List of bug bounty writeups · Pentester Land

| Title | Author | Program | Bug type | Bounty | Date |
|---|---|---|---|---|---|
| Story of an IDOR via HTTP | Shuaib Oladigbolu (@_sawzeeyy) | – | IDOR | – | 12/31/2019 |
| Exploiting HTML Injection in Email | Shuaib Oladigbolu (@_sawzeeyy) | – | HTML injection | – | 12/31/2019 |
| From POST to GET Open redirect | Sourav Sahana (@kernel_rider) | – | Open redirect | $450 | 12/31/2019 |
| Bug Hunting Journey of 2019 | Sudhanshu Rajbhar (@sudhanshur705) | Alibaba, Verizon Media, [Private program] | XSS, Privilege escalation, Information disclosure | $2,500 | 12/31/2019 |
| Exploiting a Self Stored XSS with an IDOR | Shuaib Oladigbolu (@_sawzeeyy) | – | Self XSS, Stored XSS, IDOR | – | 12/31/2019 |
| How did I earn $3133.70 from Google Translator? | Beri Bey (@uppmen) | Google | XSS | $3,133.70 | 12/30/2019 |
| Facebook Bug bounty Story: $X000 for an Information Disclosure Bug | Circle Ninja (@circleninja) | Facebook | Information disclosure | – | 12/29/2019 |
| How I made $7500 from My First Bug Bounty Found on Google Cloud Platform | James Grunewald | Google | Logic flaw | $7,500 | 12/29/2019 |
| Drop the mic?! no! Drop the connection 😉 | Sasi Levi (@sasi2103) | Google | DOM XSS | – | 12/29/2019 |
| Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty | Omkar Bhagwat (@th3_hidd3n_mist) | – | XSSI | $0 (Duplicate) | 12/27/2019 |
| Bypassing Brand Collabs Manager Eligibility on Facebook | Ajay Gautam (@evilboyajay) | Facebook | Authorization flaw | $0 | 12/26/2019 |
| Subdomain takeover via pantheon | Smaran Chand (@smaranchand) | – | Subdomain takeover | – | 12/26/2019 |
| Microsoft Edge (Chromium) – EoP via XSS to Potential RCE | Abdulrahman Al-Qabandi (@Qab) | Microsoft | XSS, RCE | $40,000 | 12/24/2019 |
| SOP Bypass via browser-cache | Aaron Costello (@ConspiracyProof) | Keybase | SOP bypass | $1,500 | 12/24/2019 |
| Abusing ImageMagick to obtain RCE | Strynx (@Strynx_Security) | – | ImageMagick, RCE | $5,000 | 12/24/2019 |
| How we hacked one of the worlds largest Cryptocurrency Website | Strynx (@Strynx_Security) | – | SQL injection, RCE | – | 12/24/2019 |
| Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR) | Vijay Kumar (@IndoAppSec) | Airbnb | IDOR | $3,000 | 12/24/2019 |
| Bugbounty \| A Dom Xss | Jinone (@jinonehk) | – | DOM XSS | $500 | 12/24/2019 |
| GraphQL IDOR leads to information disclosure | Eshan Singh (@R0X4R) | – | IDOR | – | 12/24/2019 |
| CSRF Token Bypasss — A Tale of my $2k bug | Adeyefa Oluwatoba (@adeyefa_codes) | – | CSRF, Account takeover | $2,000 | 12/23/2019 |
| reCAPTCHA Exploits | Dr. Neal Krawetz (@hackerfactor) | Google | reCAPTCHA bypass | $0 | 12/23/2019 |
| From broken link to subfolder takeover on Bukalapak | wis4nggeni | Bukalapak | AWS flaw | – | 12/23/2019 |
| 2 FA Bypass via CSRF Attack | Vishal Bharad | – | 2FA bypass, CSRF | $0 (Out of scope) | 12/23/2019 |
| Full Account Takeover (Android Application) | Vishal Bharad | – | Information disclosure, Account takeover | – | 12/21/2019 |
| Bypassing Captcha ! | Abhishek Yadav (@abhishake100) | – | Captcha bypass | $200 | 12/20/2019 |
| Account Takeover Through Password Reset Poisoning | Vishal Bharad | – | Password reset flaw, Account takeover | – | 12/19/2019 |
| #BugBounty — How Snapdeal (India’s Popular E-commerce Website) Kept their Users Data at Risk! | Nanda Kumar (@nk00_nk) | Snapdeal | Insecure storage of sensitive information | – | 12/19/2019 |
| [Google VRP] SSRF in Google Cloud Platform StackDriver | Ron Chan (@ngalongc) | Google | SSRF | – | 12/19/2019 |
| Abusing feature to steal your tokens | Harsh Jaiswal (@rootxharsh) | – | OAuth flaw | $3,750 | 12/17/2019 |
| BreakingApp – WhatsApp Crash & Data Loss Bug | Dikla Barda, Roman Zaikin & Yaara Shriki | Facebook | DoS | – | 12/17/2019 |
| [email protected] Disclosure via IDOR | Pratyush Anjan Sarangi | – | IDOR | $750 | 12/16/2019 |
| Stored Iframe Injection + CSRF = Account Takeover | Rounak Dhadiwal (@XploiteR_D) | – | HTML injection, CSRF | – | 12/16/2019 |
| How I Took Over 2 Subdomains with Azure CDN Profiles | m0chan (@m0chan98) | – | Subdomain takeover | – | 12/16/2019 |
| 4 Google Cloud Shell bugs explained | [email protected] (@wtm_offensi) | Google | RCE | – | 12/16/2019 |
| Authorization bug that every bug hunter missed on a popular program | Ajinkya Pathare (@fellchase) | – | Authorization flaw | – | 12/15/2019 |
| Vimeo upload function SSRF | Sayed Abdelhafiz (@dPhoeniixx) | – | SSRF | $5,000 | 12/13/2019 |
| How I was able to find a logical bug on Instagram? | Jabir Khan (@Jabirkhan0x0) | Facebook | Logic flaw | – | 12/13/2019 |
| Facebook New Account Verification Bypass | Santosh Baral (@santoshbrl5) | Facebook | Authentication bypass | $0 (Internal duplicate) | 12/13/2019 |
| Multiple Host Header Attacks after bypassing protection with… a Header Attack | vict0ni (@vict0ni) | – | Host header injection | – | 12/12/2019 |
| A $25 Easy Bug. | Navneet (@na5n33t) | – | Session management flaw | $25 | 12/12/2019 |
| SSRF via FFmpeg HLS processing | Pflash Punk (@PflashPunk) | – | SSRF | $0 (Duplicate) | 12/11/2019 |
| Blind Xss (A mind game to win the battle) | Dirtycoder (@dirtycoder0124) | – | Blind XSS | $1,000 | 12/11/2019 |
| AirDoS: Remotely render any nearby iPhone or iPad unusable | Kishan Bagaria (@KishanBagaria) | Apple | DoS | – | 12/10/2019 |
| Get pwned by scanning QR Code | Nikhil Mittal (@c0d3G33k) | Mozilla | XSS, CSP bypass | – | 12/10/2019 |
| Authentication Bypass | Rushiikesh (@u1tran00b) | – | 2FA bypass | $700 | 12/09/2019 |
| Media deletion CSRF vulnerability on Instagram | Pouya Darabi (@Pouyadarabi) | Facebook | CSRF | $3,000 | 12/09/2019 |
| Telegram (v4.9.155353) was rendering file:// links + opening them via -> code execution. | Vladimir Metnew (@vladimir_metnew) | Telegram | RCE | $500 | 12/08/2019 |
| Reusing Cookies | Ricardo Iramar dos Santos | – | Session management flaws | $400 | 12/07/2019 |
| HTML Injection to XSS bypass in [] | Evan Ricafort (@evanricafort) | – | Reflected XSS | $600 | 12/07/2019 |
| $150 XSS at Error Page of Respository Code | Navneet (@na5n33t) | – | Reflected XSS | $150 | 12/07/2019 |
| Google Chrome portal element fuzzing | Pawel Wylecial (@h0wlu) | Google | RCE, Heap Buffer Overflow, Heap Use-After-Free | $8,000 | 12/06/2019 |
| HTTP Request Smuggling + IDOR | hipotermia (@hipotermia) | – | HTTP request smuggling, IDOR | – | 12/05/2019 |
| XSS like a Pro | Anas Mahmood (@AnasIsHere) | – | XSS | $450 | 12/05/2019 |
| Dank Writeup On Broken Access Control On An Indian Startup | Divyanshu Shukla | – | Unrestricted file upload, Authorization flaw | – | 11/30/2019 |
| My first RCE: a tale of good ideas and good friends | rez0 (@rez0__) | – | RCE, ImageTragick | – | 11/29/2019 |
| How I turned Self XSS to Stored via CSRF | Abhishek Yadav (@abhishake100) | – | Self XSS, CSRF | $550 | 11/29/2019 |
| Hacking GitHub with Unicode’s dotless ‘i’ | John Gracey (@jagracey) | Github | Logic flaw | – | 11/28/2019 |
| XSS Stored On [ Outlook Web — Outlook Android App ] | ElMahdi Mrhassel (@ElMrhassel) | Microsoft | Stored XSS | $2,400 | 11/28/2019 |
| Reflected XSS in leads to account takeover in IE/Edge | Samm0uda (@samm0uda) | Facebook | Reflected XSS, Account takeover | $5,000 | 11/27/2019 |
| Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings | Johns Simon (@Johnssimon22) | – | Authorization flaw | – | 11/27/2019 |
| How Did Tons of People Like Me on Tinder? | Mustafa iran (@Mustafaran) | – | HTTP request smuggling | $2,500 | 11/25/2019 |
| Finding a security bug in Discord and what it taught me | Tristan Farkas (@TristanAtFarkas) | Discord | OAuth flaw | – | 11/24/2019 |
| CORS Misconfiguration to Account TakeOver [Out of scope to grab items In-Scope] | Mashoud1122 (@mashoud1122) | – | CORS misconfiguration, Open redirect, Reflected XSS, Session management flaw | $1,500 | 11/24/2019 |
| The AccountTakeOver Killing Chain | أنس روبي (@xhzeem) | – | Account takeover, CSRF, Self-XSS | – | 11/23/2019 |
| Exploiting padding oracles with fixed IVs | Teddy Katz (@not_aardvark) | – | Padding oracle, Account takeover | – | 11/23/2019 |
| IDOR via Websockets | Shuaib Oladigbolu (@_sawzeeyy) | – | IDOR | – | 11/23/2019 |
| Stories Of IDOR-Part 2 | Shivbihari Pandey (@ninja_pandit_) | – | IDOR | $3,650 | 11/21/2019 |
| Disable Any Unconfirmed Account in Facebook | Lokesh Kumar (@lokeshdlk77) | Facebook | Bruteforce | $1,000 | 11/21/2019 |
| 700$ Denial of Service(DoS) vulnerability in script-loader.php (CVE-2018-6389) | Pankaj Thakur (@Nep_1337_1998) | – | DoS | $700 | 11/21/2019 |
| How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads | Mohamed Daher (@DaherMohamed4) | – | XSS | $1,054 | 11/20/2019 |
| Cracking reCAPTCHA, Turbo Intruder style | James Kettle (@albinowax) | Google | Race condition | $0 | 11/20/2019 |
| Subdomain Takeover via | Mohamed Haron (@m7mdharon) | – | Subdomain takeover | $900 | 11/20/2019 |
| How I could delete Facebook Ask for Recommendations post’s place objects in comments | Raja Sudhakar (@Rajasudhakar) | Facebook | IDOR | – | 11/20/2019 |
| Broken session management leads to bypass 2FA and Permanent access to Facebook user’s | Mahmoud Barakat (@0xBarakat) | Facebook | Authentication bypass | – | 11/19/2019 |
| Disclose the owner of a recruiting manager in Jobs Beta | Philippe Harewood (@phwd) | Facebook | Information disclosure | – | 11/19/2019 |
| Million Users PII Leak Data Leak | Shivbihari Pandey (@ninja_pandit_) | – | Information disclosure, Blind XSS | $3,250 | 11/18/2019 |
| XSS in GMail’s AMP4Email via DOM Clobbering | Michał Bentkowski | Google | XSS, DOM Clobbering | – | 11/18/2019 |
| This is How I was able to hunt a rare bug in a private program | Abida Fahd | – | Lack of authentication, Privilege escalation | – | 11/18/2019 |
