15290 matches found
Tor: Cross-domain linkability when system time changed in Tor Browser
This report is inspired by 257942. That report uses languagechange event as an indicator for different tabs to link multiple visits to a single user. This report uses another trick to achieve the same thing. Malicious websites keeps reading Date.now inside a setInterval loop with a short interval...
Infogram: Stored XSS in the Custom Logo link (non-Basic plan required)
Description Hello. Recently I contacted Infogram and requested a trial of the Business version to test some features that were unavailable in the Basic version. I discovered the stored cross-site scripting issue in the Custom Logo link. F232084 There were some URL checks in place, but I was...
WordPress: Unauthenticated hidden groups disclosure via Ajax groups search
Note: this issue was previously submitted to [email protected], because I did not have the rep to submit it here. That was cleared up with HackerOne, so I am now submitting the issue here, at @aaroncampbell's direction. Summary It is possible for an unauthenticated user to view the title,...
Infogram: Internal Ports Scanning via Blind SSRF
Introduction: I found a Blind SSRF issue that allows scanning internal ports. How to reproduce: Login Send the request https://infogram.com/api/webresource/url?q=TARGETURI Look up the response. If valid, it returns status code 200 and the website's title will be exposed, or 404 for otherwise. For...
Ruby: Bugs
Account info...
VK.com: XSS in private messages
XSS in links in private messages that arrive in real time...
Ruby: Provide a security system most fit to our team
Now we want to prove that our security system is the most fit this year...
Tor: Crashes/Buffer at 0x2C0086,name=PBrowser::Msg_Destroy
Hi Team, Steps to Reproduce: 1. Open Tor 2. Navigate to string.html Where string.html : function tor var uristring = unescape"%u4141%u4141"; fori=0; i 3. 'Gah! This tab has crashed. However, running it to debug mode generates the below exception : !!! ParentMessageChannel Error:...
Duolingo: RCE in TinyCards for Android
We found and confirmed an RCE bug in TinyCards for Android. Is it in scope, and if not how do we report this security issue to DuoLingo...
Tor: Preferred language option fingerprinting issue in Tor Browser
I'm not so sure if this is an in-scope issue or by design. But based on my understanding of 1, I feel that Tor doesn't want to make user configuration details of Tor Browser detectable by websites. But in about:preferences#content, there's a "Languages" section that allows users to "choose your...
Mavenlink: Password reset link injection allows redirect to malicious URL
@cablej found a vulnerability in our password reset functionality that allowed an attacker using an HTTP request with a modified Host header to cause a password reset link to be emailed to the target user that would navigate to the attacker's domain. Because the password reset emails are sent fro...
Inflection: Unsubscribe Any User
Researcher reported that HubSpot's "unsubscribe" feature allows any user to unsubscribe from marketing emails without having to confirm their email address. Inflection does not consider this a vulnerability, as we want to make it as easy as possible for users to stop receiving marketing emails th...
Inflection: Limited Account Takeover via Backup codes
Researcher submitted a duplicate of a previously-submitted report and requested public disclosure of this report...
Stellar.org: xss
Content on a server is including JavaScript content from an unrelated domain. When this script code is fetched by a user's browser and loaded into the DOM, it will have complete control over the DOM, bypassing the protection offered by the same-origin policy. Even if the source of the script code i...
Uber: No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts
A lack of rate limiting on the "/confirm" endpoint made it possible for an attacker to add themselves to arbitrary business.uber.com accounts by brute forcing confirmation codes. If they were able to successfully brute force the correct confirmation code, this would allow an attacker to take ride...
RubyGems: Negative size in tar header causes infinite loop
Proof of concept The attached file loop.gem causes an infinite loop in any command that tries to iterate over the entries in the tar container. gem install loop.gem gem unpack loop.gem gem specification loop.gem Summary Gem::Package::TarHeader.from uses oct to parse fields in the tar header. oct...
RBKmoney: IDOR in merchant.rbmonkey.com allows deleting eShops of another user
Website merchant.rbmonkey.com was exposed to an insecure direct object reference (IDOR) vulnerability which may allow an attacker to delete shop objects of another user...
Uber: XSS on partners.uber.com due to no user input sanitisation
The /p3/drivers/vehicles/add endpoint on partners.uber.com was vulnerable to cross site scripting, since the endpoint did not validate the data it received, it did not perform encoding on the data to remove or make harmless HTML-sensitive characters such as . The page response was not served with...
Legal Robot: Non-HTTPS link on blog
Hi, @legalrobot I found another venturebeat.com URL without HTTPS in https://www.legalrobot-uat.com/press/ I hope you fix this. Screenshot attached below. Cheers, Ph0b0s...
