Augur: Indisputable Reporting via Arbitrarily Large Initial Reports
Summary: The initial reporter stake is determined by the REP balance of the specific InitialReporter contract at the time of initial report. This can be arbitrarily controlled via REP transfers at any time between Market creation and the initial report. Right off the bat, an attacker with 33.3......
New Relic: [NR Insights] Pull any Insights/NRQL data from any NR account
@jonbottarini discovered an issue where a feature within a cloud integration wasn't properly validating account IDs. This report helped us identify a backend issue that could prevent account validation from taking place in certain situations. This was a fun one! The full writeup is for this bug i...
Shopify: Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass
Summary: athena-flex-production.shopifycloud.com seems to be an internal system that Shopify uses, because it redirects the user to an Okta login. During this, however, I noticed that it first returns 200 and then does a redirect, meaning some part of the website loads before redirecting. With this, I was...
Shopify: Stored XSS on buy button
I found an XSS vulnerability on the buy button. Steps to reproduce: Go to Settings, General, Store currency, Change formatting and add in "HTML with currency" the payload €amount " After that go to the buy button and you will see that the payload triggers there. Impact: A staff member can take over another...
HackerOne: Disclosure of top 10 vulnerability types for programs that haven't enabled the Insights feature
Summary: Although the report count is not shown, the Insights query endpoint returns a list of the top 10 vulnerability types for any program that hasn't enabled the Insights feature. Reproduction 1. Go to a program that has the Insights feature enabled, e.g.: https://hackerone.com/security/insights 2...
IOVLabs: Attacker can add arbitrary data to the blockchain without paying gas
Summary: Due to a missing sanity check in Transaction::rlpParse, an attacker can append arbitrary RLP-encoded data to the end of an otherwise valid transaction, and that data will not only pass through validation, but also be propagated through the network and mined into a block. Since the block...
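The missing check described in the IOVLabs report above is a top-level "all bytes consumed" test: after decoding the transaction list, the parser must refuse any input that is longer than the item it just decoded. The block below is an added example, not code from IOVLabs, RSKj or the original report. It implements a minimal RLP encoder and decoder following the standard Ethereum RLP rules, builds a constructed nine-field transaction-shaped list with made-up values, and contrasts a lenient parse (which silently ignores appended bytes, the bug pattern) with a strict parse that rejects them and also refuses non-canonical length encodings.

```javascript
'use strict';
// Added example: minimal RLP with a strict top-level decode.
// decodeLenient() stops after the first complete item (the bug pattern);
// decodeStrict() additionally requires the item to span the whole input.

function encodeLength(len, offset) {
  if (len < 56) return Buffer.from([offset + len]);
  let hex = len.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const lenBytes = Buffer.from(hex, 'hex');
  return Buffer.concat([Buffer.from([offset + 55 + lenBytes.length]), lenBytes]);
}

function encode(item) {
  if (Array.isArray(item)) {
    const payload = Buffer.concat(item.map(encode));
    return Buffer.concat([encodeLength(payload.length, 0xc0), payload]);
  }
  const b = Buffer.isBuffer(item) ? item : Buffer.from(item);
  if (b.length === 1 && b[0] < 0x80) return b; // a single small byte is its own encoding
  return Buffer.concat([encodeLength(b.length, 0x80), b]);
}

function slice(buf, start, len) {
  if (start + len > buf.length) throw new Error('truncated item');
  return buf.subarray(start, start + len);
}

// n-byte big-endian length; rejects leading zeros and long form for lengths < 56.
function readLength(buf, pos, n) {
  if (pos + n > buf.length) throw new Error('truncated length');
  if (buf[pos] === 0) throw new Error('non-canonical length: leading zero');
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
  if (len < 56) throw new Error('non-canonical length: long form for short payload');
  return len;
}

function decodeList(buf, start, len) {
  const end = start + len;
  if (end > buf.length) throw new Error('truncated list');
  const items = [];
  let pos = start;
  while (pos < end) {
    const [item, next] = decodeAt(buf, pos);
    items.push(item);
    pos = next;
  }
  if (pos !== end) throw new Error('list payload length mismatch');
  return items;
}

// Decodes one item at pos; returns [item, positionAfterItem].
function decodeAt(buf, pos) {
  if (pos >= buf.length) throw new Error('unexpected end of input');
  const b = buf[pos];
  if (b < 0x80) return [buf.subarray(pos, pos + 1), pos + 1];
  if (b <= 0xb7) {
    const s = slice(buf, pos + 1, b - 0x80);
    if (s.length === 1 && s[0] < 0x80) throw new Error('non-canonical single byte');
    return [s, pos + 1 + s.length];
  }
  if (b <= 0xbf) {
    const ll = b - 0xb7;
    const len = readLength(buf, pos + 1, ll);
    return [slice(buf, pos + 1 + ll, len), pos + 1 + ll + len];
  }
  if (b <= 0xf7) return [decodeList(buf, pos + 1, b - 0xc0), pos + 1 + (b - 0xc0)];
  const ll = b - 0xf7;
  const len = readLength(buf, pos + 1, ll);
  return [decodeList(buf, pos + 1 + ll, len), pos + 1 + ll + len];
}

// Lenient: whatever follows the first item is silently ignored.
function decodeLenient(buf) {
  return decodeAt(buf, 0)[0];
}

// Strict: the single top-level item must account for every input byte.
function decodeStrict(buf) {
  const [item, end] = decodeAt(buf, 0);
  if (end !== buf.length) throw new Error(`${buf.length - end} trailing byte(s) after RLP item`);
  return item;
}

// Constructed transaction-shaped sample (nine fields, values are made up).
const sampleTxFields = [
  Buffer.from([0x09]),                    // nonce
  Buffer.from('04a817c800', 'hex'),       // gas price
  Buffer.from([0x52, 0x08]),              // gas limit
  Buffer.alloc(20, 0x35),                 // to
  Buffer.from('0de0b6b3a7640000', 'hex'), // value
  Buffer.alloc(0),                        // data
  Buffer.from([0x25]),                    // v
  Buffer.alloc(32, 0x11),                 // r
  Buffer.alloc(32, 0x22),                 // s
];
const sampleTx = encode(sampleTxFields);
// The same bytes with an extra RLP string appended, as the report describes.
const paddedTx = Buffer.concat([sampleTx, encode(Buffer.from('smuggled payload'))]);

function demo() {
  const lenientFields = decodeLenient(paddedTx).length; // 9: trailing bytes ignored
  let strictRejected = false;
  try { decodeStrict(paddedTx); } catch { strictRejected = true; }
  return { lenientFields, strictRejected, txLength: sampleTx.length };
}
```

The list-level check inside `decodeList` (`pos !== end`) catches an item that overruns its declared list payload, but it does nothing for bytes placed after the outermost list, which is exactly the gap `decodeStrict` closes. A node that hashes the raw bytes it received, rather than re-encoding the decoded fields, will also carry the appended data into the transaction hash and the block, which is why the trailing-byte rejection belongs at the parse boundary.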
Chaturbate: CSRF in "send them an email and browser notification" feature
The hacker found that the "send an email and browser notification" feature was a GET call and did not check for CSRF tokens; this was resolved...
Starbucks: Reflected DOM XSS on www.starbucks.co.uk
Summary: www.starbucks.co.uk is vulnerable to reflected DOM XSS due to 2 seemingly unexploitable issues. The first issue is unfixed for over a year now, 252908, the second issue originates in a 3rd party module called prettyPhoto. Description: Visiting the following link results in a JavaScript...
Snapchat: Github Token Leaked publicly for https://github.sc-corp.net
Description: GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token indexed 7 hours ago by user ██████ - Software Engineer - Snap Inc. Issue & POC: You can find the leak in this link:...
Vanilla: XSS: Group search terms
Summary: The subdomain https://kentico.vanillastaging.com has a DOM XSS that can be executed in any user's browser by a simple GET request. Description: The search param in the GET request is set as its text value and the response is reflected in the DOM. Request: GET...
Chaturbate: CSRF in cancel group and private show requests
The hacker found that the private and group show cancel URLs were not checking for CSRF headers. This issue was quickly resolved. I have found a CSRF vulnerability in the chat room. When users cancel group shows for any chat room, a POST request is made to the server on this endpoint...
Node.js third-party modules: Reflected XSS in the npm module express-cart.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Reflected XSS in...
Node.js: url.parse() hostname spoofing via javascript: URIs
Summary: Using url.parse in security-sensitive checks is dangerous, as an arbitrary hostname can be spoofed via javascript: URIs. Description: The original url.parse API is dangerous as it allows spoofing an arbitrary hostname via a javascript: URI: `$ node -e...`
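The underlying mistake in the Node.js report above is trusting a parsed hostname on its own: a javascript: URL can carry an authority, so a host-only allowlist passes while a browser executes the path as script. The block below is an added example, not code from the Node.js project or the report. It uses the WHATWG `URL` parser that current Node ships (the report's legacy `url.parse` spoof is fixed in maintained releases, which treat javascript: as hostless, but the WHATWG behaviour shown here is standard and will not change), with an assumed allowlist `ALLOWED_HOSTS` and constructed sample inputs.

```javascript
'use strict';
// Added example: a hostname-only check versus a scheme-first check.
// ALLOWED_HOSTS is an assumed allowlist for the demo.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

function parseOrNull(target) {
  try {
    return new URL(target);
  } catch {
    return null; // relative and malformed inputs pass neither check
  }
}

// Vulnerable pattern: trusts the hostname alone. For a javascript: URL with an
// authority, the WHATWG parser still reports hostname "example.com", so the
// check passes while a browser would run the script carried in the path.
function isAllowedRedirectHostOnly(target) {
  const u = parseOrNull(target);
  return u !== null && ALLOWED_HOSTS.has(u.hostname);
}

// Hardened: allowlist the scheme before looking at the host, and refuse
// userinfo in the authority ("https://example.com@evil.test" lookalikes).
function isAllowedRedirect(target) {
  const u = parseOrNull(target);
  if (u === null) return false;
  if (u.protocol !== 'https:') return false;
  if (u.username !== '' || u.password !== '') return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// Constructed inputs. The javascript: URL decodes to the script source
// "//example.com/\nalert(1)": a comment line followed by alert(1).
const SAMPLES = [
  'https://example.com/account',
  'javascript://example.com/%0aalert(1)',
  'https://user@example.com/',
  'https://example.com.evil.test/',
  '//example.com/path',
];

function compareChecks() {
  return SAMPLES.map((target) => ({
    target,
    hostOnly: isAllowedRedirectHostOnly(target),
    hardened: isAllowedRedirect(target),
  }));
}
```

The protocol allowlist is the fix, not the choice of parser: any parser that follows the URL standard will report a host for `scheme://host/path` regardless of scheme, so an "is this our site?" decision must start from the scheme. If relative redirects are needed, resolve them against a fixed base (`new URL(target, base)`) and then apply the same checks to the result, because `//evil.test/` resolves to a different host under that base.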
Brave Software: `chrome://brave` available for navigation in Release build [-> RCE] + navigation to `chrome://*` using tab_helper ["Open in new tab"]
Summary: chrome://brave is available for navigation Navigation to chrome://brave + requires local file at . The file loaded in this context has access to private Muon APIs such as chrome.ipcRenderer/remote/webFrame/webViewRequest. Muon API allows executing code on the device. e.g. with...
DuckDuckGo: XSS in Subdomain of DuckDuckGo
A cross-site scripting vulnerability was discovered in a subdomain of DuckDuckGo. The subdomain had a Content Security Policy header intended to prevent script execution, but this could be bypassed in Internet Explorer. As a result, malicious scripts could be injected and executed in the...
Chaturbate: CSRF in REPORT EMOTICON feature
The hacker found that the report emoticon endpoint did not check the CSRF token. This was resolved. Users can report emoticons on the basis of the expressions, but the request made to https://chaturbate.com/emoticonreportabuse/emoticonname was a GET request which was not protected by CSRF...
Grammarly: `socket` command allows sending data over WebSockets to arbitrary origins from Grammarly Extension
Summary 1. An attacker could trigger the Grammarly extension's socket command using a crafted page to perform a WS connection and data sending from the extension's background page, with cookies and origin, to any URL. 2. Additionally, commands received from the attacker's server are handled by the extension and coul...
Kaspersky: test report
xxx...
DuckDuckGo: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
Hello, I saw that SSRF on proxy.duckduckgo.com is out of scope but because of the severity I wanted to report this. The payload is simple: curl "https://proxy.duckduckgo.com/iur/?f=1&imagehost=http://169.254.169.254/latest/meta-data/" Response from the server: ami-id ami-launch-index...
HackerOne: Internal usage of AdBlockPlus may expose PoC URLs to unknown third-parties
Hello HackerOne team, this is probably going to be a different kind of report than what you are used to: it looks to me like this is more of an internal, operational security best practice that you may choose to follow. This is something that's been bugging me since January, but it took me some time and...
Chaturbate: Bypass subdomain limits using race condition
The hacker found that it was possible to add more than the limit of 5 whitelabel subdomains. The 5 limit is a soft limit, however we resolved this...
U.S. Dept Of Defense: ███████ Site Exposes █████████ forms
Summary The █████ site https://██████.mil/ allows authenticated users to submit ██████ e-forms. Due to a vulnerability in this system, any authenticated user can access the full █████████ e-form of any other user. Steps to reproduce 1. Intercept an authenticated request on █████████ containing an...
MariaDB: Incorrect Permission Assignment for Critical Resource
Dear Team, Product Affected: https://github.com/MariaDB/server File: /server/blob/10.3/sql/mysqld.cc#L2761 `if (!SetSecurityDescriptorDacl(&sdPipeDescriptor, TRUE, NULL, FALSE))` This was identified purely by code review. Never create NULL ACLs. A mail was sent to [email protected] and the MariaDB team i...
Chaturbate: Stats Token doesn't expire after deactivating account
The hacker found that the stats token, which a user can use to access their own account information, does not expire when an account is deactivated. This was resolved so the view could not be used after deactivation. The application has a feature, "Authorize your 3rd party stats", that provides users a wa...
Zendesk: Stored Cross Site Scripting on Zendesk agent dashboard
A cross-site scripting vulnerability was found in the Zendesk Support product. The Zendesk Security team validated the report within one day and implemented a remediation into production shortly after. Thank you @apfeifer27 for responsibly disclosing this issue and helping to keep Zendesk secure!...
VK.com: [Клевер/Android] Insecure BroadcastReceiver allows another, unauthorized app to create a dialog window inside the app
Insecure BroadcastReceiver. When the app is visible to the user, two receivers are registered in MainActivity: `registerReceiver(this.r, new IntentFilter("com.vk.quiz.action")); registerReceiver(this.q, new IntentFilter("com.vk.quiz.action.coins"));`...
Chaturbate: Account Takeover via billing
The hacker found that when subscribing to a fanclub the parameters could be manipulated to purchase a fanclub subscription for another user. This will set the email of the target account if they had no email on file. This could then be used to reset the password for the target user. The purchasin...
Node.js third-party modules: [samsung-remote] Command injection
I would like to report a command injection vulnerability in the samsung-remote npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: samsung-remote version: 1.2.5 npm page: https://www.npmjs.com/package/samsung-remote Module Descriptio...
Ruby on Rails: Validation bypass for queries generated for PostgreSQL
When using PostgreSQL as the database, I discovered that if a query parameter contains a null character, there is a case in which the rest of the string is lost. How to reproduce: Prepare the environment: `$ rails new postgresqlrails -TB --database=postgresql` `$ cd postgresqlrails` `$ bundle exec ruby -v rub...`
Passit: app.passit.io is vulnerable against username enumeration
Summary: The application app.passit.io is vulnerable to username enumeration through the use of error messages and a dictionary attack. Description: We noted that the application uses a GET request with a rate limit of 60 seconds, which is too broad. The application returns an error message that...
Discourse: Web Cache Deception Attack (XSS)
This XSS does not affect try.discourse.org, but it worked on many other Discourse instances that I tested. In discussions with the Mozilla team, we came to the conclusion that this is a vulnerability in Discourse and it needs to be sent through this program. List of vulnerable hosts:...
Ed: Physical Laptop Takeover
At 6:16 PM on August 11th, 2018, during H1-702, right before the sand storm beat the shit out of the rooftop party, we managed to perform a critical attack on Ed's infrastructure. F332214 Report Summary: During our analysis and reconnaissance of how the Ed program worked during the h1-702 event, we...
Snapchat: Domain Takeover in [obviousengine.com] a snapchat acquisitions
Hello, Summary: while searching through Snapchat acquisitions I found obviousengine (more information here: https://www.crunchbase.com/organization/obvious-engineeringsection-overview) and I found that it's pointing to a GitHub page, so I claimed it. POC - when I visited it, it looked like F331040 - I successfully...
MariaDB: vulnerable to Cross-site Request Forgery | Jira
Vulnerabilities in our publicly available issue and bug tracking Jira instance have been reported and resolved to the best of our abilities by upgrading to the latest available Jira software from Atlassian...
Slack: Possibility to freeze/crash the host system of all Slack Desktop users easily
Hello, I report here what I suspect to be a critical issue for all your users using the Slack Desktop app. Please find below my research approach and the corresponding POC result: First, I started by exploring the content of the file app.asar of the Slack Desktop application. I was first attracted...
MariaDB: Vulnerability Report - Missing Certificate Authority Authorization rule
A missing DNS Certificate Authority Authorization rule was reported for our main domain. We resolved this by adding the relevant CAA rules in our DNS configuration...
Zendesk: Admin Macro Description Stored XSS
A description field only available to account Administrators allowed for unexpected input which could be triggered to execute JavaScript if viewed by lower-level roles under certain circumstances. Thanks to @hariharan21 for their great work!...
Mail.ru: Stored XSS in donations on dobro.mail.ru
Stored XSS in the dobro.mail.ru charity crowdfunding service. dobro.mail.ru is not currently covered by the bug bounty program. XSS when making a donation; go help somebody there https://dobro.mail.ru/ ███████████████████████████ ███████▀▀▀░░░░░░░▀▀▀███████ ████▀░░░░░░░░░░░░░░░░░▀████...
RubyGems: Malware in `active-support` gem
This was sent to RubySec: The gem duplicates the official activesupport (no hyphen) code, but adds a compiled extension. The extension attempts to resolve a base64-encoded domain, 29faea63.planfhntage.de, downloads a payload, and executes...
Uber: [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter
Stored XSS execution at https://login.uber.com due to unsanitized user-supplied input passed through Privacy Policy URL...
Monero: Malicious get_random_rct_outs.bin rpc can cause a near-infinite loop
Summary: An unsanitized get_random_rct_outs.bin RPC request can cause the RPC handler to go into an effectively infinite loop, peg the CPU, and block other requests from completing. Description: The RPC endpoint /get_random_rct_outs.bin takes a uint64 outs_count as input and will return that many random...
Shopify: Stored XSS on activity
Hi security team members, Description: I found a stored XSS on the activity page which allows an attacker to steal admin account cookies. Steps to reproduce 1- Create a store 2- Add a member to the store 3- The member can choose any name 4- So change any member name to hunter" 5- Now on the admin account make...
Yelp: Unauthorized Use of Victim Credit Card
SUMMARY: Yelp users' credit cards are at risk of being compromised. There's a way by which a malicious attacker can make unauthorized purchases from the victim's credit card. Just by getting the victim to some external website and clicking on it, the victim would have eventually paid for some...
Valve: Getting all the CD keys of any game
Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access. Audit logs were not bypassed using this method, and an investigation of those...
Block.one: [FG-VD-18-126] Buffer Overflow Vulnerability in Latest EOS's EOSIO.WASMSDK Repository II
Hello Block.One / EOS Product Security Team, Good Afternoon. There exists a Memory Corruption vulnerability in the latest EOS WASMSDK Library. The PoC.wasm file is attached along with this report. Reproduction Steps: - 1 Fetch the latest EOS WASMSDK repository from...
Block.one: [FG-VD-18-125] Buffer Overflow Vulnerability in Latest EOS's EOSIO.WASMSDK Repository
Hello Block.One / EOS Product Security Team, Good Afternoon. There exists a Memory Corruption vulnerability in the latest EOS WASMSDK Library. The PoC.wasm file is attached along with this report. Reproduction Steps: - 1 Fetch the latest EOS WASMSDK repository from...
Yelp: I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD)
@hk755a found an Insecure Direct Object Reference IDOR Vulnerability that allowed an attacker to pay with someone else's registered credit card, while ordering food with Grubhub through the /checkout/transactionplatform endpoint. No credit card information was disclosed as a result of this...
Node.js third-party modules: Code Injection Vulnerability in dot Package
I would like to report a code injection vulnerability in dot. It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack. Module module name: dot version: 1.1.2 npm page: https://www.npmjs.com/package/dot Module Description Created in search of th...
Node.js third-party modules: Code Injection Vulnerability in morgan Package
I would like to report a code injection vulnerability in morgan. It allows an attacker to inject arbitrary JS commands in certain situations. Module module name: morgan version: 1.9.0 npm page: https://www.npmjs.com/package/morgan Module Description HTTP request logger middleware for node.js Name...
U.S. Dept Of Defense: SQL Injection on www.██████████ on countID parameter
Description: Hello Team, I came across a SQL injection vulnerability on www.██████ in the countID parameter. I was able to retrieve the banner, which is Microsoft SQL Server 2008 R2 SP3 - 10.50.6220.0 X64 Mar 19 2015 12:32:14 Copyright (c) Microsoft Corporation Standard Edition 64-bit on Windows N...