Gratipay: Possible user session hijack by invalid HTTPS certificate on domain

ID H1:241892
Type hackerone
Reporter b3nac
Modified 2017-06-21T14:30:21


Good evening team!

This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through is unencrypted.


And every sub directory under


Since the certificate is only valid through *, the domain is sending a warning message about MITM attacks. This warning is valid because all data is not being HTTPS encrypted.

The warning is also pretty scary to anyone browsing for information on how to contribute.

Browsers Verified In

  • Chrome
  • Firefox


Add a valid certificate on

Stay classy, you guys rock. Nerd emoji.
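The condition the report describes (a certificate issued for one name or wildcard being presented for a host it does not cover, which makes browsers raise the interception warning) can be checked offline. The following is an added example, not part of the report or of Gratipay's code; the certificate name lists in it are constructed and the matching rules follow RFC 6125 as browsers apply them.

```python
"""Offline check: does a server certificate's subjectAltName set cover a hostname?

Added example (not part of the original report). The certificate name lists
used in the tests are constructed for illustration; they are not Gratipay's.
"""
import ipaddress


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname the way browsers do:
    case-insensitive, '*' allowed only as the entire left-most label, and a
    wildcard never spans more than one label (so '*.example.com' does not
    cover 'example.com' or 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial-label wildcards ('f*o.example.com'), bare '*.com',
    # and patterns with more than one wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(san_dns_names, hostname, san_ips=()):
    """Return True if any subjectAltName entry covers hostname.

    An IP-literal hostname is compared only against iPAddress entries;
    a dNSName that happens to look like an IP does not count."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return any(_label_match(name, hostname) for name in san_dns_names)
    return any(ipaddress.ip_address(x) == ip for x in san_ips)


def browser_verdict(san_dns_names, hostname):
    """Summarise what a browser would do for this name/certificate pair."""
    if cert_covers_host(san_dns_names, hostname):
        return "ok"
    return "NAME MISMATCH: browser shows an interception warning"
```

Feed it the dNSName list from the certificate actually served on the affected host (for example from `openssl s_client -showcerts`) together with the hostname users type, and the verdict tells you whether a reissued or additional certificate is needed for that name.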