WePay: [stage-go.wepay.com] XSS via Request URI
PoC Open URL in Internet Explorer. This vulnerability only works in Internet Explorer and possibly in Edge, since it is necessary to send a Request-URI without a URL Encode, which is only possible in this browser via redirect...
Inflection: Business Logic Flaw allowing Privilege Escalation
Researcher misunderstood the names and permissions assigned to various roles in the GoodHire application - the permissions are working as intended. Nevertheless, the researcher requested for the report to be disclosed...
QIWI: apache access.log leakage via long request on https://rapida.ru/
Issue: access.log is leaked to an attacker who tries sending many requests. Explain: Honestly I don't know how the bug happens, but I guess if the access.log is too large, it will dump some part into the response, and the attacker happily gets it. Reproduce: 1. Access https://rapida.ru/search/?q= 2...
Infogram: Non Critical Code Quality Bug / Self XSS on Map Editor
Hi Team, I've found a non-critical XSS on the map editor. It is not for bounty, just for code quality. This is my URL: https://infogram.com/app/edit/c024c717-31c2-4c31-8491-1cc9534e9adb When I added a map to the form, then edited the Country name and replaced it with "alert1;", it was executed. Attached screenshots...
Mail.ru: Stored self-XSS on pubg.mail.ru in several places
Stored self-XSS in pubg.mail.ru via account name if login via social network is used. pubg.mail.ru is not currently in bug bounty scope...
Razer US: Heart-bleed Vulnerability that leads to disclose sensitive information from the memory
Summary: Upon doing penetration testing on the Razer domains, I have found that one of the domains is vulnerable to the Heartbleed vulnerability, but I am not sure that careers.razerzone.com is in scope. Because of the danger of the vulnerability, I took the further step of reporting it. The Heartbleed B...
Inflection: Fake mailing reports using mail service on [URL : mail-txn.identity.com]
Researcher discovered an unused subdomain that served as an alias for Mandrill's third-party transactional email service. Mandrill's relay server could be used to send bounceback/failed delivery messages to an arbitrary "sender", although the contents of the message itself are limited to Mandrill...
HackerOne: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page
Summary: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page Description Include Impact: Since search query text can both include content of private vulnerabilities, it shouldn't be sent to Google Analytics. Furthermore, the information...
LocalTapiola: High server resource usage on captcha (viestinta.lahitapiola.fi)
Short summary Hi, I noticed that the following report has been fixed and closed, however the bug has reappeared in different parameters: https://hackerone.com/reports/204208 Basic report information Summary: It is possible to generate a simple request which creates a high cpu/bandwidth consumptio...
Boozt Fashion AB: No Session change on Password change
Your system does not change the session ID after the password is changed. Reusing the same session IDs after the password is changed is highly risky. Example scenario: A hacker has successfully brute-forced the password of a victim and has access to the account. The victim notices that something's off and chooses...
Infogram: No Rate Limit on account deletion request(Leads to huge email flooding/email bombing)
Dear sir, First, I want to say that this sensitive action definitely should be set with a rate limit. Note:- This is about huge bombing/brute force on any endpoints. Vulnerability:- -No rate limit has been set for generating account deletion emails for accounts on the above selected domain. -As there ...
Infogram: Incorrect Functionality of Password reset links
Vulnerability:- -Password reset links should work in such a way that "only the last generated password reset link should be valid" i.e; if two tokens are generated at a time, then 2nd token must work and 1st token must be invalid. -If not, another case is that "if some number of reset links are...
Infogram: Email notification is not being sent while changing passwords
Vulnerabilities:- 1. Use of old passwords is possible (the current password can be used as the new password). 2. Email notification is not being sent to the linked mail account while changing passwords. Impact:- Case-1:- -whenever a user requests a reset token for recovery of his account, a reset token is being to...
Infogram: Server Side Request Forgery on JSON Feed
Hi Team, I would like to report SSRF issue. PoC: 1. Navigate to https://infogram.com/app/user-project. 2. Click on edit logo fields and click on add JSON Data. 3. Enter urlopenport response is Download failed 4. Enter urlclosedport response is Invalid data source Fix: Don't give permission to por...
Infogram: User Enumeration
Vulnerability:- -User enumeration is possible through the forgot password feature. Steps to reproduce:- -Go to the above selected domain and go to forgot password. -You can submit a mail address and check whether it exists in your database or not. Remediation:- -It should display like "if that...