| My First Bug ($500) | Abhishek Yadav (@abhishake100) | – | No valid SPF records | $500 | 11/18/2019 |
| Bypassing the patch for my previous Instagram bug. | Baibhav Anand (@iBaibhavJha) | Facebook | Authorization flaw, Logic flaw | – | 11/18/2019 |
| Privilege Escalation with simple recon | Mayur Gupta (@RisingHunter_) | – | Privilege Escalation, Blind XSS | – | 11/16/2019 |
| LDAP Admin Account Bypassed 🙂 | Himanshu Pdy (@himanshu_pdy_01) | – | LDAP injection, Authentication bypass | – | 11/16/2019 |
| View the ranked messenger users for any page | Philippe Harewood (@phwd) | Facebook | Information disclosure, Authorization flaw | – | 11/16/2019 |
| [Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN] | Muhammad Thomas Fadhila Yahya (@fadhilthomas) | Tokopedia | IDOR | $135 | 11/15/2019 |
| Authenticated CORS with Access-Control-Allow-Origin: * | BitK (@BitK_) | Chromium | Caching issue, Browser bug | $0 (won’t fix) | 11/15/2019 |
| Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE) | Daniel Marte (@DanielM59720745) | – | IDOR | – | 11/15/2019 |
| Taking over Facebook Page Tabs | Sagar Tanur (@Sagarvd01) | Facebook | Broken link hijacking | $0 (informative) | 11/14/2019 |
| [Server Side Request Forgery] Blind SSRF due to Sentry Misconfiguration | Kent Bayron (@bayronkentoy) | – | SSRF | $300 | 11/14/2019 |
| Command Injection Through BLH | Shankar R (@trapp3r_hat) | Facebook | Broken link hijacking | $0 (informative) | 11/14/2019 |
| Mass XS-Search using Cache Attack | terjanq (@terjanq) | Google | XS-Search | – | 11/12/2019 |
| How I accidentally took down GitHub Actions | Teddy Katz (@not_aardvark) | GitHub | Denial of Service, Commit Hash Collisions | $5,000 | 11/12/2019 |
| Bug Bounty: Broken API Authorization | Th3hidd3nmist (@th3_hidd3n_mist) | – | Authorization flaw | $440 | 11/12/2019 |
| How i Bought VPS, Hosting, Domain only $0.01 | Zerb0a | – | Payment tampering | $500 | 11/12/2019 |
| Keylogging users via Slack themes | Matt Langlois (@fletchto99) | Slack | CSS injection | $500 | 11/11/2019 |
| My First SSRF Using DNS Rebinding | Marek Geleta (@marek_geleta) | – | SSRF, DNS rebinding | – | 11/11/2019 |
| DOM-Based XSS \| Bug Bounty Writeup | HacknPentest (@HacknPentest) | – | DOM XSS | $100 | 11/10/2019 |
| BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! | Akash Agrawal (@akashmagrawal) | – | 2FA bypass, Lack of rate limiting | – | 11/08/2019 |
| How I Hacked Dutch Government in 5 Minutes? Twitter Account Takeover | Numan ÖZDEMİR (@numanozdemircom) | Dutch Government | Broken link hijacking | $0, Swag | 11/06/2019 |
| A simple post auth bypass leads to unauthorized web server access | Hein Thant Zin (@H3Lowr) | – | Default credentials | $750 | 11/08/2019 |
| Bypassing GitHub’s OAuth flow | Teddy Katz (@not_aardvark) | GitHub | OAuth flaw, Authorization bypass | $25,000 | 11/05/2019 |
| [bugbounty] A Simple SSRF | Jinone (@jinonehk) | – | SSRF, DNS Rebinding | – | 11/05/2019 |
| XSS will never die | Oleksandr Opanasiuk (@Lekssik2) | – | XSS | – | 11/02/2019 |
| Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty | Sam Curry (@samwcyo) | – | Null byte buffer overflow | $40,000 | 11/01/2019 |
| Live Video facebook application (Android) its not expired when log out the device on | Naufal Septiadi | Facebook | Logic flaw | $500 | 10/30/2019 |
| GraphQL introspection leads to sensitive data disclosure | Eshan Singh (@R0X4R) | – | Information disclosure | – | 10/30/2019 |
| 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!) | YoKo Kho (@YokoAcc) | Avast | Reflected XSS | $5,000 | 10/29/2019 |
| Cross Site Request Forgery Critical Exploitable IN Infected Site? | Hossam Mesbah | – | CSRF | – | 10/29/2019 |
| XSS to Account Takeover | Tomi (@noobe_io) | – | XSS, CSRF | – | 10/29/2019 |
| [Leak] Can I take the user information, please?!! | Mohamed Sayed (@FlEx0Geek) | – | Information disclosure | – | 10/29/2019 |
| How I hacked 50+ Companies in 6 hrs | Vignesh C (@pwn_r00t) | – | SSTI, RCE | – | 10/29/2019 |
| [Writeup — FB] Crash web — app through application form of job application pages | TienDat | Facebook | DoS | – | 10/28/2019 |
| Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO) | YoKo Kho (@YokoAcc) | Opera | RTLO | – | 10/26/2019 |
| How to Takover a ldap server. | Ashish Kunwar (@D0rkerDevil) | – | Exposed LDAP server | – | 10/25/2019 |
| Session Expiration Bypass in Facebook Creator App | Ajay Gautam (@evilboyajay) | Facebook | Session expiration bypass | $1,500 | 06/22/2019 |
| How I earned by finding confidential customer data including plain-text passwords! | Sushant Soni (@sushantsoni5392) | – | Directory listing, Information disclosure | – | 10/24/2019 |
| NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] | Nightwatch Cybersecurity (@nightwatchcyber) | Google | NFC | – | 10/24/2019 |
| (POC) Disclose members in any closed Facebook group | Ahmad Talahmeh | Facebook | Information disclosure | $3,000 | 10/22/2019 |
| [ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google ) | Danang Tri Atmaja (@danangtriatmj) | Google | Authentication flaw | – | 10/21/2019 |
| How PayPal helped me to generate XSS | Pflash Punk (@PflashPunk) | Paypal | Reflected XSS | $250 | 10/20/2019 |
| Escalating Privileges like a Pro | Gaurav Narwani (@gauravnarwani97) | – | Privilege escalation | – | 10/20/2019 |
| Hunting for bounties case study | 0xSha (@0xsha) | – | RCE, XSS, Logic flaw, Information disclosure | – | 10/20/2019 |
| [email protected] Disclosure via IDOR | Pratyush Anjan Sarangi | – | IDOR, Information disclosure | $750 | 10/18/2019 |
| 1-800-Flowers Credentials and message log leak via | Philippe Harewood (@phwd) | Facebook | AWS misconfiguration | – | 10/17/2019 |
| How I was able to bypass OTP code requirement in Razer [The story of a critical bug] | Ananda Dhakal (@dhakal_ananda) | Razer | OTP bypass | $1,000 | 10/16/2019 |
| How I found RCE But Got Duplicated | Smile Hacker | – | Unrestricted file upload, RCE | – | 10/15/2019 |
| [ Writeup — Bugbounty Facebook ] Disclosure the verified phone number in Checkpoint. | TienDat | Facebook | Information disclosure | $500 | 10/15/2019 |
| How I bypassed 2 Factor Authentication | Hemant Singh Manral | – | 2FA bypass | $250 | 10/15/2019 |
| An inconsistent CSRF | Smaran Chand (@smaranchand) | – | CSRF | $0 | 10/15/2019 |
| Finding SQL injections fast with white-box analysis — a recent bug example | frycos (@frycos) | Zoho | SQL injection | – | 10/13/2019 |
| Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. | Rohit kumar (@rohitcoder) | Facebook | Authorization flaw | – | 10/12/2019 |
| Bypass Uppercase filters like a PRO (XSS Advanced Methods) | MasterSEC (@MasterSEC_AR) | – | XSS | $1,000 | 10/11/2019 |
| How i Hacked BASF Company !! | Murtada Kamil | BASF | Lack of authentication | – | 10/10/2019 |
| EXIF Geolocation Data Not Stripped From Uploaded Images | Sourav Newatia (@souravnewatia) | – | Information disclosure | $500 | 10/09/2019 |
| How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores | Prateek Tiwari | Samsung | Information disclosure | – | 10/05/2019 |
| From Multiple IDORs leading to Code Execution on a different Host Container | Rahul (@Rahul_R95) | – | IDOR, RCE | – | 10/04/2019 |
| How I made 1000$ with AT&T Bug Bounty(H1) | Adesh Kolte (@AdeshKolte) | AT&T | CSRF, Account takeover | $1,000 | 10/02/2019 |
| REST framework Admin Panel bypass and how I recon for this vulnerability | Aziz Hakim (@hackerb0y_) | – | Authentication bypass | – | 10/02/2019 |
| GraphQL Introspection leads to Sensitive Data Disclosure. | Pranay Bafna | – | Information disclosure | – | 10/02/2019 |
| How to get RCE on AEM instance without Java knowledge | byq (@ByQwert) | – | RCE | $1,000 | 10/01/2019 |
| Stealing login credentials with Reflected XSS | mehulpanchal007 (@007_sharky) | – | Reflected XSS | $100 | 10/01/2019 |
| One Way to Find Hidden IDOR Vulnerability | Vulkey_Chen (@Vulkey_Chen) | – | IDOR | ¥3,000 (~ $28) | 10/01/2019 |
| Bug Hunting: Xss On Cookie Popup Warning | vict0ni (@vict0ni) | – | Reflected XSS | – | 09/30/2019 |
| Spear texting via parameter injection | Kyle (@B3nac) | – | Parameter tampering | $900 | 09/29/2019 |
| XSS Is Love <3 ! | Nirmal Dahal (@TheNittam) | – | XSS | – | 09/29/2019 |
| Stories Of IDOR | Shivbihari Pandey (@ninja_pandit_) | – | IDOR | – | 09/28/2019 |
| OnePlus Open/Unvalidated Redirects & Forwards | Mainak Sadhukhan | OnePlus | Open redirect | – | 09/26/2019 |
| Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure | Sam Curry (@samwcyo) | Atlassian | Path traversal | $11,000 | 09/25/2019 |
| Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD | YoKo Kho (@YoKoAcc) | Paypal | Information disclosure | $1,000 | 09/24/2019 |
| ONEPLUS XSS vulnerability in Customer Support Portal | Mainak Sadhukhan | OnePlus | XSS | – | 09/24/2019 |
| Fuzzing Till | Verneet (@err0rrrrr) | – | SSTI | – | 09/23/2019 |
| Broken Link Hijacking – s3 buckets | Tutorgeeks (@tutorgeeks) | Google | Broken link hijacking | – | 09/22/2019 |
| [Bug Bounty] Exploiting Cookie Based XSS by Finding RCE | Tomi (@noobe_io) | – | Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE, XSS | – | 09/22/2019 |
| [Case Study] OAuth Misconfiguration leads to Account Takeover | Gaurang Bhatnagar (@0xgaurang) | – | OAuth flaw, Account takeover | – | 09/21/2019 |
| Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public | Guhan Raja (@havocgwen) | Facebook | Privilege escalation | $500 | 09/21/2019 |
| A Simple bypass of Registration Activation that Lead to many Bug – | YoKo Kho (@YoKoAcc) | – | Information disclosure, IDOR, CSRF | – | 09/21/2019 |
| Bug or Feature? GitHub Adventure #001 | Dominik Opyd (@oad_earth) | – | OAuth flaw, Open redirect | $0 | 09/21/2019 |
| Stored XSS on Zendesk via Macro’s PART 2 | Hariharan.s (@DJHARIZ1) | Zendesk | Stored XSS | – | 09/20/2019 |
