Malicious code in cosmos-tokens-badoo-mobile (npm)
The package cosmos-tokens-badoo-mobile was found to contain malicious code. ...
MAL-2025-17628 Malicious code in cosmos-tokens-badoo-mobile (npm)
The package cosmos-tokens-badoo-mobile was found to contain malicious code. ...
MAL-2025-4302 Malicious code in badoo-frontend (npm)
Source: ghsa-malware f34bcbd01ca161f63d72e98370e08614774ebfcc25c4b90ac0ec79d6825baff7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in badoo-frontend (npm)
Source: ghsa-malware f34bcbd01ca161f63d72e98370e08614774ebfcc25c4b90ac0ec79d6825baff7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Bumble: Race Condition on "Get free Badoo Premium" which allows to get more days of free premium for Free.
Summary: On Badoo, when a user wants to delete their account, it prompts them with an offer of 3 days of free premium, or the user can proceed to delete the account. When the user chooses the free 3-day premium, they can click "Get free Badoo Premium" and enjoy free premium for three days. Here I found a race condition...
Bumble: SSO through odnoklassniki uses http rather than https
SUMMARY When using single sign-on through odnoklassniki, the user is sent to an HTTP (not HTTPS) URL, allowing an attacker under some conditions to log in to the victim's Badoo account by stealing odnoklassniki credentials, as well as to execute a CSRF attack on the login form. RECOMMENDATION Let...
Bumble: Decryption of all types of encrypted IDs
Hi! I found a bug that allows the site's logic to be bypassed in a very serious way. This vulnerability allows any encrypted ID that identifies a user profile to be decrypted. Several kinds of IDs are generated for each user, for example for display in "Encounters", "Live...
Badoo - Free Chat & Dating App - Base64 encoded String, Exported ContentProvider vulnerabilities
HackApp vulnerability scanner discovered that the application Badoo - Free Chat & Dating App, published on the Play market, has multiple vulnerabilities...
Bumble: Unvalidated redirect on team.badoo.com
Domain affected: https://team.badoo.com/ corp.badoo.com PoC Tested on Firefox: https://team.badoo.com/%0d%0adata:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E F129735 Describe: team.badoo.com may be vulnerable to CRLF injection; when we inject %0d%0a into the URL, the Location header, entire content...
Bumble: Change contents of the careers iframe in https://corp.badoo.com/jobs
Hi again Badoo team. In https://corp.badoo.com/jobs/?p=, if you check the page you'll see an iframe from https://jobs.jobvite.com/badoo/; the p parameter is used to control the iframe link. For example, if you add https://corp.badoo.com/jobs/?p=somepath, the iframe link will be...
Bumble: Badoo and Hotornot User Disclosure
Hi, I have found that an endpoint is leaking the currently logged-in user, which will result in stealing the user ID and unmasking the current user. This behavior could be malicious to ad websites, rogue websites, etc... PoC Code: Badoo Current User Unmasking function UnmaskUserstr return...
Chat for Badoo - Dangerous filesystem permissions, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that the application Chat for Badoo, published on the Play market, has multiple vulnerabilities...
Bumble: Insecure Direct Object Reference on badoo.com
Hi, I want to report an IDOR (Insecure Direct Object Reference) vulnerability to you. IDOR details are here: https://www.owasp.org/index.php/Top102010-A4-InsecureDirectObjectReferences https://www.owasp.org/index.php/TestingforInsecureDirectObjectReferences%28OTG-AUTHZ-004%29 As the pages say: Insecur...
Bumble: Account Takeover
Hello, this is regarding an account takeover via the "import image from Facebook" option. When we import FB photos, a link with a token is generated which is valid for any user, and it can be used to replace the user's linked FB account with the attacker's FB account and then log in via FB to take over the account. Note: I tested...
Bumble: Broken Authentication on Badoo
Please watch the attached video. It contains all necessary steps and a demo of this vulnerability. Please fix this issue as soon as possible; it is highly severe. Looking forward to your reply. Best Regards, Darshit varotaria...
Bumble: crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc.
Description The file crossdomain.xml that is hosted at https://eu1,us1,etc.badoo.com/crossdomain.xml is too permissive in the scope of domains allowed to access the content in the domain using Flash. When you contact Badoo via https://us1.badoo.com/feedback/, you can upload a file. This file can ...
Bumble: Tokens from services like Facebook can be stolen
Description This file https://mus1.badoo.com/cb.html looks for the parameters accesstoken, token and code in the URL and sends the value back to the window.opener using window.opener.postMessagemessage, '';. Because you specified as the value of the second parameter of postMessage, the browser is...
Put Badoo to the test! A month of vulnerability hunting
Quote: Badoo, following its colleagues, the largest representatives of the IT industry such as Google, Facebook and Yandex, is starting to pay for discovered vulnerabilities. We are announcing the contest "Put Badoo to the test!", which starts on March 19 and lasts exactly one month. To participate in the contest...
Badoo.com Cross Site Scripting
Exploit Title: Badoo persistent XSS vulnerability Vendor: www.badoo.com Author: $4d0//r007k17 a.k.a Raghavendra Karthik D Blog: http://shadowrootkit.wordpress.com/ Google Dork: © 20062011...
Badoo Services Limited & XSS Vulnerabilities
Exploit for PHP platform in category web applications. Badoo Services Limited & XSS Vulnerabilities. Product: Badoo Services online community Web: http://eu1.badoo.com/ http://badoo.com/ Versions: All version...