Chaturbate: Stored XSS on chaturbate.com (wish list)
Hi, I found a stored XSS on chaturbate.com Description The input wishlist in the bio of a user allows him/her to enter CSS properties, however some browsers like Opera or Internet Explorer are vulnerable to XSS through the attribute style. request http POST /accounts/editbio/ HTTP/1.1 Host:...
Mail.ru: Apache server-info enabled
Apache server-info was available on cn-stat.ext.terrhq.ru host...
Shopify: Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com
Good day, I truly hope it treats you great on your side of the screen : I have found that your website tim-exclusive.shopify.com is pointed via a cname to an unclaimed Heroku Instance This was not registered on Heroku. I was able to take over the domain: See my POC Pug of Concept...
Internet Bug Bounty: Integer overflow leading to buffer overflow
There exists an integer overflow in Perl_my_setenv @ util.c : 2070 2070: void Perl_my_setenv(pTHX_ const char *nam, const char *val) ... 2166: const int nlen = strlen(nam); ... 2171: vlen = strlen(val); 2172: new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char)); Here in a 64 bit version of Perl, since the...
PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink
A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...
Mail.ru: ******.*****.my.com open proxy
A proxy host in my.com domain related to partner service located in external network was misconfigured as an open proxy...
Zendesk: CSRF on developer.zendesk.com via Cache Deception
October 2018 - It was found under certain circumstances when arbitrary files were requested the response would be cached leading to leakage of a CSRF token. The scope of this was limited to developer.zendesk.com. We appreciate the great submission and work from @imran1121!...
Chaturbate: Passive stored XSS at broadcast room
The hacker found that specially crafted app names could insert a small amount of data into an A tag's href in the "Broadcaster is running these apps: " chat text. Because of the character limit this required multiple successive clicks on different app names, and in the example utilised the room...
Rockstar Games: Found CSRF Vulnerability in https://support.rockstargames.com/
In this report, the researcher found a CSRF vulnerability that potentially allowed an attacker to spam false support requests. This issue was resolved in a site update...
Shopify: H1514 Wholesale customer without checkout permission can complete purchases
Summary: By default, Shopify Wholesale customers are prevented from immediately checking out: F360280 Instead, a store admin must approve each order before the customer can pay. This restriction can be bypassed, allowing a customer to check out orders without prior approval. This also bypasses an...
Shopify: H1514 Server Side Template Injection in Return Magic email templates?
Summary: Possible template injection in Return Magic email templates. Description: I've been playing with Return Magic workflow email templates and there seems to be some kind of template injection, but I am not sure if it's exploitable or even valid. Here is why I think it could be vulnerable: I...
Shopify: H1514 Extract information about other sites (new sites) through Affiliate/Referral pages
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: This bug is based on a really...
Shopify: H1514 Bypass Wholesale account signup restrictions
Summary: By default, account registration is disabled on Shopify Wholesale, requiring customers to be manually invited: Wholesale account signup is disabled. Customers need to be manually invited from the Customers page. This can be bypassed due to improper access controls in the invitation...
Shopify: H1514 Ability to MiTM Shopify PoS Session to Takeover Communications
Hi @iv-rodriguez, After a decent amount more digging and research, I must disagree with you on the "expecting to work offline" portion. The code actually specifically listens on all local interfaces 0.0.0.0 and the wifi network address is specifically used in the QR code connection string, as sho...
Shopify: H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage
Summary: There exists a stored XSS vulnerability via the Wholesale sales channel at https://wholesale.shopifyapps.com. This allows an attacker who shares one shop with an account owner to access the Wholesale sales channel of any shop belonging to the owner. Steps To Reproduce: 1. Visit...
Shopify: H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret
Hi team, The Shopify API ruby SDK has the ability for the developer to interact with their shop's REST API. When setting up the gem, a code structure similar to the one below may be used to set up the connection: ruby require 'shopify_api' class SomeController ' session =...
Shopify: H1514 Get access to non public information by pivoting with graphql queries
Hi security team, Summary: It is possible to pivot with queries to get access to information you shouldn't have access to according to docs located at https://help.shopify.com/en/api/graphql-admin-api/reference/queryroot Description: I will try to write up all the ones I can find related to...
Tor: Email Spoofing Possible on torproject.org Email Domain
Summary: Due to a missing SPF and DMARC record it is possible to spoof emails from torproject.org. This could potentially be used to trick employees or users via phishing emails. Description: Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows what servers are...
Starbucks: Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy
Summary: I found the following URL, which appears to be running a Sidekiq web UI instance that is accessible unauthenticated: https://gift-test.starbucks.co.jp/sidekiq/busy Description: Sidekiq is used for Ruby background processing, as I've learned; I'm not really familiar with it. The web UI ca...