| IDOR in One plus leads to leak User personal Info. | Aditya Sharma (@Assass1nmarcos) | OnePlus | IDOR | $0, Swag | 09/20/2019 |
| How I able to Takeover 10 subdomains in a Private Program ? | Mohamed Haron (@m7mdharon) | – | Subdomain takeover | $500 | 09/20/2019 |
| Business ID leak via Creative Hub redirect | Philippe Harewood (@phwd) | Facebook | Open redirect | – | 09/20/2019 |
| Admin hijacked by Sea Surf Pirates | Gaurav Narwani (@gauravnarwani97) | Dolibarr | Stored XSS, CSRF, Account takeover | – | 09/19/2019 |
| SSRF \| Reading Local Files from DownNotifier server | Dr.FarFar (@3XS0) | – | SSRF | – | 09/18/2019 |
| RCE with Flask Jinja Template Injection | AkShAy KaTkAr (@AkShAy KaTkAr) | – | SSTI, RCE | – | 09/17/2019 |
| Client, not client! | Tung Pun | – | LFI | $1,000 | 09/15/2019 |
| Google Referer Leak Bug | Jayateertha Guruprasad (@JayateerthaG) | Google | Referer leakage, Information disclosure | – | 09/15/2019 |
| How I found a simple and weird Account takeover bug | Bijan Murmu (@0xBijan) | – | Account takeover, Lack of authentication | – | 09/14/2019 |
| OTP Manipulation | Kishan choudhary (@choudhary_1337) | – | OTP bypass | $300 | 09/14/2019 |
| Race Condition that could Result to RCE - (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3) | YoKo Kho (@YoKoAcc) | – | Race condition, RCE, Unrestricted file upload | – | 09/14/2019 |
| I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead | Anand Prakash (@sehacure) | Uber | Information disclosure | $6,500 | 09/13/2019 |
| How two dead accounts allowed remote crash of any instagram android user | Valerio brussani (@val_brux) | Facebook | DoS | – | 09/13/2019 |
| Unauthorized access to all user information leaks | C1h2e1 (@C1h2e11) | – | Information disclosure | – | 09/13/2019 |
| HTTP Request Smuggling CL.TE | memN0ps (@memN0ps) | – | HTTP request smuggling | – | 09/13/2019 |
| Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. | HackerOn2Wheels (@HackerOn2Wheels) | – | RCE, Unrestricted file upload | $3,000 | 09/13/2019 |
| Facebook employee internal tool and conversations leaked in Facebook video | Philippe Harewood (@phwd) | Facebook | Information disclosure | – | 09/12/2019 |
| How I could have hacked your Uber account | Anand Prakash (@sehacure) | Uber | Account takeover, IDOR | $6,500 | 09/12/2019 |
| How does my recon win $250 in 15 minutes | Hein Thant Zin (@H3Lowr) | – | Open redirect | $250 | 09/12/2019 |
| Add users to roles on Facebook pages without an invitation consent | Philippe Harewood (@phwd) | Facebook | Authorization flaw | – | 09/12/2019 |
| Pwn Them All #BugBounty | Bilal Khan (@bilalmerokhel) | – | Host header injection, Password reset flaw | – | 09/11/2019 |
| Subscribe to the list of requesters to join a Facebook live video using MQTT | Philippe Harewood (@phwd) | Facebook | Authorization flaw | – | 09/10/2019 |
| H1-4420: From Quiz to Admin – Chaining Two 0-Days to Compromise An Uber WordPress | Julien Ahrens (@MrTuxracer) | Uber | Stored XSS, SQL injection | – | 09/10/2019 |
| Telegram addresses another privacy issue | Dhiraj (@RandomDhiraj) | Telegram | Logic flaw, Privacy issue | €2,500 | 09/09/2019 |
| Accessing 2 million Verizon Pay Monthly contracts | Daley Bee (@daley) | Verizon | Information disclosure, Authentication bypass, IDOR | – | 09/09/2019 |
| Oculus identity verification bypass through brute-force | karthik kumar reddy (@karthiksunny007) | Facebook | OTP bypass, Lack of rate limiting | $750 | 09/09/2019 |
| XSS in Zoho Mail | Anas Mahmood (@AnasIsHere) | Zoho Mail | XSS | $200 | 09/08/2019 |
| Exploiting JSONP and Bypassing Referer Check | Osama Avvan (@osamaavvan) | – | Information disclosure, JSONP flaw | – | 09/07/2019 |
| Write up of two HTTP Requests Smuggling | C1h2e1 (@C1h2e11) | – | HTTP request smuggling | – | 09/07/2019 |
| Finding Gem in Someone’s Report: Instant $500USD at HackerOne Platform | Hisoka Morou | – | Information disclosure | $500 | 09/07/2019 |
| DOM Based XSS in Private Program | Mohamed Haron (@m7mdharon) | – | DOM XSS | $500 | 09/05/2019 |
| Account Takeover | Ankush Goel (@0xankush) | – | Password reset flaw | $0 | 09/05/2019 |
| Exposed Jenkins to RCE on 8 Adobe Experience Managers | Corben Leo (@hacker_) | – | RCE | – | 09/04/2019 |
| Add new user with Admin permission and takeover the organization | Tarek Mohamed (@Conan0x3) | – | Authorization flaw, Privilege escalation | – | 09/04/2019 |
| RCE using Path Traversal | inc0gbyt3 (@incogbyte) | – | RCE, Path traversal | – | 09/02/2019 |
| HTML to PDF converter bug leads to RCE in Facebook server | Samm0uda (@samm0uda) | Facebook | RCE | $1,000 | 09/02/2019 |
| Google Cloud Blog platform vulnerability | Alexandru Coltuneac (@dekeeu) | Google | XSS | – | 09/01/2019 |
| Graphql Bug to Steal Anyone’s Address | Pratik Yadav (@PratikY9967) | – | Information disclosure | – | 09/01/2019 |
| My First LFI | Tirtha Mandal (@tirtha_mandal) | – | LFI | $1,000 | 08/31/2019 |
| Shodan is your friend!!! If you ignore him you will lose many… | Vijaysimha Reddy Bathini (@fatratfatrat) | – | SQL injection, Authentication bypass | – | 08/28/2019 |
| How to look for JS files Vulnerability for fun and profit? | Yeasir Arafat | – | Information disclosure | – | 08/27/2019 |
| Private bug bounty $ USD: “RCE as root on Marathon-Mesos instance” | @omespino | – | RCE | – | 08/27/2019 |
| How I Hacked Instagram Again | Laxman Muthiyah (@LaxmanMuthiyah) | Facebook | Password reset flaw, Account takeover | $10,000 | 08/26/2019 |
| Bug Bounty: Bypassing a crappy WAF to exploit a blind SQL injection | Robin Verton (@robinverton) | – | Blind SQL injection | – | 08/25/2019 |
| Create living room polls as a Facebook page analyst | Philippe Harewood (@phwd) | Facebook | Authorization flaw | $5,000 | 08/24/2019 |
| From Github Recon To Account Takeover | Dipak kumar Das (@d1pakdas) | – | Information disclosure, Account takeover | – | 08/24/2019 |
| Cookie worth a fortune | Gaurav Narwani (@gauravnarwani97) | – | Reflected XSS | – | 08/23/2019 |
| One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse | Lorenzo Stella (@lorenzostella) | 1Password, Keeper, Dashlane | Information disclosure, Content leak | – | 08/22/2019 |
| Rights Manager Graph API Disclosure of business employee to non business employee | Jafar Abo Nada (@Jafar_Abo_Nada) | Facebook | Information disclosure | – | 08/22/2019 |
| Instagram account is reactivated without entering 2FA ($500) | Aman Shahid (@amansmughal) | Facebook | 2FA bypass, Authentication flaw | $500 | 08/21/2019 |
| Sending Message as page being an analyst/ advertiser? | Baibhav Anand (@iBaibhavJha) | Facebook | Authorization flaw | $0 | 08/21/2019 |
| How I made my first $$$ from finding a bug in Facebook | Aayush Pokhrel (@aayushpok) | Facebook | Authorization flaw | – | 08/21/2019 |
| How I upgraded my privileges to the administrator of Odnoklassniki’s url shortener | Sergey Kashatov (@iframe0x01) | – | Privilege escalation | $500 | 08/20/2019 |
| Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device | Arvind | Facebook | Authorization flaw | – | 08/19/2019 |
| U.S. Department of Defense – Info Disclosure and SQLi Writeup | Aaron Esau (@arinerron) | U.S. Dept Of Defense | Information disclosure, SQL injection | – | 08/19/2019 |
| Removing profile pictures for any Facebook user | Philippe Harewood (@phwd) | Facebook | IDOR | $2,500 | 08/19/2019 |
| How I was able to earn 1000$ with just 10 minutes of bug bounty? | Ninad Mathpati (@ninad_mathpati) | – | Password reset flaw | $1,000 | 08/17/2019 |
| ByPassing fix of Domain Blocking feature in Business Manager | Rohit kumar (@rohitcoder) | Facebook | Authorization flaw, Logic flaw | – | 08/15/2019 |
| Facebook Messenger exposing deleted messages using [Remove for Everyone] | Renwa | Facebook | Logic flaw | – | 08/15/2019 |
| BookMyShow account takeover using social login | Sukhmeet Singh (@MadGuyyy) | BookMyShow | OAuth flaw, Account takeover | ₹2,000 (~ $28) | 08/15/2019 |
| [Business Logic] Bypassing Nickname Feature | Kent Bayron (@bayronkentoy) | – | Logic flaw | $50 | 08/14/2019 |
| [Business Logic Bug] Bypassing Nickname Feature | Kent Bayron / kntx (@bayronkentoy) | – | Logic flaw | $50 | 08/14/2019 |
| BugBounty WriteUp — take attention and get Stored XSS | Oleksandr Opanasiuk (@Lekssik2) | – | Stored XSS | – | 08/14/2019 |
| How I XSSed Admin Account | Gaurav Narwani (@gauravnarwani97) | – | Stored XSS, Account takeover | – | 08/13/2019 |
| SSRF Vulnerability in https://app.[REDACTED].com | Evan Ricafort (@evanricafort) | – | SSRF | $0 (Duplicate) | 08/13/2019 |
| Reporting – Amazon 1 click device XSS | Sneakerhax (@sneakerhax) | Amazon | XSS | – | 08/12/2019 |
| Clickjacking DOM XSS on | Thomas Orlita (@ThomasOrlita) | Google | Clickjacking, DOM XSS | – | 08/12/2019 |
| Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up) | Evan Ricafort (@evanricafort) | – | DoS | $300 | 08/10/2019 |
| Two Easy RCE in Atlassian Products | Valeriy Shevchenko | Atlassian | RCE | – | 08/09/2019 |
| Read other user support tickets in (Write Up) | Evan Ricafort (@evanricafort) | – | IDOR | $120 | 08/09/2019 |
| Privilege Escalation using Api endpoint | Ronak Patel (@ronak_9889) | – | Privilege Escalation | – | 08/09/2019 |
| Writing my Medium blog to complete account takeover | Rotem Reiss (@rotem_reiss) | Medium | Stored XSS, Account takeover | $1,000 | 08/09/2019 |
| Exploiting Out Of Band XXE using internal network and php wrappers | Mahmoud Gamal (@Zombiehelp54) | – | XXE | – | 08/06/2019 |
| BugBounty WriteUp — Creative thinking is our everything (Race Condition + Business Logic Error) | Oleksandr Opanasiuk (@Lekssik2) | – | Race condition, Logic flaw | – | 08/05/2019 |
| Stored XSS on | rizal (@sayadarijawa) | – | Stored XSS | – | 08/05/2019 |