Infogram: Weak Password Policy on Signup
Hi Team, I would like to let you know about a password management issue. PoC: 1. Navigate to the signup page. 2. Fill in your details and give a password as simple as 123123. 3. You can see you will be registered and there is no strong enforcement. Fix: Use complex password management. Regards, Mr.R3boot...
Infogram: Stored Cross-Site scripting in the infographics using Data Objects links
Description Hello. This stored XSS case is different from the earlier reported 280495, but has a very similar root cause and reproduction steps. Upon pasting the link to the Text Object, not in the Add Media section like in the previous report, we can intercept the request and change the link source to the...
Infogram: Tabnabbing via window.opener
Hi Team, I would like to report a tabnabbing issue on your domain. Details: When you open a link in a new tab (target="_blank"), the page that opens in a new tab can access the initial tab and change its location using the window.opener property. PoC: 1. Navigate to...
Infogram: Stored Cross-Site scripting in the infographics using links
Description Hello. I discovered that it is possible to conduct a Stored XSS attack on the public infographics pages. Upon pasting the link, we can intercept the request and change the link source to a malicious one, which will result in the Stored XSS. POC...
Infogram: SPF Misconfiguration
I was just looking at your SPF records and found the following. The SPF records are missing a safe check, which can allow me to send mail on behalf of infogram. PoC: The TXT records found for your domain are: "v=spf1 include:spf.google.com include:spf.mandrillapp.com include:mailgun.org all" Simply anyone can u...
Infogram: No Rate limit on Password Reset Function
Hello Infogram Security Team Description:- I have identified that when resetting the password, the request has no rate limit, which then can be used to brute force through one request. This can be annoying to Infogram users. Steps to reproduce:- Request a password reset link. Catch the abov...
Boozt Fashion AB: No Confirmation During Email Change
Hello Team, Your system lets users change their email address without confirmation. A user can change the password without any confirmation. Anyone can access or make changes to any account if that account is logged in on a public computer. So, it is better to send an email to the user's email and confirm the change...
Tor: Enforce minimum master password complexity
Hi Team, Actual results: There is no password complexity set for the Master password in about:preferences#security, because I was able to set my password like 123, 123456, www, admin etc., which is really common. Apart from that, we can use spaces as well in the master password; I was able to set space as my...
Weblate: Improper validation of unicode characters#2
It was reported that some Unicode chars cause Weblate to crash. Upon further investigation it was shown that the issue was unrelated to Unicode. The reporter was just unlucky to perform testing while there was a temporary error on the database...
Inflection: Malicious callback url can be set while creating application in identity
Researcher found that while creating any application in identity, you are required to provide a callback URL. If you provide a malicious callback URL, then JavaScript will stop you from submitting the form. But there is no server-side validation, and we can use an application proxy to bypass the javascri...
Boozt Fashion AB: Users Unable to login using Gmail/Facebook on https://boozt-stage1.booztx.com/login
Hi Team, when I try to log in on this subdomain https://boozt-stage1.booztx.com/login using Gmail or Facebook, the login form does not redirect me to Gmail/Facebook; it gives an error message since it is blacklisted by the server. Steps to Reproduce: 1 Go to https://boozt-stage1.booztx.com/login ...
HackerOne: Issue with password change in Disabled Account
Hello HackerOne, Summary: I have found that 38343 is not yet fully fixed; a disabled user does not always get a notification about a password change. When a password is changed via the password reset link, such a notification is not sent to the disabled user. Description Include Impact: When a password...
Nextcloud: Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware
Hi Team, Page: https://nextcloud.com/news/16/ Broken link for incorrect DNS entry: It seems like a typo and makes the tld as .comg instead of .com. Now other than usability issue for users, it poses security risk as .comg can be claimed as a gTLD since it is not a reserved TLD Similar to...
Gratipay: Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware
Hi Team, Page: https://gratipay.com/Breadcrumbel/ Broken link for stale DNS entry: Homepage Root domain breadcumbry.com has expiration date: Registrar Registration Expiration Date: 2018-06-10T18:18:30Z And also from whois: Domain Status: OK https://icann.org/eppok OK status means it has no...
Legal Robot: Chat exposed using cookie
Hello. Broken authentication and session management: An attacker can use the cookies of an authenticated user to read and write the chat on behalf of the user and misguide the Legal Robot team. Steps to reproduce: Sign in at https://app.legalrobot.com/sign-in Check the cookies of domain legaltobot.com...
Weblate: Improper validation of unicode characters
Unicode characters are not properly validated on https://demo.weblate.org/accounts/profile/preferences in the special character input. A screenshot showing this is attached below...