Mail.ru: [my.games, lootdog.io] XSS via MCS Bucket
The proxy pass for a path on the my.games and lootdog.io domains was misconfigured to point at the root of a public S3 storage bucket, allowing static content to be placed under the domain path and leading to a possible XSS...
Mail.ru: Brute-forcing the SMS confirmation code for changing the phone number in a LootDog account.
The SMS code for a phone number change on lootdog.io was not sufficiently protected against brute force...
Mail.ru: Blindly Replace User's Session with Attacker's Session
Login CSRF via OAuth code in lootdog.io...
Mail.ru: SSL cookie without secure flag set
Based on this report, a decision was made to add the Secure flag to the session cookie and an HSTS header for lootdog.io. Usually, HTTPS/SSL configuration reports are only accepted for the Main Scope; this report was accepted/awarded as an exception...
Mail.ru: Make user buy items via clickjacking possibility
A clickjacking attack could allow an attacker to force a user to buy an item on lootdog.io...
Mail.ru: [lootdog.io] User phone number disclosure
A user's phone number could be self-disclosed on lootdog.io...
Mail.ru: lootdog.io XSS
An open redirect can be observed at this link: 1. https://lootdog.io/register?next=http://mail.ru?https%3A%2F%2Flootdog.io%2F Fill in this form, confirm the number: F290679 We are redirected to http://mail.ru Impact: open redirect...
Mail.ru: CSRF on item purchase https://lootdog.io/
CSRF vulnerability for the item buy action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...
Mail.ru: CSRF on listing an item for sale
CSRF in lootdog.io allowed an item to be put up for sale. This led to listing an item at any price, e.g. 1 ruble, with the ability to buy it out afterwards from another account...
Mail.ru: CSRF on lootdog.io
CSRF vulnerability for the phone/email change action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...