| Vulnerability in Hangouts Chat: from open redirect to code execution | VulnerabilityLabs | Google | Open redirect, RCE | $7,500 | 08/04/2019 |
| Leveraging AngularJS-based XSS to Privilege Escalation | Shawar Khan (@ShawarkOFFICIAL) | – | XSS, Privilege escalation | – | 08/04/2019 |
| How I Found XSS By Searching In Shodan | D1vy4n5hu 5hukl4 (@justm0rph3u5) | – | Reflected XSS | – | 08/04/2019 |
| No Rate limiting eligible for bounty ? | Smaran Chand (@smaranchand) | – | Lack of rate limiting | – | 08/03/2019 |
| From Sub domain Takeover to Open-Redirect | Anil Tom (mr_4nk) | – | Subdomain takeover, Open redirect | $150 | 08/02/2019 |
| One Misconfig (JIRA) to Leak Them All- Including NASA and Hundreds of Fortune 500 Companies! | Avinash Jain (@logicbomb_1) | – | Information disclosure | – | 08/02/2019 |
| Bypassing CORS | VulnerabilityLabs | – | CORS misconfiguration | – | 08/01/2019 |
| Complete information disclosure using Broken Access Control | Bhavesh Thakur (@Bhavesh_Thakur_) | – | Information disclosure, Authorization flaw | $100 | 08/01/2019 |
| Download predictions details of ads plans of any business. | Samm0uda (@samm0uda) | Facebook | IDOR | – | 08/01/2019 |
| Internal path disclosure in Instagram server | Samm0uda (@samm0uda) | Facebook | Internal path disclosure, Information disclosure | – | 08/01/2019 |
| Access portal of Facebook mobile retailers and see earnings and referrals reports. | Samm0uda (@samm0uda) | Facebook | IDOR, Authorization flaw | $500 | 08/01/2019 |
| View orders and financial reports lists for any page shop. | Samm0uda (@samm0uda) | Facebook | Authorization flaw | $500 | 08/01/2019 |
| Bypassing CORS | Saad Ahmed (@XSaadAhmedX) | – | CORS misconfiguration | – | 08/01/2019 |
| RCE in Ruby using Mustache Templates | Rhys Elsmore (@rhyselsmore) | – | RCE | – | 08/01/2019 |
| Reposted [2017]: LinkedIn Hacker’s Experience | Alexandru Coltuneac (@dekeeu) | LinkedIn | Stored XSS | – | 07/30/2019 |
| Reposted [2019]: Hacking YouTube for #fun and #profit | Alexandru Coltuneac (@dekeeu) | Google | Authorization flaw | – | 07/30/2019 |
| Paypal bug $10K – All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts | Mohd haji (@mohdhaji24) | Paypal | IDOR | $10,500 | 07/30/2019 |
| SQL Injection in | Mohamed Haron (@m7mdharon) | – | SQL injection | $0 (Out of scope) | 07/30/2019 |
| 1st Bounty Story \| Rewarded 300$ (IDOR) | Md Hridoy | – | IDOR | $300 | 07/29/2019 |
| Story of an IDOR via Email | Shuaib Oladigbolu (@_sawzeeyy) | – | IDOR | – | 07/29/2019 |
| Old GitHub Profile Takeover! | Mohamed Haron (@m7mdharon) | – | Github account takeover | $1,000 | 07/28/2019 |
| Chaining Cache Poisoning To Stored XSS | Rohan aggarwal (@nahoragg) | – | Web cache poisoning, Stored XSS | – | 07/28/2019 |
| Solr Injection by abusing Local Parameters on | Ronak Patel (@ronak_9889) | Zomato | Solr Injection | $700 | 07/27/2019 |
| Story about Facebook Oauth Account Takeover | Zerb0a | iLOTTE | Account takeover, OAuth flaw | IDR 2.000.000 (~ $150) | 07/26/2019 |
| Facebook BugBounty: Tale of an Instagram bug disclosing user’s phone number via checkpoint | Bijan Murmu (@0xBijan) | Facebook | Information disclosure | – | 07/26/2019 |
| Full Account Takeover via Changing Email And Password of any User through API Parameters | Adesh Kolte (@AdeshKolte) | – | IDOR, Password reset flaw, Account takeover | – | 07/26/2019 |
| Price Parameter Tampering On Bukalapak | Apapedulimu (@LocalHost31337) | Bukalapak | Parameter tampering | $150 | 07/24/2019 |
| How I found the most critical bug in live bug bounty event? | Lakshay (@inn0c3ntd3v1L) | – | Password reset flaw, Account takeover | – | 07/24/2019 |
| XSS to RCE in … | Hungry Bytes (@hungrybytes) | Github | XSS, RCE | – | 07/24/2019 |
| Disclose any main and 3rd party contributors email address and movie local path thru XML file in Plex TV – (Write Up) | Evan Ricafort (@evanricafort) | Plex TV | Information disclosure, Path disclosure | $0 | 07/24/2019 |
| XX to XXX in one day | Baibhav Anand (@iBaibhavJha) | WePay, [Private program] | Account takeover, Parameter tampering | – | 07/23/2019 |
| Pwning child company to get access to ParentCompany’s Slack Team | Parth Malhotra (@Parth_Malhotra) | – | SQL injection, Default credentials | – | 07/23/2019 |
| XSS On Twitter [Worth 1120$] | Bywalks (@bywalkss) | – | XSS | $1,120 | 07/22/2019 |
| Reflected XSS in | Sukhmeet Singh (@MadGuyyy) | Ebay | Reflected XSS | $0, HoF | 07/22/2019 |
| Subscribe to typing notifications for any Instagram user | Philippe Harewood (@phwd) | Facebook | Authorization flaw | $5,750 | 07/21/2019 |
| Not a fancy bug, just HTML Injection in Clause – (Write Up) | Evan Ricafort (@evanricafort) | Clause | HTML injection | $250 | 07/21/2019 |
| Shopping Products For Free- Parameter Tampering Vulnerability | D1vy4n5hu 5hukl4 (@justm0rph3u5) | – | Parameter tampering, Payment tampering | – | 07/21/2019 |
| Exploiting a Tricky Blind SQL Injection inside LIMIT clause | Rahul Maini | – | SQL injection | – | 07/21/2019 |
| Get Page Inbox notifications for any Facebook page | Philippe Harewood (@phwd) | Facebook | Authorization flaw, Information disclosure | – | 07/20/2019 |
| Microsoft ID Open Redirect | Burninator Sec | Microsoft | Open redirect | $0 | 07/19/2019 |
| Microsoft Office 365 – Outlook XSS | Abdulrahman Al-Qabandi (@Qab) | Microsoft | XSS | – | 07/19/2019 |
| SQL Injection in Forget Password Function | Khaled Gaber | – | SQL injection | – | 07/18/2019 |
| How to lock a GitHub user out of their repos (bug or feature?) | Teserakt AG | Github | DoS | $0 (Feature) | 07/18/2019 |
| Cookie-based XSS exploitation \| $2300 Bug Bounty story | Max (@iSecMax) | – | XSS | $2,300 | 07/17/2019 |
| Account Takeover Vulnerability 🙂 | Sumit Jain (@sumit_cfe) | – | Password reset flaw, Account takeover | – | 07/17/2019 |
| How Recon helped me to find a Facebook domain takeover | Sudhanshu Rajbhar (@sudhanshur705) | Facebook | Subdomain takeover | $500 | 07/17/2019 |
| Facebook Informative Bug From Triaged | Circle Ninja (@circleninja) | Facebook | Lack of rate limiting | $0 | 07/17/2019 |
| CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook | Lokesh Kumar (@lokeshdlk77) | Facebook | CSRF | $3,000 | 07/16/2019 |
| Bypass CSRF With ClickJacking Worth $1250 | Injector Pca / SaadAhmed (@XSaadAhmedX) | – | CSRF, Clickjacking | $1,250 | 07/16/2019 |
| What do Netcat, SMTP and self XSS have in common? Stored XSS | Plenum (@plenumlab) | – | Stored XSS | – | 07/16/2019 |
| How I Could Get The Instagram Username of Anyone on Tinder | Shahar Albeck | Tinder | Information disclosure | – | 07/16/2019 |
| The Bugs Are Out There, Hiding in Plain Sight | A Bug’z Life (@abugzlife1) | – | IDOR, SSRF, Information disclosure, CORS misconfiguration | $9,000 | 07/15/2019 |
| 500$ bounty: Man in the Middle on Slack | Wiard van Rij / Sysrant (@RijWiard) | Slack | MiTM | $500 | 07/15/2019 |
| Facebook Bug : Sending messages as a page with jobmanager permission | Devansh batham (@devanshwolf) | Facebook | Authorization flaw, Privilege escalation | $0 (Duplicate) | 07/15/2019 |
| [TOKOPEDIA] Site-wide CSRF through GraphQL request | Rafie Muhammad (@rafiem777) | Tokopedia | CSRF | – | 07/15/2019 |
| How I Could Have Hacked Any Instagram Account | Laxman Muthiyah (@LaxmanMuthiyah) | Facebook | Race condition, Rate limiting bypass | $30,000 | 07/14/2019 |
| Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program | Sam Curry (@samwcyo) | Tesla | Blind XSS | $10,000 | 07/14/2019 |
| Hacking into Tinder’s Premium Model | Sanskar Jethi (@sansyrox) | Tinder | Authorization flaw | $0 | 07/14/2019 |
| Account takeover on Airbnb acquisition \| An Unusual Bug Part-2 | PRince CHaddha (@princechaddha) | Airbnb | IDOR, Account takeover | Swag | 07/13/2019 |
| Facebook Bug bounty page admin disclose bug {Facebook Android app} | Yusuf Furkan (@h1_yusuf) | Facebook | Information disclosure | $500 | 07/12/2019 |
| XSS on Google Custom Search Engine | KL Sreeram (@kl_sree) | Google | XSS | – | 07/11/2019 |
| Story of my Biggest Bounty ever : Command Execution on Jenkin | Jay Jani (@JayJani007) | – | RCE | $8,000 | 07/11/2019 |
| SQL Injection Bug Bounty POC! | Arif-ITSEC111 | – | SQL injection | €5,000 | 07/11/2019 |
| Tale of account takeover — Sensitive info Disclosure + Broken Access Control | Md Saqib (@sakyb7) | – | IDOR, Account takeover | $2,650 | 07/10/2019 |
| OAuth authentication bypass on Airbnb acquisition using 1-char Open Redirect | Evgeniy Yakovchuk (@h1_sp1d3r) | Airbnb | Open redirect, OAuth token theft, Account takeover | – | 07/10/2019 |
| A malicious editor of a page can support to a community action which can’t be unsupported by the admin! | mAshraf | Facebook | Authorization flaw | – | 07/09/2019 |
| Information Disclosure via Misconfigured AWS to AWS Bucket Takeover | Pratyush Anjan Sarangi | – | AWS flaw | – | 07/08/2019 |
| Cleartext password in LocalStorage (Writeup) | ruv lol | – | Violation of secure design principles | $1,500 | 07/07/2019 |
| Blind (time-based) SQLi – Bug Bounty | Jspin | – | SQL injection | – | 07/05/2019 |
| This is how I managed to win $2000 through Facebook Bug Bounty | Saugat Pokharel | Facebook | Logic flaw | $2,000 | 07/04/2019 |
| Facebook Vulnerability: Unremovable Co-Host in facebook page events | Ritish Kumar Singh | Facebook | Logic flaw, DoS | $500 | 07/04/2019 |
| Account Takeover Using CSRF(json-based) | shub rathore (@shub66452) | – | CSRF, Account takeover | $1,000 | 07/04/2019 |
| Story of a stored xss to full account takeover vulnerability(N/A to accepted) | Jatin Aesthetic (@techyfreakk) | – | Stored XSS | – | 07/04/2019 |
| Finding hidden gems vol. 4: Rakefile a.k.a. how to get AWS keys again | Mateusz Olejarka | – | Information disclosure, Github leak | – | 07/03/2019 |

Yeah!