Starbucks: China - president-starbucks.com.cn DNS configuration reported as takeover
k3mlol discovered that president-starbucks.com.cn was displaying Chinese gambling content, reporting it as a takeover. It was ultimately determined to be a released resource, no longer owned by Starbucks. This report was awarded a bounty in error; future reports against this domain would not...
Shopify: H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps
Description: The /:id/sandbox/google_maps and /:id/sandbox/google_autocomplete routes on checkout.shopify.com are used to render the Google Map on the "Order Status" page as well as the address prediction on checkout pages. The page performs origin validation on incoming postMessages making sure th...
Shopify: H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store
Hello, It was observed that it is possible to edit packaging slip templates and then view the product and shipping information in the packaging slip by a low privileged staff in a sandbox store by simply navigating to the URL https://.myshopify.com/admin/settings/packingsliptemplate. It appears...
Shopify: H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com
Hi team! I'm reporting a Session Fixation issue on multiple Shopify-built apps hosted on *.shopifycloud.com and *.shopifyapps.com. Normally Session Fixation is boring, but I discovered a way to simply use by-design XSS to authenticate as a user on those affected apps. Details As the policy pointed...
U.S. Dept Of Defense: Unencrypted __VIEWSTATE parameter in a DoD website
Hi there, I realised that the information passed to the server in the subdomain http://████████ can be seen without any encryption through the __VIEWSTATE parameter. To reduce the chance of someone intercepting the information, the parameter should be encrypted due to the sensitivity of the information...
HackerOne: Improper UUID validation results in bypass of #419896
This was found while evaluating the vulnerability and patch identified in 419896. I determined the deployed patch to be effective. However, I noticed tracer values could be sent which didn't conform to the UUID specification as characters outside of the a-f and 0-9 ranges could be used. For...
Discourse: Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account
Hi, There is an option in https://try.discourse.org/u/testh1ay/preferences/account to connect our Yahoo account. I noticed the Connect Yahoo account option has a workflow using the GET method and there is a lack of CSRF protection on connecting a Yahoo account, which can help an attacker induce a victim to...
Shopify: H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products
Hi, Background kitcrm.com allows the administrator to upload priority product images located at: https://kitcrm.com/seller/onboarding/1 F359446 F359447 These images are not checked to see if they are real JPG/PNG/GIF files. When uploading an ImageTragick issue found by Tavis Ormandy using the following...
Shopify: Reflected XSS on $Any$.myshopify.com/admin
Description: Hi, I have found a reflected cross site scripting vulnerability in .myshopify.com/admin through the returnurl parameter. Steps to reproduce: 1-Go to https://.myshopify.com/admin/authenticate?returnurl=javascript:alert100// 2-Click on reload this page 3-XSS alert message Impact XSS atta...
Chaturbate: Update Chat Allowed By Option ( without age verification )
Summary Hi Team, I am here again with one interesting issue. This issue deals with the fact that, according to the policies of Chaturbate, a broadcaster cannot modify the option - Chat Allowed By - until and unless he/she has verified his/her age; the default choice is set to all. This thing could be...
Alliance of American Football : attacker can book unlimited tickets in free at https://aaf.com/checkout/order-received/21237/?key=wc_order_5bbef48fa35b2
Dear Team, Summary: After looking into https://aaf.com/ I found that there is a way to book a ticket and play around, but it asked for a valid credit card and all that stuff, so I tried to bypass it and bought a ticket 23 with 0$ Live PoC:...
Shopify: H1514 Simple phishing using auto-created modal with weak URL-pattern check in incontext_app_link
Hi, This is unrelated to the Twine-template issue reported earlier, as this would still be an issue if the template escape were fixed. Background The incontext_app_link is checked server-side to verify it is a correct shopifycloud.com URL. The problem however is that userdata inside the URL is allowed. ...
Shopify: H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing
Hi Team! I'm reporting a rather unusual DOMXSS that allows an attacker to perform a XSS attack on any Shopify apps that use the Embedded SDK. To exploit this, several techniques were chained together: Cookie Stuffing - Login CSRF - Not Open Redirect - DOMXSS. Details Inspired by 381192, I decided...
Shopify: H1514 [*.(my)shopify.com] - Viewing Password Protected Content
Hi guys! When administering a shop, the owner has the ability to preview his shop with various themes. When previewing, a unique link is generated, which the owner can share with various people without any authentication. The generation of that unique link does not require authentication, which...
