Shopify: Sensitive data Related to Shopify Host -> https://shopify.zendesk.com/
Description: GitHub is a truly awesome service, but it's unwise to put sensitive data in a public repo. I found a repo committed 1 hour ago containing sensitive data (Credentials && ZRTAPIKEY && JWTSECRET) related to this Host - https://shopify.zendesk.com/ leaked publicly on GitHub, and clearly th...
Affirm: Subdomain takeover of www█████████.affirm.com
Summary Hi there, assuming you want this report as your policy mentions Affirm resources with third-parties, but the scope was a little unclear. Regardless, www█████.affirm.com points to an AWS S3 bucket affirm-prod-www-cms█████████ that no longer exists. I was able to take control of this bucket...
MTN Group: Default Login Credentials on https://broadbandmaps.mtn.com.gh/
Summary: Hello Team, I just found out that broadbandmaps.mtn.com.gh requires logging in when you visit it, but it turned out that you can actually log in as an Admin and do anything on the specific site. When you visit the mentioned site you will get this F1405776; it will require you to be logged in t...
UPchieve: Business logic error
Hi UPCHIEVE SECURITY TEAM, I'm Anto. Vulnerability: Business logic error. There is no password verification while changing a password. Steps to Reproduce: 1. Go to https://hackers.upchieve.org/resetpassword. 2. Click the change password. 3. If your old password was ex: hacker and in new password...
Glovo: Getting a free delivery by signing up from "[email protected]"
Hello. Getting a free delivery for food by just signing up from "[email protected]", and you also see the " FREE delivery Glovo Team ∞" in the profile section. To cross check, I made another account using a regular email ID "[email protected]" and placed an order at the same location, but I didn't g...
U.S. Dept Of Defense: EC2 subdomain takeover at http://████████/
There is a dangling DNS A record that points to an EC2 instance that no longer exists. I was able to claim the EC2 instance and host content on http://███████/. Steps To Reproduce: 1. Visit http://█████████/██████████.html and view the PoC: ██████ Suggested Remediation Steps: Remove the A record...
Valve: Modify in-flight data to payment provider Smart2Pay
I have found a vulnerability which allows an attacker to generate Steam wallet balance. Firstly, you will have to change your Steam account email to something like the following (I will explain why in the next steps; amount100 is the important part): brixamount100abc@█████ Then go to...
Shopify: EC2 Takeover at turn.shopify.com
Summary Hi team, It seems that the domain turn.shopify.com pointed to an EC2 instance that was terminated and the DNS record wasn't updated. We managed to register a new EC2 instance with the IP that turn.shopify.com points to: Command dig turn.shopify.com ; DiG 9.11.3-1ubuntu1.13-Ubuntu...
UPchieve: Failed to validate Session after Password Change
While conducting my research I discovered that the application failed to validate the session after a password change. In this scenario, changing the password doesn't destroy the other sessions which are logged in with the old password in another browser. Steps To Reproduce: 1. Log in with the same account ...
Logitech: clickjacking on deleting user's clips [https://crossclip.com/clips]
Summary: An attacker can trick a victim into deleting their own clips on https://crossclip.com/clips. Steps To Reproduce: F1403810 1. Log in. 2. Create an HTML file with the following code. I-Frame THIS PAGE IS VULNERABLE TO CLICKJACKING Supporting Material/References: F1403810 Impact: tricking a user into dele...
Palo Alto Software: DNS Misconfiguration Leads to Subdomain Takeover - max1.liveplan.com
Summary: The issue happens due to using the EC2 public DNS name as the CNAME record instead of using Elastic IPs. This report is similar to report 1069795. Misconfiguration - DNS Records json "host": "max1.liveplan.com", "resolver": "1.0.0.1:53" , "a": "54.68.121.128" , "cname":...
Twitter Algorithmic Bias: Underrepresentation Bias through Twitter's Cropping Algorithm #2: Favoring Animals over Black People
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
Basecamp: Login session does not expire
@blackbibin reported that after signing in, you could go back in the browser and the login info would still be populated. We've ensured the login page is reloaded in this case...
Twitter Algorithmic Bias: Underrepresentation Bias through Twitter's Cropping Algorithm
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
Sifchain: SSH server due to Improper Signature Verification
I found that you are using golang.org/x/[email protected], which has a vulnerability that was fixed in this version: golang.org/x/[email protected]. That vulnerability is: golang.org/x/crypto/ssh is an SSH client and server Version...
Khan Academy: The endpoint /api/internal/graphql/requestAuthEmail on khanacademy.org is vulnerable to Race Condition Attack.
Summary: The endpoint /api/internal/graphql/requestAuthEmail on www.khanacademy.org is vulnerable to a race condition attack. That may cause a random e-mail user to receive a large number of emails to finish signing up for Khan Academy with invalid links. The attack is because your web...
Twitter Algorithmic Bias: Economic Harm through Twitter's Cropping Algorithm
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
LY Corporation: Access to images and videos in drafts on LINE BLOG
On LINE BLOG, a sequential ID is assigned to each image/video when uploaded, and the ID is converted to the actual URL on preview/publish. Due to a bug in the attachment ownership verification process, it could be possible for an attacker to view unpublished images/videos in other users' drafts by...
Mail.ru: [185.30.178.57:8080] - Vulnerable to Jetleak
sfpc.euits.dev-my.games contains a Jetty web server vulnerable to JetLeak...
Basecamp: Password reset link not expiring after changing password in settings
@blackbibin reported password reset link not expiring when password was updated from an active session, by going to the Account's Login & Security setting. We were only expiring password reset links when the password was updated through a password reset request. Now we expire password reset links...
Mail.ru: [ii.worki.ru] emarsys subdomain takeover
Hi team, I found a subdomain takeover vulnerability in the ii.worki.ru subdomain, which is delegated to emarsys.net and is vulnerable to takeover. CNAME: ████████ Name: ii.worki.ru Type: CNAME. When you search https://ii.worki.ru it redirects to █████████, which is an emarsys.net servi...
GitHub Security Lab: [Java] CWE-601: Add Spring URL Redirect ResponseEntity sink
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python]: Add SqlAlchemy support for SQL injection query
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python] CWE-287: LDAP Improper Authentication
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: Unsafe deserialization with Jackson
This bug was reported directly to GitHub Security Lab...
TikTok: Multiple IDORs in family pairing api
An IDOR (Insecure Direct Object Reference) vulnerability was found on a TikTok Family Pairing endpoint which could have been used to disable various features. We thank @s3c for reporting this to our team and confirming the fix. Write up...
MTN Group: No password length restriction in reset password endpoint at http://suppliers.mtn.cm
Hello. Summary: I found no password length restriction in the reset password endpoint at http://suppliers.mtn.cm when setting a new password. Steps To Reproduce: 1. Visit https://suppliers.mtn.cm/ and register. 2. Log out and reset your password. 3. Go to your email and click on the reset password link. 4...
Reddit: s3 bucket takeover presented in https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh
Hey team, Summary: I have found that the code of full-build-macos.sh in rpan-studio on GitHub (https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/install-dependencies-osx.sh) contains an S3 bucket which was unclaimed, i.e...
Omise: Race condition on action: Invite members to a team
Summary: Hello there, I've found a race condition vulnerability which allows the invitation of the same member multiple times to a single team via the dashboard. Tools needed: Burp Suite community edition with the extension Turbo Intruder. This is the way I adopted to detect such vulnerability,...
Tennessee Valley Authority: Rate limit missing on sign-in page
Vulnerability description not provided...
Vanilla: Homograph attack bypass causes redirection
Hi Team, I read report 563268, which is a great report that was able to trick users into clicking on links which appear to them as normal links but are in fact malicious links. So I tried to find a way to make this happen again, and I found out that there is a homograph attack bypass which can redirect...
GitLab: Improper access control for users with expired password, giving the user full access through API and Git
Summary Users with an "expired password" can still access the full API with tokens. This includes the REST API, GraphQL API and Git HTTP access. The same issue was mitigated in 13.12.2 as "Insufficient Expired Password Validation". That patch blocked users with expired passwords from accessing th...
HackerOne: Leaked H1 employees' email addresses and meeting info on private bug bounty program ████████
Summary: Dear Team, I am finding bugs on this private program █████████ after logging in with the provided credentials. I searched some people in the list and saw a HackerOne employee account there. Looking at the H1 personal stuff, some sensitive information is exposed, like email addresses...
Reddit: Open Redirect on www.redditinc.com via `failed` query param bypass after fixed bug #1257753
Hello dear support, I have found a bypass for the open redirect in submission 1257753 after it was fixed by the sec team. F1394378 The old open redirect is fixed and not working; this URL...
LY Corporation: Missing authentication in buddy group API of LINE TIMELINE
Due to a bug in the authentication logic of the LINE TIMELINE buddy group API, it could be possible for an attacker to obtain the authority of another person by manipulating API request headers, which would allow an attacker to inquire about and modify the buddy group and buddy group list of another user...
Homebrew: Bypass of the installation sandbox by injecting keystrokes with TIOCSTI
While doing some internal testing recently, we ran into installation sandboxing and found a way to bypass it so that a formula's install script can execute commands outside of the sandbox. I understand from https://github.com/Homebrew/brew/issues/2986 that the sandbox is intended to prevent...
Sifchain: ETHEREUM_PRIVATE_KEY leaked via github
ETHEREUM_PRIVATE_KEY is used to sign Ethereum transactions on the blockchain. Steps To Reproduce: Open this URL: https://github.com/Sifchain/sifnode/blob/f96727748e1f44926d3bd72b1021f6c2461dee17/test/integration/start-integration-env.sh POC - screenshot attached. Impact: It shouldn't be publicly...
Stripo Inc: Insecure Storage and Overly Permissive API Keys
Summary: I was surfing on the stripo.email website. I found sensitive data, including an authentication key/secret token, written in a publicly accessible subdomain. We found an aviaryApiKey and other secret keys exposed in staging.empleio.stripo.email. Risk Factors: Most often developers, for their ease of...
GitLab: ReDoS in syntax highlighting due to Rouge
Summary: GitLab is using the Ruby gem "rouge", which has a ReDoS vulnerability. In rouge, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have cubic worst-case complexity and are vulnerable to Regular Expression Denial of Service...
UPchieve: URL redirection
Summary: The following URL is vulnerable to redirection: https://app.upchieve.org Steps To Reproduce: When you add @evil.com, the user will be redirected to evil.com: https://[email protected] Impact: Users could get redirected to a malicious domain...
Grammarly: Bypassing the Grammarly plagiarism checker by simply replacing characters in the source text
Summary: Replacing the characters i, a, e, o, p, c, x in the text with similar-looking ones from the Ukrainian keyboard layout leads to plagiarism detectors (the Grammarly plagiarism checker and others) skipping such text, marking it as unique without any plagiarism and not even signalling that the...
U.S. Dept Of Defense: https://██████/ Vulnerable to CVE-2013-3827 (Directory-traversal vulnerability)
Description: Hi team, https://█████/ is using an older version of Oracle JavaServer which is vulnerable to CVE-2013-3827. POC: https://█████/████ References: https://www.securityfocus.com/bid/63052/info https://www.exploit-db.com/exploits/38802 Impact: Directory traversal. System Hosts: █████ Affected...
8x8: DNS Misconfiguration (Subdomain Takeover) - █████████.8x8.com
@melbadry9 reported to us an issue with an A record which pointed to subdomains outside of 8x8's control. This was caused due to a misconfiguration in a script, together with changes in AWS' DNS resolution behaviour. The issue has been rectified...
GitLab: Stored XSS via Mermaid Prototype Pollution vulnerability
Summary: I am continuing to investigate 1106238 and found an additional vector for prototype pollution and stored XSS. Steps to reproduce: 1. Create an issue in any repository. 2. Create a mermaid diagram with the following payload: %%init: 'proto': 'template': '' %% %%init: 'proto': 'template': '' %%...
Shopify: Ability to add address without being an admin or staff in the store via wholesale store
Customers in the Shopify store can be added manually or automatically; an example of automatic addition is when you want to check out. Here we don't need to check out: just by proceeding to "Continue to shipping", information will be sent directly to the customer, such as the email address and other things b...
U.S. Dept Of Defense: Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint on ████████
Description: Hi, while going through the testing of DoD assets, I came across a subdomain that is vulnerable to CVE-2020-14179. Some of the internal fields that are exposed are Project, Status, Limits, Creator, Query, Created Date, Updated Date, Resolution Date, etc. References...
U.S. Dept Of Defense: Sensitive data exposure via /secure/███████ endpoint on ████████
The sensitive data exposure vulnerability in the /secure/███████ endpoint on ████████ was identified. The vulnerability allowed unauthenticated attackers to view custom field names and custom SLA names. The vulnerability was caused by CVE-2020-14179...
UPchieve: blind SQL injection on [ https://argocd.upchieve.org/login?return_url=id= ]
Summary: I have discovered a blind SQL injection on your site's login page, which I confirmed using two scenarios to confirm its existence. Steps To Reproduce: add details for how we can reproduce the issue. Use the following payloads; this one returned a 200 OK response confirming the SQL vulnerability's existence...
U.S. Dept Of Defense: [CVE-2021-29156] LDAP Injection at https://██████
Description: https://█████ is vulnerable to CVE-2021-29156 References https://hackerone.com/reports/1278050 https://nvd.nist.gov/vuln/detail/CVE-2021-29156 https://portswigger.net/research/hidden-oauth-attack-vectors...