I got P2 in 1 minute – Stored XSS via Markdown Editor Schopath – Stored XSS – 07/02/2019 Injecting {{6*200}} to $1200 Gaurav Narwani (@gauravnarwani97) – SSTI $1,200 07/02/2019 Another Download Protection Bypass in Google Chrome – BIN files in Mac OS Nightwatch Cybersecurity (@nightwatchcyber) Google Browser flaw $1,000 07/02/2019 How I escalated RFI into LFI Hassan Khan Yusufzai (@Splint3r7) – RFI, LFI – 07/01/2019 Accidental IDOR Injector Pca / SaadAhmed (@XSaadAhmedX) – IDOR – 07/01/2019 Stored XSS on Indeed Tirtha Mandal (@tirtha_mandal) Indeed Stored XSS $1,500 06/30/2019 One more Parameter manipulation bug (🤑) Kanchan Singh Yadav (@KanchanSingh0) – Parameter tampering – 06/28/2019 Facebook BugBounty : Short story on Page admin disclosure Bijan Murmu (@0xBijan) Facebook Authorization flaw, Privilege escalation – 06/28/2019 Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution Reegun J (@reegun21) Microsoft RCE – 06/28/2019 Gain adfly SMTP access with SSRF via Gopher Protocol Zerb0a SSRF – 05/27/2019 View Facebook payouts for any Facebook Trivia Game Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 05/27/2019 1-Click Account Takeover in — a Nice Case Study Yasho (@YShahinzadeh) Virgool Account takeover, Open redirect – 06/27/2019 CORS To CSRF Attack Osama Avvan (@osamaavvan) – CORS misconfiguration, CSRF – 06/27/2019 Toggle Group Rules Agreement as a non-member Philippe Harewood (@phwd) Facebook Authorization flaw – 06/26/2019 Sensitive Information Disclosure: Web Cache Deception Attack Wasim Shaikh (@Wa_sim_sim) Intuit Information disclosure $0, HoF 06/26/2019 Download .arexport files for any public AR Studio Effect Philippe Harewood (@phwd) Facebook IDOR – 06/24/2019 CSV injection at Comment Section. 
Navneet (@na5n33t) – CSV injection $0 (VDP) 06/24/2019 Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference) Muhammad Asim Shahzad – Password reset flaw, IDOR, Account takeover $1,200 06/22/2019 Page Admin Disclosure | Facebook Bug Bounty 2019 Ajay Gautam (@evilboyajay) Facebook Authorization flaw $1,000 06/22/2019 How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105 Bryan Appleby (@bryapp) Microsoft XSS – 06/21/2019 Catching support emails from my internet service provider Sander Lentink T-Mobile Email account takeover $0 (VDP), Swag 06/21/2019 $1800 worth Clickjacking Osama Avvan (@osamaavvan) – Clickjacking $1,800 06/21/2019 About a Sucuri RCE…and How Not to Handle Bug Bounty Reports Julien Ahrens (@MrTuxracer) Sucuri RCE $750 06/22/2019 IDOR: Payment Fraud Vibhurushi Chotaliya (@Vibhurushi) – IDOR, Payment tampering – 06/20/2019 Self XSS To Evil XSS Injector Pca / SaadAhmed (@XSaadAhmedX) – XSS $0 06/20/2019 A Fight For Duplicate Marked Bug: Story of BBC Hall Of Fame Wasim Shaikh (@Wa_sim_sim) BBC XSS $0 (HoF) 06/20/2019 How a classical XSS can lead to persistent ATO Vulnerability? Milind Purswani (@MilindPurswani) & Yash Sodha (@y_sodha) – XSS, Account takeover – 06/19/2019 Facebook Vulnerability: Unremovable Co-Host in facebook group events Ritish Kumar Singh Facebook Logic flaw $500 06/19/2019 Account Takeover with Clickjacking Osama Avvan (@osamaavvan) – Clickjacking – 06/19/2019 XSS Filter Evasion m0z (@LooseSecurity) – XSS – 06/17/2019 Business user Employees could have applied block list to all ad accounts listed in the business manager. 
Rohit kumar (@rohitcoder) Facebook Authorization flaw, Logic flaw $500 06/17/2019 Reflected XSS in Tokopedia Train Ticket Jon Bottarini (@jon_bottarini) New Relic Reflected XSS IDR 3.000.000 (~ $212) 06/17/2019 Using Burp Suite match and replace settings to escalate your user privileges and find hidden features Jon Bottarini (@jon_bottarini) New Relic Client-side enforcement of server-side security $500 06/17/2019 Parameter Pollution issue in API resulting $XXX Smaran Chand (@smaranchand) – Parameter pollution – 06/17/2019 SQl Injection Injector Pca / SaadAhmed (@XSaadAhmedX) – SQl Injection $500 06/17/2019 Bypassing XSS filter and Stealing User Payment Data Osama Avvan (@osamaavvan) – XSS $0 (Duplicate) 06/17/2019 Password Bypass and Something Else… Vibhurushi Chotaliya (@Vibhurushi) – Authentication bypass $600 06/16/2019 How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration? Muhammad Asim Shahzad Dropbox AWS flaw $1,500 06/16/2019 Account Takeover Worth $900 Injector Pca / SaadAhmed (@XSaadAhmedX) – Account takeover, CSRF $900 06/16/2019 Stealing Cookies to Login in any Account Osama Avvan (@osamaavvan) – Cookie theft $900 06/16/2019 Bug Bounty – Information Disclosure through error message + WAF Bypass led to Local File Inclusion Λявєη (@spenkkkkk) & Çlirim Emini (@0xcela) – WAF bypass, LFI, Information disclosure – 06/15/2019 Complete Web Server Access Injector Pca / SaadAhmed (@XSaadAhmedX) – Unrestricted file upload, RCE $500 06/15/2019 Fullscreen API Attack’s Revisited and the FaceBook NA Story Circle Ninja (@circleninja) Facebook Fullscreen API Attack $0 (N/A) 06/15/2019 XSSing Google Employees — Blind XSS on Thomas Orlita (@ThomasOrlita) Google Blind XSS – 06/15/2019 Admin Account total Information Disclosure Nishant Saurav (@inishantsinha) – Source code disclosure, Information disclosure $200 06/15/2019 IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) – IDOR $500 06/14/2019 How spending our Saturday hacking earned us 
20k Matti Bijnens (@MattiBijnens) – IDOR $20,000 06/14/2019 IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) – IDOR – 06/14/2019 Chaining Improper Authorization To Race Condition To Harvest Credit Card Details : A Bug Bounty Story Mandeep Jadon (@1337tr0lls) – Authorization flaw, Race condition – 06/13/2019 Redstrom Denial Of Service — Write Up Zerb0a – DoS $0, Swag 06/12/2019 Reflected XSS on Error Page Tomi (@noobe_io) – Reflected XSS – 06/11/2019 Facebook Vulnerability: Non-unfriendable user in /hacked workflow Ritish Kumar Singh Facebook Logic flaw $1,500 06/11/2019 Account takeover using IDOR and the misleading case of error 403. Plenum (@plenumlab) – IDOR – 06/11/2019 IDOR Leads To Project Takeover Hariharan.s (@DJHARIZ1) – IDOR – 06/09/2019 Don’t underestimates the Errors They can provide good $$$ Bounty! Aditya Sharma (@Assass1nmarcos) Mamba Information disclosure, Path disclosure $200 06/07/2019 How I was able to get private ticket response panel and FortiGate web panel via blind XSS Bijan Murmu (@0xBijan) – Blind XSS $1,250 06/06/2019 Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) Nikhil Mittal (@c0d3G33k) Microsoft Browser bug $15,000 06/06/2019 Unicode vs WAF — XSS WAF Bypass Prial Islam Khan (@prial261) – XSS – 06/05/2019 Bypassing CSP with policy injection Gareth Heyes (@garethheyes) Paypal CSP bypass $900 06/05/2019 REMOTE CODE EXECUTION ! 
Recon Wins Vishnuraj KV – RCE – 06/04/2019 Chaining multiple low-impact bugs to arbitrary file read in GitLab Li Rongxi (@nyan_gawa) GitLab Directory traversal – 06/04/2019 Simple PathTraversal bypass fr0stNuLL – Path traversal – 06/03/2019 Missing access control at play store Vishwaraj Bhattrai (@vishwaraj101) Google Authorization flaw – 06/03/2019 The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise Avinash Jain (@logicbomb_1) – RFI, SSRF – 06/02/2019 Story of a uri based xss with some simple google dorking Jatin Aesthetic (@techyfreakk) – XSS – 06/02/2019 Edmodo Account Deactivation Vulnerability Shankar R Edmodo CORS misconfiguration $0 06/01/2019 My First CSRF to Account Takeover worth $750 Nishant Saurav (@inishantsinha) – CSRF, Account takeover $750 05/30/2019 Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty HackerOn2Wheels (@HackerOn2Wheels) – Stored XSS, MIME sniffing – 05/30/2019 Stored XSS on Edmodo Rohit Verma (@rv0x00) Edmodo Stored XSS – 05/28/2019 Source Code disclose Vulnerability Mohamed R. Serwah (@mohamedrserwah) – Source code disclosure – 05/27/2019 An unexploited CORS misconfiguration reflecting further issues. Smaran Chand (@smaranchand) – CORS misconfiguration – 05/27/2019 How did I bypass a Custom Brute Force protection and why that solution is not a good idea? dortz – Bruteforce, Authentication flaw – 05/25/2019 Disclose files content from Facebook internal CDNs Samm0uda (@samm0uda) Facebook Weak encryption $12,500 05/25/2019 Archived content Google bug bounty: LFI on production servers in “” — $13,337 USD VulnerabilityLabs Google LFI $13,337 05/24/2019 Multiple API issues due to Fixed Authorization token. 
