Instacart: Seemingly sensitive information at /api/v2/zones
Overview == https://www.instacart.com/api/v2/zones is accessible by a regular Instacart user and seems to return sensitive information such as names, emails, phone numbers, money amounts and dates. GET /api/v2/zones "meta": "code": 200 , "data": "zones": ... "id": 73, "name": "████", "created_at":...
Shopify: (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io'
Hello, I found a website of yours that is pointing to: shardm-reader.chi2.shopify.io'. This domain discloses the full path because there is no MySQL server host. POC: https://104.196.154.1/ The response is a whole page with path disclosures: lib/patches/mysqlmonitoring.rb:19:in connect'...
Ian Dunn: Brute force on wp-login
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works...
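As an added example (not part of the listing or of the report above), the following Python script flags brute-force attempts against wp-login.php from web-server access logs in the common "combined" format. The log lines are constructed for the example, and the status-code heuristic (a failed POST re-renders the form with 200, a successful one redirects to wp-admin with 302) is an assumption about WordPress's default behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (combined log format); not taken from the original page.
# 203.0.113.7 hammers the form and then succeeds; 198.51.100.4 is a user who mistyped
# twice; 192.0.2.9 fails often but too slowly to trip a 60-second window.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2023:13:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:52:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:54:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed wp-login.php POSTs inside a sliding window.

    Assumption (WordPress default): failed login -> 200 (form re-rendered), success -> 302.
    Lines are expected in chronological order. Returns {ip: {"failures": n,
    "success_after_flag": bool}}; the second field marks a likely compromised account.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    total = defaultdict(int)      # ip -> all failures seen so far
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        ip = ev["ip"]
        if ev["status"] == 302:
            if ip in flagged:
                flagged[ip]["success_after_flag"] = True
            continue
        if ev["status"] != 200:
            continue
        total[ip] += 1
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, {"failures": 0, "success_after_flag": False})
            flagged[ip]["failures"] = total[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed logins, "
              f"success after flag: {info['success_after_flag']}")
```

The sliding window is what separates a credential-stuffing run from a forgetful user: both produce 200s, only the attacker produces them faster than a person types. Feed it `tail -f`-style lines and page on `success_after_flag`, since a 302 right after a flagged burst is the signal that a guess worked.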
Coinbase: Application error message
PoC URL: https://developers.coinbase.com/api/%e3h This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception. This may be a false positive if the error message is found in...
Internet Bug Bounty: Adobe Flash Player ShimContentResolver(resolverType=0) class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.resolve. ------------------------------------------------------------------ II. Description Normally, resolve should validate its parameter with...
Vimeo: CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Hello Vimeo Security Team. There is a CSRF vulnerability on Vimeo.com. With this vulnerability, an attacker can make all the victim's vimeo videos go public just by having the victim open a link to the attacker webpage. He can also get the victim's vimeo name, user id, user account type and perfo...
Zendesk: XSS In /zuora/ functionality
Hello there, I wanted to report a XSS vulnerability in the /zuora/ functionality on the zendesk application. Affected URL: -...
Coinbase: Email leak in transcations in Android app
When a user received bitcoin from another Coinbase user, it was possible for the recipient to see the sender's email address in the transactions list in the Android app, despite the fact that users are told their emails would not be shown to other users. test...
Uber: Uber password reset link EMAIL FLOOD
Steps to reproduce Uber password reset link EMAIL FLOOD. POC Video: https://youtu.be/PPJkOEo6Mw 1. Used OWASP ZAP Proxy 2. Generated the forgotten-password link for my account [email protected] 3. Used ZAP to replay the packet 4. The number of replays results in the same number of password-link emails...
Uber: text injection in get.uber.com/check-otp
Text injection (no HTML or JS) in a landing page on get.uber.com...
Internet Bug Bounty: Adobe Flash Player Uninitialised Memory Corruption
Description --------------- An uninitialised memory corruption exists in Adobe Flash Player SA for Mac, tested in v20.0.0.228 SA version; successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Environment --------------- 1. Mac OSX 10.11.2...
Internet Bug Bounty: Adobe Flash Player ASnative(900,1).call(MovieClip) Use-After-Free Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. ------------------------------------------------------------------ II. Description If ASnative(900,1) is invoked with a MovieClip instance and getter properties associated with swfRoot where the getter method...
VK.com: vk.com/login.php
After completing 3 very simple steps, you will run into the server refusing to do anything. Step 1: Go to vk.com/login.php Step 2: Enter in the "login" field the characters 00 or 000 or 0000, and so on up to 17 zeros; specify any password. Step 3: Press login and the server will be very unhappy. Thank you, and fix your...
withinsecurity: Content Spoofing OR Text Injection in https://withinsecurity.com
Hi, I just found a Content Spoofing OR Text-based injection vulnerability on the https://withinsecurity.com site that I would like to get fixed. Below are the POC and steps to reproduce the issue. 1 Go to https://withinsecurity.com 2 Then just change the above URL like this...
Ruby on Rails: Validation bypass for Active Record and Active Model
Possible Input Validation Circumvention in Active Model There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. Versions Affected: 4.1.0 and newer Not affected: 4.0.13 and older Fixed Versions:...
HackerOne: Know whether private program for company exist or not
Hi, there are some companies hosting private bug bounty programs on HackerOne which are not visible unless they invite you. However, you can check whether a company is hosting a private program on HackerOne if you can guess the username they use. Generally, most companies choose the same name as their company...
Shopify: Open redirect using theme install
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. Vulnerable Endpoint -...
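As an added example that is not part of the listing or of the Shopify report, the Python below shows the validation an open-redirect fix needs: a redirect parameter is accepted only when it is a same-site path or an absolute URL whose host is on an allow list. The allow-listed hosts are hypothetical, and the function also handles the usual bypass shapes (network-path `//host`, userinfo `good@evil`, look-alike subdomains, backslashes, and non-HTTP schemes).

```python
from urllib.parse import urlsplit

# Hypothetical allow list for the example; not hosts from the original report.
ALLOWED_HOSTS = {"example.com", "shop.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, require_https=True):
    """True only if `target` is a same-site path or an absolute URL on an allow-listed host.

    Rejects: empty values, embedded whitespace/NUL, network-path references ("//evil.com"),
    backslash tricks ("/\\evil.com", which browsers turn into "//evil.com"), userinfo
    smuggling ("https://example.com@evil.com"), look-alike hosts ("example.com.evil.com"),
    and non-HTTP schemes ("javascript:", "data:").
    """
    if not target or any(c in target for c in " \t\r\n\x00"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash, no backslashes.
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    if parts.scheme not in ("http", "https"):
        return False
    if require_https and parts.scheme != "https":
        return False
    if "\\" in parts.netloc:
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    return host is not None and host in allowed_hosts


def redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `target` when it passes validation, otherwise a fixed same-site fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    for candidate in ("/dashboard", "//evil.com/", "https://example.com@evil.com/",
                      "https://shop.example.com/admin/themes", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {redirect_target(candidate)!r}")
```

Matching on `parts.hostname` rather than a `startswith` check on the raw string is the core of the fix: the string `https://example.com@evil.com/` starts with the trusted host but is parsed by browsers as a request to `evil.com`, and `//evil.com` has no scheme at all yet still leaves the site.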
Algolia: an xss issue
I found an XSS issue here: https://www.algolia.com/explorer?index=test&tab=ranking. I tried to put an XSS payload " in the index ranking, so I put the XSS payload in the Ranking formula and hit save. When it is saved, the XSS payload is stored, and the XSS payload then executes on Indices. p.s. pleas...
Whisper: SMS Invite Form Abuse
whisper.sh fails to protect the invite form from abuse by attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number, or a range of phone numbers, that do not actually belong to them. This would result in lots of...
Mail.ru: help2.m.smailru.net: XSS
GET /login/index.php/article/articleview/ALERT"alert1 HTTP/1.1 Host: help2.m.smailru.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language:...
VK.com: XSS on added name album on videos.
Hi. Steps to reproduce: First go to https://vk.com/video. Next, click on Add a Video. After adding a video from YouTube, insert TEST XSS in the title field and click save. Next, go to https://vk.com/video again and you will see the video with the name TEST XSS. Click on TEST XSS and you will fo...
Internet Bug Bounty: PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
https://bugs.php.net/bug.php?id=69617 Description: ------------ The PHP unserialize function is considered unsafe due to its behavior regarding class instantiation; in cases where serialized data is attacker controlled, it can be tampered with, allowing for the instantiation of arbitrary PHP...
Enter: Email Enumeration (POC)
Hi, I am opening the ticket again, now that I have a PoC to show you. First, here is the issue again: 1. Log in to the Robocoin account and go to settings 2. Choose change my email 3. Enter your password 4. Enter any email you want to check 5. If the email isn't registered, a message appears saying the email is changed 6. If it...
HackerOne: Insecure Direct Object Reference vulnerability
In the program portal, there is an option to add external people as participants in a bug report. The admin can then remove this person as well if needed. The request for removing an external reporter looks like: DELETE /reports//externalusers/ HTTP/1.1 Host: hackerone.com User-Agent:...
X (Formerly Twitter): Flaw in login with twitter to steal Oauth tokens
Hey hi, Steps to reproduce: ============================================= I have been testing the Twitter Kit in Fabric. I added the login-with-Twitter integration to my application. I pushed the application to my Android phone, clicked login with Twitter, and entered my username and password. Searched ...
Coinbase: Credit Card Validation Issue
Hi Coinbase, I'm not sure if this counts as a bug, but it definitely counts as a vulnerability. The issue is in your credit card verification for instant purchases. The system does not, or only rarely, checks the validity of a credit card after it is added. This allows me to make instant buy purchases,...
Faceless: Tap Jacking Attack on Button Tags
UI redressing: a tapjacking attack may trick users into tapping a specifically crafted malicious app popup window, e.g. a toast view, making it a gateway for varied threats such as framing attacks. Using this technique, a malicious app could potentially trick a user into making purchases, clicking on...
Slack: Stored XSS in Slackbot Direct Messages
Whenever a new team is created, Slackbot uses automated profile completion by asking the user a few questions, like first name, last name, Skype account, etc. But if, instead of the correct details, we provide a payload as input, then Slackbot will place the data inside the anchor tag ... so...
HackerOne: Control Characters Not Stripped From Username on Signup
Hey, To be honest, I'm not sure if there is any real security implications of this bug, but it's IMO something which should be fixed at some point since it'll be pretty easy. On signup, the username you chose has to be alphanumeric. If you submit someone else's username, followed by a null-byte...
Yahoo!: Yahoo mail login page bruteforce protection bypass
Thank you for your submission to Yahoo's Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...
curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization
Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences ../ and ./ from URLs according to RFC 3986. However, the function only recognizes literal forward slashes / when identifying path segments and does not handle URL-encoded slashes %2f or %2F. Thi...
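As an added example (not curl's code, and not from the report above), the Python below reproduces the class of bug the summary describes: a dot-segment remover that splits only on literal `/` leaves `..%2f` and `%2e%2e` untouched, so a guard that runs on the normalized text passes, and the layer that later percent-decodes the path hands the operating system a real `../`. The document root, the guard and the file-layer behaviour are assumptions made for the example; `remove_dot_segments` follows the RFC 3986 algorithm in dropping `..` that would climb above the root.

```python
import posixpath
import re
from urllib.parse import unquote


def remove_dot_segments(path):
    """RFC 3986-style dot-segment removal over segments delimited by a literal '/'.

    Excess '..' at the root is dropped and empty segments are collapsed.
    """
    absolute = path.startswith("/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    joined = "/".join(out)
    return "/" + joined if absolute else joined


def naive_dedotdotify(path):
    """The weak behaviour: only a literal '/' delimits segments, so '..%2f..%2fetc' is one segment."""
    return remove_dot_segments(path)


def hardened_dedotdotify(path):
    """Decode %2F/%2f and %2E/%2e before segmenting, so encoded separators cannot hide '..'."""
    decoded = re.sub(r"%2[fF]", "/", path)
    decoded = re.sub(r"%2[eE]", ".", decoded)
    return remove_dot_segments(decoded)


ROOT = "/var/www/files"  # hypothetical document root for the example


def resolve_under_root(root, user_path, normalizer):
    """Return the OS path that would finally be opened, or None if the guard rejects it.

    The guard looks for '..' segments in the *normalized* text (assumed server behaviour).
    The file layer then percent-decodes and the OS resolves whatever '..' survived,
    which is exactly the gap the naive normalizer leaves open.
    """
    normalized = normalizer(user_path)
    if ".." in normalized.split("/"):
        return None
    candidate = root.rstrip("/") + "/" + normalized.lstrip("/")
    return posixpath.normpath(unquote(candidate))


if __name__ == "__main__":
    # Constructed inputs for the example.
    for user_path in ("docs/readme.txt",
                      "docs/../../../../etc/passwd",
                      "docs/..%2f..%2f..%2f..%2fetc/passwd",
                      "docs/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{user_path:45} naive -> {resolve_under_root(ROOT, user_path, naive_dedotdotify)}")
        print(f"{'':45} hardened -> {resolve_under_root(ROOT, user_path, hardened_dedotdotify)}")
```

The ordering is the whole lesson: normalize after decoding, never before, because any decode step that runs later re-creates the separators the normalizer was supposed to see. The hardened variant folds excess `..` away as RFC 3986 prescribes; a stricter deployment can instead refuse any input whose decoded form reaches the root.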
AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...
Cosmos: Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse
A heap-buffer-overread vulnerability was discovered in the contains_whitespace function when calling parser_validate after supplying a maliciously crafted buffer to parser_parse. The vulnerability was not exploitable in the primary use case of the library, but a length check was added to prevent thi...
HackerOne: [ Spot Check ] Team members can edit a user's write-up
Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...
Liberapay: Unsafe yaml load can lead to remote code execution
The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████
The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...
U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx
A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...
Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage
Summary: In this case the server log is available to anyone at /server-status. Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow the attack scenarios. Attack Scenarios: Serg.io 1. A user goes to the server and enters sensitive info that can be logged, for example: http://host/login?privatekey=...
Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Summary: This report is similar to 1337178 In Nextcloud Deck a user can post their decks in to a conversation via nextcloud talk. The link in metaData can be manipulated to point to a another URL. Steps To Reproduce: 0. Setup burpsuite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...
Rockstar Games: Cache Poisoning DoS on updates.rockstargames.com
In this report, the researcher discovered that there was a cache poisoning weakness on updates.rockstargames.com due to an unkeyed header, trailer. By sending this header, an attacker could cause the cache to save a malformed response with status code 400. An example of such a request, as provide...
Zenly: Google Maps API key stored as plain text leading to DOS and financial damage
The researcher highlighted the fact that the Google Maps API key which is by design easily retrievable from the .apk was missing some restrictions. It then could be used by anyone to query the Google Static Map API, and possibly lead to financial damage. Resolved by enforcing missing restrictions...
h1-ctf: Writeup Hackyholiday CTF
Hi there, Find my writeup attached: F1128138 Thanks adam for making the CTF, Really PAIN for my head! Impact Hackerone Hoodie ? ...
Stripo Inc: No rate limit in email subscription
I managed to bypass the following report 1029723 please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots PoC Steps: 1. Go to https://stripo.email/ a...
Informatica: Improper Sanitization leads to XSS Fire on admin panel
Summary Because the HTML is not sanitized when taking the input on https://accounts.informatica.com/registration.html, the input is vulnerable to XSS. When a payload such as " is put into the form under company, it triggers a blind XSS. When the payload successfully loads, it dumps information...
TikTok: Bypass "Industry Documents" Validation
The researcher found that the attacker can bypass the review process and mark the document as "approved" when a user adds Industry Documents. The attacker will bypass only the qualification status at frontend, the form status is still under review, and it will be reviewed by an employee...
RBKmoney: Apple Pay cryptogram replay and amount tampering
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...
Mail.ru: Exposed Tarantool admin panel
A testing installation of the internal Tarantool admin interface, without actual user data, was available from the external network...
h1-ctf: [H1-2006 2020] 36 hours of brain cycles utilized on solving a neat puzzle
Here we go: F852423 Recon: The given scope is: *.bountypay.h1ctf.com Found subdomains: bountypay.h1ctf.com api.bountypay.h1ctf.com app.bountypay.h1ctf.com software.bountypay.h1ctf.com staff.bountypay.h1ctf.com www.bountypay.h1ctf.com Relevant GitHub repository:...
h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...
Nord Security: Past payments using the Direct Debit method keep subscriptions active even if payments fail
I think this is a vulnerability that has no impact, but it violates... I found many accounts that are actively subscribed even though the payment failed. This is because the payment uses the Direct Debit method, and you have deleted it. Because Direct Debit payments have been deleted and no longer wo...