████ api key exposed in github.com/███/███
👉 https://hackerone.com/reports/1454965
🔹 Severity: High
🔹 Reported To: 8x8
🔹 Reported By: #adnanmalikinfo
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:19am (UTC)
👉 https://hackerone.com/reports/1454965
🔹 Severity: High
🔹 Reported To: 8x8
🔹 Reported By: #adnanmalikinfo
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:19am (UTC)
😢2💩1
Claiming the listing of a non-delivery restaurant through OTP manipulation
👉 https://hackerone.com/reports/1330529
🔹 Severity: Critical | 💰 3,250 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 8:51am (UTC)
👉 https://hackerone.com/reports/1330529
🔹 Severity: Critical | 💰 3,250 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 8:51am (UTC)
🔥2🥰1
FULL SSRF
👉 https://hackerone.com/reports/1241149
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 9:09am (UTC)
👉 https://hackerone.com/reports/1241149
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 9:09am (UTC)
🔥1
broken authentication (password reset link not expire after use in https://network.tochka.com/sign-up)
👉 https://hackerone.com/reports/1401891
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #uddeshaya
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 2:28pm (UTC)
👉 https://hackerone.com/reports/1401891
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #uddeshaya
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 2:28pm (UTC)
👍1😁1
IDOR in "external status check" API leaks data about any status check on the instance
👉 https://hackerone.com/reports/1372216
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:48pm (UTC)
👉 https://hackerone.com/reports/1372216
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:48pm (UTC)
Incorrect authorization to the intelbot service leading to ticket information
👉 https://hackerone.com/reports/1328546
🔹 Severity: Critical | 💰 15,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #johnstone
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:09am (UTC)
👉 https://hackerone.com/reports/1328546
🔹 Severity: Critical | 💰 15,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #johnstone
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:09am (UTC)
🔥3
Add upto 10K rupees to a wallet by paying an arbitrary amount
👉 https://hackerone.com/reports/1408782
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:19pm (UTC)
👉 https://hackerone.com/reports/1408782
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:19pm (UTC)
Deliviry Club Courier app (v. 3.9.25.0); Disclosure phone number of client.
👉 https://hackerone.com/reports/1382570
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #388
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 1:01pm (UTC)
👉 https://hackerone.com/reports/1382570
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #388
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 1:01pm (UTC)
Hackerone open redirect security alert bypass via view report as PDF
👉 https://hackerone.com/reports/1386277
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #iamr0000t
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:06pm (UTC)
👉 https://hackerone.com/reports/1386277
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #iamr0000t
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:06pm (UTC)
[Android] Directory traversal leading to stealing auth tokens
👉 https://hackerone.com/reports/1378889
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #danielllewellyn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:07pm (UTC)
👉 https://hackerone.com/reports/1378889
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #danielllewellyn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:07pm (UTC)
[AWC-Pune] - User can download files deleted by Admin using shortcuts
👉 https://hackerone.com/reports/1463028
🔹 Severity: Medium | 💰 550 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #prateek_thakare
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 7:56pm (UTC)
👉 https://hackerone.com/reports/1463028
🔹 Severity: Medium | 💰 550 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #prateek_thakare
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 7:56pm (UTC)
Bypass Email Verification in Customer Portal
👉 https://hackerone.com/reports/1443211
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #odx09
🔹 State: 🟢 Resolved
🔹 Disclosed: February 26, 2022, 8:20am (UTC)
👉 https://hackerone.com/reports/1443211
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #odx09
🔹 State: 🟢 Resolved
🔹 Disclosed: February 26, 2022, 8:20am (UTC)
Session Fixation on Acronis
👉 https://hackerone.com/reports/1486341
🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #hatnare
🔹 State: 🔴 N/A
🔹 Disclosed: March 1, 2022, 9:09am (UTC)
👉 https://hackerone.com/reports/1486341
🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #hatnare
🔹 State: 🔴 N/A
🔹 Disclosed: March 1, 2022, 9:09am (UTC)
Reflected XSS on www.pornhub.com and www.pornhubpremium.com
👉 https://hackerone.com/reports/1354161
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Pornhub
🔹 Reported By: #wh0ru
🔹 State: 🟢 Resolved
🔹 Disclosed: March 2, 2022, 12:30pm (UTC)
👉 https://hackerone.com/reports/1354161
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Pornhub
🔹 Reported By: #wh0ru
🔹 State: 🟢 Resolved
🔹 Disclosed: March 2, 2022, 12:30pm (UTC)
Open Redirect TO Stealing aadvid
👉 https://hackerone.com/reports/1378533
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: March 2, 2022, 9:13pm (UTC)
👉 https://hackerone.com/reports/1378533
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: March 2, 2022, 9:13pm (UTC)
IDOR delete any Tickets on ads.tiktok.com
👉 https://hackerone.com/reports/1475520
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: March 2, 2022, 9:15pm (UTC)
👉 https://hackerone.com/reports/1475520
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: March 2, 2022, 9:15pm (UTC)
👍1
stand.pw.mail.ru xss
👉 https://hackerone.com/reports/1400197
🔹 Severity: Low
🔹 Reported To: Mail.ru
🔹 Reported By: #smallyu
🔹 State: 🟢 Resolved
🔹 Disclosed: March 3, 2022, 2:47am (UTC)
👉 https://hackerone.com/reports/1400197
🔹 Severity: Low
🔹 Reported To: Mail.ru
🔹 Reported By: #smallyu
🔹 State: 🟢 Resolved
🔹 Disclosed: March 3, 2022, 2:47am (UTC)
Subdomain Takeover at https://new.rubyonrails.org/
👉 https://hackerone.com/reports/1429148
🔹 Severity: High
🔹 Reported To: Ruby on Rails
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: March 3, 2022, 9:12pm (UTC)
👉 https://hackerone.com/reports/1429148
🔹 Severity: High
🔹 Reported To: Ruby on Rails
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: March 3, 2022, 9:12pm (UTC)
Uber Test Report 20220301
👉 https://hackerone.com/reports/1496297
🔹 Severity: Medium
🔹 Reported To: Uber
🔹 Reported By: #johnzilla313
🔹 State: 🟢 Resolved
🔹 Disclosed: March 3, 2022, 9:13pm (UTC)
👉 https://hackerone.com/reports/1496297
🔹 Severity: Medium
🔹 Reported To: Uber
🔹 Reported By: #johnzilla313
🔹 State: 🟢 Resolved
🔹 Disclosed: March 3, 2022, 9:13pm (UTC)