Mustafa Khan (@by6153) – Authorization flaw – 05/24/2019 From file upload to email:pass fr0stNuLL – Unrestricted file upload – 05/24/2019 Security assessment on the staging domains Tutorgeeks (@tutorgeeks) – Lack of authentication – 05/24/2019 Instagram GitHub Token with public_scope found In Travis CI Build Logs Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 05/24/2019 How I acquired $XXX bounty by investing 99 cents Smaran Chand (@smaranchand) – Logic flaw – 05/24/2019 Escalating subdomain takeovers to steal cookies by abusing document.domain Ameya (@iamTakeMyHand) Postmates Subdomain takeover – 05/23/2019 Determine a Facebook user from an email address Philippe Harewood (@phwd) Facebook Information disclosure $1,000 05/22/2019 Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts Family guy Google Privilege escalation, Authorization flaw – 05/21/2019 Local File Inclusion in Jafar Abo Nada (@Jafar_Abo_Nada) Google LFI $3,133.7 05/21/2019 Leaking OpenID tokens with “ — the bug right infront of you Zseano (@zseano) – OpenID flaw – 05/21/2019 WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “” – $13,337 USD @omespino Google LFI $13,337 05/21/2019 Open-redirect to Account Takeover. Rishabh (@__cypher__) – Open redirect, Account takeover – 05/19/2019 A base64 encoded parameter. 
Navneet (@na5n33t) – HTML injection $75 05/19/2019 XSSed my way to 1000$ Gaurav Narwani (@gauravnarwani97) – XSS $1,100 05/17/2019 Stealing Downloads from Slack Users David Wells Slack CSRF – 05/17/2019 Bypassing Instagram’s stories restriction Baibhav Anand (@iBaibhavJha) Facebook Logic flaw $500 05/17/2019 ‘Try-Harder’ for XSS Frans Hendrik Botes (@initroott) – Reflected XSS – 05/17/2019 From parameter pollution to XSS Mo’men Basel – Parameter pollution, XSS – 05/16/2019 You do not need to run 80 reconnaissance tools to get access to user accounts Stefano Vettorazzi (@stefanohablando) – Open redirect – 05/15/2019 Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties] Komodo Security Google Stored XSS, MIME sniffing – 05/15/2019 Think Outside the Scope: Advanced CORS Exploitation Techniques Ayoub (@sandh0t) – CORS misconfiguration $1,500 05/14/2019 Stored XSS on Techprofile Microsoft Mohammad Ali Syarief Microsoft Stored XSS – 05/09/2019 BLIND SSRF in * due to Sentry Misconfiguration Oktavandi (@0ktavandi) Stripe Blind SSRF – 05/09/2019 4x CSRFs Chained For Company Account Takeover A Bug’z Life (@abugzlife1) – CSRF, Account takeover $3,000 05/08/2019 fake bug bounty Daniel Maksimovic SSRF, XSS $0 (150€ + 150€ platform credit promised but not delivered) 05/08/2019 SQL injection through User-Agent fr0stNuLL – SQL injection – 05/08/2019 Subdomain takeover [Awarded $200] Friendly (@SkeletorKeys) ownCloud Subdomain takeover $200 05/07/2019 Server Side Request Forgery(SSRF){port issue hidden approch } Deepak Holani (@w_hat_boy) – SSRF – 05/03/2019 Tale of a Wormable Twitter XSS @0xSobky Twitter XSS $2,940 05/02/2019 Why You Shouldn’t Use a Password Manager For Your Linode Account @0xSobky Linode Account takeover, Information disclosure – 05/02/2019 XSS attacks on Googlebot allow search index manipulation Tom Anthony (@TomAnthonySEO) Google Logic flaw – 05/01/2019 Remote code execution On Microsoft edge using URL Protocol Matt harr0ey (@harr0ey) 
Microsoft RCE $0 (N/A) 05/01/2019 From NA to $3000 : Facebook’s URL spoofing vulnerability Rahul Kankrale (@RahulKankrale) Facebook URL spoofing $3,000 04/30/2019 From Reflected XSS to Account Takeover — Showing XSS Impact A Bug’z Life (@abugzlife1) – Reflected XSS, Account takeover – 04/30/2019 Don’t Follow The Masses: Bug Hunting in JavaScript Engines Dimitri Fourny (@dimitrifourny) Google Buffer overflow $7,500 04/29/2019 Two-Factor Authentication Bypass Gaurav Narwani (@gauravnarwani97) – 2FA bypass – 04/29/2019 Broken Access: Posting to Google private groups through any user in the group Elber Andre (@Elber333) Google Autorization flaw $0 (N/A) 04/27/2019 Denial of Service using Cookie Bombing Ronak Patel (@ronak_9889) – DoS, Cookie bombing $350 04/26/2019 How to bypass a 2FA with a HTTP header Yumi – 2FA bypass – 04/26/2019 for PayPal security team,“get user balances and transaction details” is not a vulnerability! Todaro (@tod4ro) Paypal Information disclosure $0 (N/A) 04/26/2019 Missing Authorization check while deleting App Review for Marketing API Family guy Facebook Authorization flaw – 04/25/2019 Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) – Stored XSS, Account takeover $800 04/25/2019 The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! Avinash Jain (@logicbomb_1) – LFI, SSRF, Cloudflare bypass – 04/25/2019 CSRF Attack can lead to Stored XSS Mohamed Sayed (@FlEx0Geek) – CSRF, Stored XSS – 04/25/2019 A picture that steals data Sergey Kashatov (@iframe0x01) – Information disclosure – 04/24/2019 Getting access to Zendesk’s Google Cloud and Artifactory from GitHub dotfile repos Ruby Nealon (@_ruby) Zendesk Information disclosure $3,000 04/23/2019 Facebook’s Burglary Shopping List John Moss (@x41x41x41) Facebook Information disclosure $5,000 04/23/2019 The neglected bug that can infect All Facebook users who pay for leads ads. 
Hesham Watany Facebook CSV injection $0 (Out of scope) 04/23/2019 Yet Other Examples of Abusing CSRF in Logout Soroush Dalili (@irsdl) – CSRF – 04/23/2019 [XSS] Reflected XSS Bypass Filter Mohamed Sayed (@FlEx0Geek) – Reflected XSS – 04/23/2019 Disclose the content of internal Facebook Javascript modules. Samm0uda (@samm0uda) Facebook Authorization flaw – 04/22/2019 Archived content Ssrf to Read Local Files and Abusing the AWS metadata Pratik Yadav (@PratikY9967) – SSRF – 04/21/2019 [CONFIRMATION BYPASS ] Navneet (@na5n33t) – Email confirmation bypass, Information disclosure $0 (VDP) 04/21/2019 Twitter – protected tweets exposure terjanq (@terjanq) Twitter Information disclosure $560 04/19/2019 Responsible disclosure: improper access control in Gitlab private project. Riccardo Padovani (@rpadovani93) GitLab Authorization flaw $2,000 04/19/2019 Scary Tickets Uranium238 (@uraniumhacker) – Ticket Trick – 04/19/2019 PDFReacter SSRF to ROOT Level Local File Read which led to RCE Armaan Pathan (@armaancrockroax) – SSRF, RCE – 04/18/2019 Code execution – Evernote Dhiraj (@mishradhiraj_) Evernote RCE, Path traversal – 04/17/2019 How I was able to Bypass XSS Protection on HackerOne’s Private Program Security Executions Code BugHunter – XSS – 04/16/2019 Banner Grabbing to DoS and Memory Corruption Daniel V. 
– DoS<, Information disclosure – 04/16/2019 A $5000 IDOR… Mr.Hacker (@mr_hacker0007) – IDOR $5,000 04/16/2019 How i found credential enriched redis dump Ashish Kunwar (@D0rkerDevil) – File disclosure, Information disclosure $0 04/16/2019 Just 5 minute to get my 2nd stored XSS on ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS $0, Swag 04/15/2019 How I hacked Vending Machine Valeriy Shevchenko – Violation of secure design principles €300 gift card 04/15/2019 Google Groups Authorization Bypass Daniel Marad Google Authorization flaw $500 04/15/2019 The Outlook Winner is Dash marcan2020 (@marcan2020) Microsoft Authorization flaw $0 (N/A) 04/15/2019 How I gained access to revenue and traffic data of thousands of Shopify stores Ayoub Fathi (@ayoubfathi) Shopify IDOR $0 (Policy violation) 04/15/2019 Web Cache Deception to API endpoint attack using cached token header Kunal pandey (@kunalp94) – Web cache deception $250 04/13/2019 [RCE] Remote code execution at (CVE-2017-5638) Mohamed Haron (@m7mdharon) – RCE $2,250 04/12/2019 Unauthenticated Account Takeover Through HTTP Leak Nik srivastava (@niksthehacker) – HTML injection, HTTP Leak, Account takeover – 04/11/2019 Account Takeover by chaining two vulnerabilities. 
Sheraz Khalid – CSRF, Open redirect, Account takeover – 04/10/2019 Multiple xss in * & Multiple xss in * (2) Jayateertha Guruprasad (@JayateerthaG) Microsoft XSS $0, HoF 04/10/2019 Spokeo Bug bounty Experience Nur A Alam Dipu Spokeo XSS $0 (Can’t reproduce) 04/10/2019 Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652 Julien Ahrens (@MrTuxracer) Dropbox (Dell KACE vendor) RCE – 04/09/2019 SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central Elber Andre (@Elber333) Microsoft SSRF, XSPA – 04/09/2019 Obtaining XSS Using Moodle Features and Minor Bugs Daniel Thatcher Moodle Login CSRF, XSS $0 (VDP) 04/09/2019 XSS “403 forbidden” bypass (Akamai Security )write up Security Executions Code BugHunter – XSS – 04/08/2019 How I got a trip to amsterdam through bug bounty Ninad Mathpati (@ninad_mathpati) – Bruteforce – 04/07/2019 Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice Ron Chan (@ngalongc) Uber SSRF, Path traversal, Account takeover – 04/07/2019 Email content spoofing at Jonathan Bouman (@JonathanBouman) Ikea Email content spoofing $50 04/06/2019 Edmodo — IDOR to view private files of any class Rohan Pagey (@rohan_x3) Edmodo IDOR – 04/06/2019 Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers Armaan Pathan (@armaancrockroax) PortSwigger MiTM – 04/06/2019 Google Ads — Information Disclosure via null pointer exception Valerio brussani (@val_brux) Google Information disclosure – 04/04/2019 Handlebars template injection and RCE in a Shopify app Mahmoud Gamal (@Zombiehelp54) Shopify SSTI, RCE 10,000 04/04/2019 Leaked Salesforce API access token at Jonathan Bouman (@JonathanBouman) Ikea Information disclosure $250 04/04/2019 DownNotifier SSRF _m_q_t (@_m_q_t) DownNotifier SSRF – 04/04/2019 How I am able to hijack you. 
terjanq (@terjanq) Google Logic flaw – 04/03/2019 Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow Ritish Kumar Singh Facebook Logic flaw $1,000 04/02/2019 FileZilla Untrusted Search Path & FileZilla ‘fzsftp’ Untrusted Search Path Chris Lyne (@lynerc) FileZilla (EU-FOSSA 2) RCE – 04/02/2019 How I was able to get your facebook private friend list [Responsible Disclosure] Raja Sekar Durairaj Facebook Information disclosure $10,000 04/01/2019 EdM0d0 IDOR Vulnerabilities Pratyush Anjan Sarangi Edmodo IDOR $0, Swag 04/01/2019 Comma is forbidden! No worries!! Inject in insert/update queries without it Ahmed Sultan (@0x4148) – SQL injection $10,000 03/31/2019 Recon in 2 minutes and got $250 easy Cryptographer Snapchat Missing secure flag $250 03/31/2019 How I was able to turn self xss into reflected xss Hein Thant Zin (@H3Lowr) – Reflected XSS $300 03/31/2019 alert(“A tale of 3 XSS!”) Gaurav Narwani (@gauravnarwani97) – XSS – 03/29/2019 My very first bug: a dreaded dupe and then an IDOR jackpot! John H4X00R (@JohnH4X00R) Yahoo IDOR $5,000 03/28/2019 How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup) Yash Sodha (@y_sodha) Google CSRF $3,133.70 03/26/2019 An Unusual Bug on Braintree [PayPal] PRince CHaddha (@princechaddha) Paypal DoS $3,200 03/25/2019 Twitter Denial of Service bug or How i could prevent all followers from reading or accessing literally ANY tweets! 
Seif Elsallamy Twitter DoS $1,120 03/25/2019 Stored (XSS) on [] Security Executions Code BugHunter Google Stored XSS – 03/25/2019 Stored XSS in the guide’s GameplayVersion ( Security Executions Code BugHunter Dota 2 Stored XSS $750 03/25/2019 Self (XSS) on [] Security Executions Code BugHunter Bukalapak Self XSS $50 03/25/2019 Reflected (XSS)on [] Security Executions Code BugHunter Alibaba Reflected XSS – 03/25/2019 Self (XSS) on [] Komodo Security Google Authorization flaw $500 03/25/2019 Facebook Marketing Confidential Call Transcript Philippe Harewood (@phwd) Facebook Information disclosure $500 03/24/2019 Google Books X-Hacking terjanq (@terjanq) Google XS-Search $1,337 03/21/2019 How to hunt for Malvertising ads on Android Kyle (@B3nac) – Android flaw – 03/21/2019 A real XSS in OLX Bug Bounty Paulo Choupina (@PauloChoupina) OLX Reflected XSS $0 (VDP), HoF 03/21/2019 Slack announcement-only channel post restriction bypass Rodney Beede Slack Authorization flaw, Logic flaw $0, Out of scope 03/20/2019 Disclose private/scheduled streams of any Livestream user due to open .m3u8 endpoint Abss TBH @abss_tbh Livestream Information disclosure $1,000 03/20/2019 Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560) Kevin Backhouse (@kevin_backhouse) Facebook Integer overflow $10,000 03/19/2019 Discovering a zero day and getting code execution on Mozilla’s AWS Network Shubham Shah (@infosec_au) & Mathias Karlsson (@avlidienbrunn) Mozilla RCE $500 03/19/2019 DoS Across Facebook Endpoints Max Pasqua Facebook DoS $750 03/19/2019 From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin Heige (@80vul) Microsoft DOM XSS $0 03/19/2019 Should you be concerned about LastPass uploading your passwords to its server? 
Avinash Kumar (@itsavinash_) LastPass Information disclosure, Logic flaw – 03/18/2019 Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) OLX Reflected XSS $0, HoF 03/17/2019 Disclosure of Pending Roles for any Facebook Page Avinash Kumar (@itsavinash_) Facebook IDOR $4,000 03/16/2019 Target Finds Cross-Site Scripting in Microsoft SharePoint Target Microsoft XSS – 03/15/2019 How I was able to pwned 30000+ user’s webhook gujjuboy10x00 (@vis_hacker) – IDOR – 03/14/2019 Privilege escalation on private program. Imran Parray (@CreedHackers) – Privilege escalation, Information disclosure – 03/14/2019 User Account Takeover [Password Change]— Nice Catch! Rohit kumar (@rohitcoder) – Account takeover, Password reset flaw – 03/14/2019 Write up – $1,000 usd in 5 minutes, xss stored in (ios browsers) @omespino Microsoft Stored XSS $1,000 03/14/2019 WordPress 5.1 CSRF to Remote Code Execution Simon Scannell (@scannell_simon) WordPress CSRF, RCE, HTML injection $950 03/13/2019 OLX Bug Bounty: Reflected XSS Mukhammad Akbar (@abaykandotcom) OLX Reflected XSS – 03/13/2019 My First Stored XSS on ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS – 03/13/2019 Hack Your Form-New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) – Blind XSS, Stored XSS $800 03/13/2019 How I found Blind XSS Vulnerability in ssid (@newp_th) – Blind XSS – /27/2019 Inserting malware into anyone’s Google Earth Projects Archive Thomas Orlita (@ThomasOrlita) Google IDOR, XSS, Authorization flaw $0 03/29/2019 Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. Armaan Pathan (@armaancrockroax) – CSRF, Bruteforce – 03/12/2019 Escalating SSRF to RCE Youssef A. Mohamed (@GeneralEG64) – SSRF, RCE – 03/12/2019 CVE-2018-16794 on Philippe Harewood (@phwd) Facebook SSRF $1,000 03/11/2019 SQL injection for $50 bounty, but still worth reading!! 
Ronaldo Messi – SQL injection $50 03/10/2019 Account Takeover Using Cross-Site WebSocket Hijacking (CSWH) Sharan Panegav (@PanegavSharan) – Cross-Site WebSocket Hijacking (CSWH), Account takeover – 03/09/2019 Vimeo SSRF with code execution potential. Harsh Jaiswal (@rootxharsh) Vimeo SSRF $5,000 03/08/2019 Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack Ron Masas Facebook Side-channel attack, Cross-Site Frame Leakage (CSFL) – 03/07/2019 Facebook Messenger server random memory exposure through corrupted GIF image Dzmitry Lukyanenka (@vulnano) Facebook Information disclosure $10,000 03/06/2019 3 XSS in ProtonMail for iOS Vladimir Metnew (@vladimir_metnew) Apple XSS $1,000 03/06/2019 Fixed : Register any email address on Facebook Account Sameer Rao Facebook Authorization flow – 03/05/2019 Fixed : Brute-force Instagram account’s passwords Sameer Rao Facebook Bruteforce, Rate limiting bypass – 03/05/2019 Facebook exploit – Confirm website visitor identities Tom Anthony (@TomAnthonySEO) Facebook Information disclosure, IDOR $1,000 03/04/2019 Auditing GitHub Repo Wikis for Fun and Profit Smeege (@SmeegeSec) – Misconfigured Github wiki $500 03/04/2019 XSS in Edmodo within 5 Minute (My First Bug Bounty) Vala Keyur (@valakeyur) Edmodo Reflected XSS – 03/04/2019 A simple Account takeover misusing JWT late expiration Scalar (@mrprajapati_360) – Authorization flaw, Logic flaw – 03/03/2019 Bypassing a restrictive JS sandbox Licencia para Hackear Private program, static-eval library JS sandbox breakout, RCE – 03/01/2019 Yet Another (unexpected) Hack for Bounty Pumudu Ruhunage Information disclosure $150 03/01/2019 Horizontal Privilege Escalation on Quora which can compromise all users on Quora SpyD3r (@TarunkantG) Quora Privilege escalation – 02/26/2019 [Still work] Redirect Yahoo Subdomain XSS Reflected from Mohamed Haron (@m7mdharon) Yahoo Reflected XSS – 02/26/2019 How I alert(1) in Azure DevOps SpyD3r (@TarunkantG) Microsoft XSS, CSP 
bypass – 02/26/2019

Title | Author | Program | Bug type | Bounty | Date
--- | --- | --- | --- | --- | ---
Web Cache Deception Attack leads to user info disclosure | Kunal pandey (@kunalp94) | – | Web cache deception, Information disclosure | $300 | 02/25/2019
Chain of hacks leading to Database Compromise! | Avinash Jain (@logicbomb_1) | – | LFI, SSRF | – | 02/23/2019
Bug Bounty 101 — Always Check The Source Code | Mohamed Haron (@m7mdharon) | – | Lack of rate limiting, Information disclosure | – | 02/23/2019
Download any organisation Data — S3 amazonaws Misconfiguration | Chand Singh (@Chand_42) | – | Authorization flaw | $2,500 | 02/22/2019
Subdomain Misconfiguration lead to AWS S3 Buckets Reader | Mohamed Haron (@m7mdharon) | – | Subdomain takeover | $800 | 02/22/2019
Exploiting Google Calendars | Rojan Rijal (@uraniumhacker) & Brandon Nguyen (@cmdrsnuggle) | Uber, Shopify, Netflix | Authorization flaw, Information disclosure | – | 02/22/2019
Swiss_E-Voting_Publications | setuid0 (@setuid0) | Swiss E-Voting | XSS, XXE, RCE, Lack of authentication, Authentication flaw, Hardcoded credentials | – | 02/21/2019
Abusing autoresponders and email bounces | Inti De Ceukelaire (@securinti) | Google, Intigriti | Information disclosure, Logic flaw | – | 02/21/2019
Reflected XSS at | Ahamed Morad (@Modam3r5) | Shopify | Reflected XSS | $0, Out of scope | 02/21/2019
How I Registered Multiple Accounts in PrivateInternetAccess VPN Service for FREE | Spade | PrivateInternetAccess VPN | Logic flaw | $1,000 | 02/20/2019
Bug Writeup: FBCTF IDOR | George Osterweil | Facebook | IDOR | $0, Duplicate | 02/20/2019
Leakage of Client Secret, Server tokens of all Uber developer applications | Anand Prakash (@sehacure) | Uber | Information disclosure | $5,000 | 02/19/2019
Multiple Stored XSS On Tokopedia | Apapedulimu (@Apapedulimu) | Tokopedia | Stored XSS, Blind XSS | – | 02/19/2019
Using URI to pop shells via the Discord Client | RagSec (@rag_sec) | Discord | URI abuse, Social engineering | $0, Out of scope | 02/18/2019
DoS on WAF Protected Sites by Abusing Cookie | Anas Mahmood (@AnasIsHere) | Upwork | DoS | $400 | 02/18/2019
2 Subdomains Takeover via Unbounce in a Private Program | Mohamed Haron (@m7mdharon) | – | Subdomain takeover | $0, Duplicate | 02/18/2019
Stored XSS on Edmodo | Rohit kumar (@rohitcoder) | Edmodo | Stored XSS | $0, Duplicate | 02/18/2019
$1.000 SSRF in Slack | Elber Andre (@Elber333) | Slack | SSRF | $1,000 | 02/17/2019
Bypass password confirmation in Facebook “DYI” feature [Archived content] | Samm0uda (@samm0uda) | Facebook | Authorization flaw, IDOR | – | 02/16/2019
Facebook/Workplace Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk | Rohit kumar (@rohitcoder) | Facebook | Information disclosure | $1,000 | 02/16/2019
Subdomain Takeover via Wufoo Service in a Private Program | Mohamed Haron (@m7mdharon) | – | Subdomain takeover | – | 02/16/2019
Open Redirect in SLACK | Mukhammad Akbar (@abaykandotcom) | Slack | Open redirect | $0, N/A | 02/16/2019
Bypassing rate limit abusing misconfiguration rules | Daniel V. | – | Rate limiting bypass | – | 02/15/2019
Subdomain Takeover via HubSpot | Mohamed Haron (@m7mdharon) | – | Subdomain takeover | – | 02/15/2019
Subdomain Takeover via service | Mohamed Haron (@m7mdharon) |  | Subdomain takeover | $0, Informative | 02/15/2019
Never Stop at Banner Grabbing | Gaurav Narwani (@gauravnarwani97) | – | Information disclosure | $241.93 | 02/14/2019
Third Party Android App Storing Facebook Data Insecurely (Facebook Data Abuse Program) | Nightwatch Cybersecurity (@nightwatchcyber) | Facebook | Information disclosure, Lack of authentication | – | 02/14/2019
[SSRF] Server Side Request Forgery in a private Program | Mohamed Haron (@m7mdharon) | – | SSRF | $200 | 02/14/2019
Disclose private attachments in Facebook Messenger Infrastructure – 15,000$ | Sarmad Hassan (@JubaBaghdad) | Facebook | IDOR | $15,000 | 02/13/2019
Facebook CSRF protection bypass which leads to Account Takeover [Archived content] | Samm0uda (@samm0uda) | Facebook | CSRF | $25,000 | 02/12/2019
Hacking YouTube for #fun and #profit | Alexandru Coltuneac (@dekeeu) | Google | IDOR | – | 02/12/2019
Export Facebook audience network reports of any business [Archived content] | Samm0uda (@samm0uda) | Facebook | Authorization flaw | – | 02/12/2019