Shopify: H1514 Deanonymizing Exchange Marketplace private listings
Summary: Exchange Marketplace allows shop owners to sell their business in an easy way. When placing the shop in the listings, the owner has the option to place their store as a private listing - where only stats will be displayed, and no information about the actual shop, domain name or shop owne...
Infogram: possibility to create account without username
Hi, infogram.com doesn't allow us to go to the next step until we give a name for our account, but I bypassed that. I am able to create an account without any name, just by modifying the response field. Steps: 1. Create a new account, until you reach the page where you have to give your name. 2. Give a name and intercept th...
Shopify: H1514 Stored XSS in Return Magic App portal content
Summary: Stored XSS vulnerability was found in return magic app portal content which executes in the application domain in https://services.alveo.io/dashboard-shopify/settings/portal/content Description: It's been found that Return Magic app allows users to add HTML content to their return portal...
QIWI: Possibility of registering on qiwi.com with any phone number
Summary When registering on the qiwi.com site, the same confirmation code is sent in the SMS every time. Impact It is possible to register as any new user by brute-forcing the code from the SMS...
shopify-scripts: Crash in mrb_ary_push
PoC === The following demonstrates a crash: def methodmissing end .00 %= begin0=0 00end Debug info ========== The crash happens in mrb_ary_push: 495│ mrb_ary_push(mrb_state *mrb, mrb_value ary, mrb_value elem) 496│ { 497│ struct RArray *a = mrb_ary_ptr(ary); 498├─ mrb_int len = ARY_LEN(a); (gdb) p a $1 = (struct RArray...
HackerOne: Unauthenticated user can upload an attachment to the last updated report draft
The newly launched beta embedded submissions form introduced the concept of anonymous submissions. When an anonymous user starts writing a report through an embedded form, a UUID will be generated to track their submission. Any object that is created will reference this UUID. We call this a trace...
Khan Academy: Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers
Summary The /signup/email API endpoint at khanacademy.org is vulnerable to Cross-Site Request Forgery CSRF attacks, allowing takeovers of accounts associated with unconfirmed email addresses. Description The vulnerable endpoint allows an authenticated user to change the email address associated...
Shopify: H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption
Hi security team, Summary: With great pleasure we would like to report that we have discovered a GraphQL endpoint that discloses internal beer consumption at your offices. Description: This endpoint is leaking internal app details about how much beer you have left on any given day. Steps To...
New Relic: [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users
This is a similar IDOR that I've reported in the past - but I've found a bypass through a misconfiguration requiring pre-setup in both Alerts and Synthetics to work correctly. I'll show you what I mean: Steps to Reproduce From new user creation page: 1. Add a new user to the account...
Mail.ru: XSS in e.mail.ru
XSS via dom clobbering on message reply composing...
Zomato: [www.zomato.com] Blind XSS in one of the Admin Dashboard
@sandeephodkasia identified a Blind XSS vulnerability that fired in one of our admin dashboards. POC - @sandeephodkasia added "alert0; XSS Hunter was used in this case in the address field while placing an order. - XSS triggered when one of our support agents viewed the order details. Thanks...
Uber: Client secret, server tokens for developer applications returned by internal API
@appsecurein identified an internal API for https://riders.uber.com that could return the client_secret and server token for applications authorized by the account owner to access their Uber account. We restricted the data returned by this endpoint. Thanks for bringing this to our attention,...
Mail.ru: Bypass security fixes by downgrading version of application
A version downgrade attack was possible in the webagent web application webagent.mail.ru. It could allow an attacker to force a user to visit an older version of the web application with known vulnerabilities...
U.S. Dept Of Defense: SQL Injection in ████
Summary: There is an SQL injection vulnerability in the SSN field at https://██████████/████/candidateapp/statusscholarship.aspx Impact An attacker could use this vulnerability to control the content in the database, exfiltrate information, and potentially obtain remote code execution. Step-by-st...
Zomato: Reflected XSS on developers.zomato.com
There is a vulnerability in https://developers.zomato.com/documentation due to an old version of Swagger UI Steps to reproduce: - Create an endpoint containing: json {"swagger":"2.0","info":{"description":"This is a sample server Petstore server. You can find out more about Swagger at...
HackerOne: Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form
Hi Team, Summary: A program owner can require hackers to set up two-factor authentication before submitting new reports to their program here: https://hackerone.com/parrotsec/submissionrequirements see below image F355169 The Parrot Sec program has this feature enabled to enforce the hacke...
Django: Email Spoofing Possible on djangoproject.com Email Domain
Summary: Due to a missing SPF and DMARC record it is possible to spoof emails from djangoproject.com. This could potentially be used to trick employees, customers or clients via phishing emails. Description: Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows...