41pm (UTC)
Bypass for #997350: your-store.myshopify.com preview link leaks on third-party website via Online Store

👉 https://hackerone.com/reports/1015283

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:42pm (UTC)
[h1-2102] Information disclosure - ShopifyPlus add user displays existing Shopify ID fullname

👉 https://hackerone.com/reports/1083922

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #francisbeaudoin
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:45pm (UTC)
Information Exposure Through Directory Listing vulnerability

👉 https://hackerone.com/reports/1476709

🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #technorat
🔹 State: ⚪️ Informative
🔹 Disclosed: February 11, 2022, 8:05am (UTC)
Able to detect whether a user is a FetLife supporter via the fetlife.com/conversations/{id} JSON response, even when that user hides their support badge

👉 https://hackerone.com/reports/1423704

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: FetLife
🔹 Reported By: #trieulieuf9
🔹 State: 🟢 Resolved
🔹 Disclosed: February 11, 2022, 11:43am (UTC)
Discoverability by phone number/email restriction bypass

👉 https://hackerone.com/reports/1439026

🔹 Severity: High | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #zhirinovskiy
🔹 State: 🟢 Resolved
🔹 Disclosed: February 11, 2022, 5:00pm (UTC)
Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data

👉 https://hackerone.com/reports/1369674

🔹 Severity: Critical | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #iambouali
🔹 State: 🟢 Resolved
🔹 Disclosed: February 12, 2022, 6:32am (UTC)