I Found Clickjacking on Google CSE. Is This Important? | Mukhammad Akbar (@abaykandotcom) | Google | Clickjacking | $0 | 02/10/2019
Csrf Bypass Using Cross Frame Scripting | Mr.Hacker (@mr_hacker0007) | – | CSRF | – | 02/10/2019
How I hacked ASUS? | Mustafa Kemal Can (@muskecan) | Asus | RCE, Unrestricted file upload | – | 02/09/2019
Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program. | Sahil Tikoo (@viperbluff) | – | Information disclosure | – | 02/09/2019
Design Flaws – Scenario One and Fix | Alli-Balogun Faruq (@node_shack) | – | Logic flaw | – | 02/08/2019
Paypal’s Security Check Bypassed | Anees Khan (@AneesEthical) | Paypal | Logic flaw | $0, N/A | 02/08/2019
Internal paths disclosure due to improper exception handling [Archived content] | Samm0uda (@samm0uda) | Facebook | Information disclosure | – | 02/07/2019
Leak of private/in-development app ids, names and translation requests [Archived content] | Samm0uda (@samm0uda) | Facebook | IDOR | – | 02/07/2019
LFI To 10 Servers Pwn | Nirmal Dahal (@TheNittam) | – | LFI, RCE | – | 02/07/2019
How i was able to dump SqlDB \| Simple bug | clever idi0t | – | Directory listing, SQL injection, Authentication bypass | – | 02/07/2019
Cache Deception: How I discovered a vulnerability in Medium and helped them fix it | Yuval Shprinz | Medium | Cache deception | $100, Swag | 02/06/2019
Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard | Lee Christensen (@tifkin_) | Microsoft | Path traversal, RCE | – | 02/06/2019
Jumping Over The Fence | Shahar Albeck | – | Open redirect | – | 02/05/2019
How I hacked 40,000 user accounts of Microsoft using 2FA bypass( | Vartul Goyal (@hackvartul) | Microsoft | 2FA bypass | $0 | 02/05/2019
Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages | Paul (@padannewitz) | – | Mass assignment | $5,000 | 02/05/2019
Reverse RDP Attack: Code Execution on RDP Clients | Eyal Itkin | Microsoft | Path traversal | $0 | 02/05/2019
A Unique XSS Scenario in SmartSheet \|\| $1000 bounty | Rohan Chavan (@rohanchavan1918) | Smartsheet | Stored XSS | $1,000 | 02/03/2019
How I was able to Extract Information of Other Users- Exploiting IDOR | Rupika Luhach (@Rup_Ki_Rani) |  | IDOR | $0, Duplicate | 02/02/2019
LFI in Apigee portals | @wtm_offensi | Google | LFI | – | 01/31/2019
How I found a simple bug in Facebook without any Test | Sarmad Hassan (@JubaBaghdad) | Facebook | Authorization flaw | – | 01/31/2019
$7.5k Google Cloud Platform organization issue | Ezequiel Pereira (@epereiralopez) | Google | Logic flaw | $7,500 | 01/30/2019
How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds. | Piyush Raj (@0x48piraj) | WeeQuizz | Information disclosure | $0, No response | 01/30/2019
Publish tweets by any other user | Kedrisec (@kedrisec) | Twitter | IDOR | $7,560 | 01/30/2019
Guest blog: Eray Mitrani – Hacking isn’t an exact science | Eray Mitrani (@ErayMitrani) | – | Authorization flaw | – | 01/29/2019
Protonmail XSS — Stored | Chand Singh (@Chand_42) | Protonmail | Stored XSS, Bruteforce | – | 01/29/2019
Unsecured access to personal data of a million Leo Express users | Thomas Orlita (@ThomasOrlita) | Leo Express | Authorization flaw, XSS | – | 01/29/2019
Hijacking accounts by retrieving JWT tokens via unvalidated redirects | Shawar Khan (@ShawarkOFFICIAL) | – | Open redirect, Token theft | – | 01/27/2019
A short tale of Account verification bypass | Satyendra Kumar | – | Email verification bypass, Authorization flaw | – | 01/27/2019
Chaining Tricky OAuth Exploitation To Stored XSS | Rohan aggarwal (@nahoragg) | – | Stored XSS, OAuth flaw | – | 01/27/2019
Misconfiguration-Whatsapp Messenger | Pratheesh P Narayanan | Facebook | Logic flaw | $0, Informative | 01/26/2019
AntiHack IDOR on Create Submission | Syahrul Akbar Rohmani (@sahruldotid) |  | IDOR | $0, Swag | 01/26/2019
Facebook Change Product Availability as a PageAnalyst | onehackzero | Facebook | Logic flaw, Authorization flaw | – | 01/25/2019
How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc) | Luke Berner | Google, Microsoft, Facebook | Logic flaw, Authentication flaw | – | 01/25/2019
Magento – RCE & Local File Read with low privilege admin rights | Daniel Le Gall | Magento | LFI, RCE, Path traversal | – | 01/24/2019
Blind XSS To PHP File Upload Vulnerability | SayCure (@SaycureIO) |  | Blind XSS | – | 01/24/2019
Privilege Escalation to Highest Admin Privileges | Gaurav Narwani (@gauravnarwani97) | – | IDOR, Privilege escalation | – | 01/23/2019
Frappé Technologies ERPNext Server Side Template Injection | Brian Hyde | ERPNext | SSTI | $0 | 01/23/2019
Enroll in Facebook Ad-break program without Facebook approval [Archived content] | Samm0uda (@samm0uda) | Facebook | Logic flaw, Authorization flaw | – | 01/22/2019
Disclose page’s admins and its Monetization payout details [Archived content] | Samm0uda (@samm0uda) | Facebook | IDOR, Information disclosure | – | 01/22/2019
Disclose page violations and its eligibility to use Ad-breaks [Archived content] | Samm0uda (@samm0uda) | Facebook | IDOR, Information disclosure | – | 01/22/2019
Disclose Instagram business account linked to a Facebook page [Archived content] | Samm0uda (@samm0uda) | Facebook | IDOR, Information disclosure | – | 01/22/2019
Change payment account of any Facebook commerce page [Archived content] | Samm0uda (@samm0uda) | Facebook | Logic flaw, Authorization flaw | – | 01/22/2019
Expose business email and payment account balance of any Facebook commerce page. | Samm0uda (@Samm0uda) | Facebook | IDOR, Information disclosure | – | 01/22/2019
Reveal if a Facebook merchant page has pending or completed orders. | Samm0uda (@Samm0uda) | Facebook | IDOR, Information disclosure | – | 01/22/2019
Bruteforce Instagram account’s passwords (lack of rate limiting protection). | Samm0uda (@samm0uda) | Facebook | Bruteforce, Lack of rate limiting | – | 01/22/2019
Generate Access Tokens for any Facebook user | Samm0uda (@samm0uda) | Facebook | IDOR | – | 01/22/2019
Modify users profiles of | Samm0uda (@samm0uda) | Facebook | Authorization flaw | – | 01/22/2019
Uploading files to | Samm0uda (@samm0uda) | Facebook | File upload XSS | – | 01/22/2019
Reflected XSS in Zomato | Sudhanshu Rajbhar (@sudhanshur705) | Zomato | Reflected XSS | $250 | 01/21/2019
How I Found and Reporting Vulnerabilities to by Tomi | Tomi (@nahoragg) |  | IDOR, LFI | $0, Swag | 01/20/2019
A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram | Rohan aggarwal (@nahoragg) | – | CORS misconfiguration | – | 01/20/2019
Oauth Misconfiguration lead to complete account takeover | Jackson kv (@Jacksonkv22) | – | CSRF, OAuth flaw, Account takeover | – | 01/20/2019
XSS Through SWF file! | Friendly (@SkeletorKeys) | – | SWF XSS | $200 | 01/18/2019
Bypass Content Security Policy framing restriction rule – OLX | Taha Ibrahim Draidia | OLX | CSP bypass | – | 01/17/2019
Command Injection PoC | NoGe | – | Command injection | – | 01/15/2019
Facebook Vulnerability: Unremovable facebook group admin | Ritish Kumar Singh | Facebook | Logic flaw | $500 | 01/15/2019
#BugBounty How I Hack Billion $ Company | Sadiq West | – | Directory listing | $500 | 01/15/2019
Abusing MySQL clients to get LFI from the server/client | Jarkko Vesiluoma (@jvesiluoma) | – | LFI | – | 01/15/2019
Gaining access to Uber’s user data through AMPScript evaluation | Shubham Shah (@infosec_au) | Uber | AMPScript injection | $23,000 | 01/14/2019
Turning Self XSS to good XSS via access control | Yusuf Yazir (@Hacklad) | – | Stored XSS, Self XSS | – | 01/13/2019
Hack Your Form – New vector for Blind XSS | Youssef A. Mohamed (@GeneralEG64) | Facebook | Blind XSS | $800 | 01/13/2019
Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty | Ajay Gautam (@evilboyajay) | Facebook | IDOR | – | 01/11/2019
Facebook PageAnalyst Could Add oneself as Moderator on Group | onehackzero | Facebook | Authorization flaw | – | 01/11/2019
Multiple Vulnerabilities | Tomi |  | LFI, IDOR | $0, Swag | 01/11/2019
View the contact list for a Messenger Kid as a parent-approved contact | Philippe Harewood (@phwd) | Facebook | Authorization flaw | – | 01/08/2019
Tips for bug bounty beginners from a real life experience | Renaud Martinet (@karouf) | YNAB | XSS, SQL injection | $1,500 | 01/08/2019
When Cookie Hijacking + HTML Injection become dangerous | Daniel V. | – | Cookie Hijacking, HTML Injection | – | 01/07/2019
Reflected XSS ON ASUS. | Thejus Krishnan | Asus | Reflected XSS | $0, HoF | 01/06/2019
Stored XSS Via Alternate Text At Zendesk Support | Hariharan.s (@DJHARIZ1) | Zendesk | Stored XSS | – | 01/06/2019
How I hacked | Jacopo Tediosi (@jacopotediosi) | Altervista | Open redirect | $0, HoF | 01/05/2019
Facebook Android Application | Ash King | Facebook | Authorization flaw | $750 | 01/05/2019
How I could have taken over any Pinterest account | Arnold Anthony (@armold9anthony) | Pinterest | CSRF, Account takeover | $2,400 | 01/05/2019
How I stumbled upon a Stored XSS(My first bug bounty story). | Parth Shah | Edmodo | Stored XSS | – | 01/04/2019
Cookie Based Self-XSS to Good XSS | Brian Hyde | – | XSS | $616 | 01/04/2019
Stealing Side-Channel Attack Tokens in Facebook Account Switcher | Max Pasqua | Facebook | Token theft | $1,000 | 01/04/2019
Yes I can see your OTP | Vulnerables | – | IDOR | – | 01/03/2019
A Tricky Open Redirect | Anas Mahmood (@AnasIsHere) | – | Open Redirect | $200 | 01/03/2019
How I was able to Harvest other Vine users IP address | Prial Islam Khan (@prial261) | Vine | IDOR | $5,040 | 01/02/2019
How i found web shell on and Awarded Gold Coin And SWAG | Rudra Sarkar (@rudr4_sarkar) |  | RCE | – | 01/01/2019
A Curious Case From Little To Complete Email Verification Bypass | Megaman (@N0_M3ga_Hacks) | – | Email validation bypass, Authorization flaw | – | 01/01/2019


About Post Author


I breed unicorns, and when they sleep I play theremin. Anything regarding hacking, drones, ROV and Android tickles me 🙂