Celebrating $20M in Bounties with a Recap of Our Top 20 Up Voted Reports on Hacktivity

Aug 28 2017

Hacktivity is one of the most popular pages on hackerone.com. And for good reason as it’s a veritable treasure trove of learning for hackers and a wonderful way for companies to practice transparency and showcase their security efforts.

In honor of our $20M in bounties paid out to hackers (yay!), we thought we’d revisit some of the top most up voted reports ever submitted on HackerOne.


And here they are, in descending order, with a corresponding cat gif (because, the internet is awesome). Congrats to all hackers in the list, you’re making the internet safer day by day!

20. (102 upvotes) Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
$3,000 awarded to @fransrosen by Slack for finding a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens.

img 2

19. (104 upvotes) Subdomain takeover at info.hacker.one
$1,000 awarded to @ak1t4 by HackerOne for discovering a CNAME entry for unbouncepages.com that allowed takeover of hundreds of managed domains.

img 3

18. (110 upvotes) Disclose any user's private email through API
$2,000 awarded to @zombiehelp54 by HackerOne for finding a vulnerability that allows an attacker to disclose any user’s private email address.

img 4

17. (111 upvotes) Round error issue -> produce money for free
$1,000 awarded to @4lemon by itBit Exchange for finding a way to exploit a rounding error during financial transactions to “make money.”

img 5

16. (114 upvotes) Reading Emails in Uber Subdomains
$10,000 awarded to @uranium238 by Uber for discovering a bug that allowed reading emails from various subdomains.

img 6

15. (116 upvotes) Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
$5,000 awarded to @arneswinnen by Uber for finding access to subdomains by bypassing the SSO login system.

img 7

14. (119) Web Authentication Endpoint Credentials Brute-Force Vulnerability
$1,500 awarded to @arneswinnen by HackerOne for discovering an inferior request rate-limiting mechanism, which provided inadequate protection against brute force attacks.

img 8

13. (122 upvotes) Hacker.One Subdomain Takeover
$1,000 awarded to @geekboy by HackerOne for exploiting an Instapage cname bug to to takeover a subdomain.

img 9

12. (125 upvotes) Multiple endpoints are vulnerable to XML External Entity injection (XXE)
$2,500 awarded to @mak by Pornhub for finding multiple endpoints vulnerable to XML External Entity injection, enabling arbitrary requests from a production server.

img 10

11. (161 upvotes) Stored XSS in developer.uber.com
$7,500 awarded to @albinowax by Uber for discovering a method for permanently defacing of an entire domain.

img 11

10. (166 upvotes) RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
$5,000 awarded to @neex by Imgur for finding a command line argument injection vulnerability that would lead to command execution.

img 12

9. (174 upvotes) Publicly exposed SVN repository, ht.pornhub.com
$10,000 awarded to @mak by Pornhub for discovering a means for accessing a public .svn repository, which exposed usernames and provided subsequent access to production servers.

img 13

8. (175 upvotes) XXE on sms-be-vip.twitter.com in SXMP Processor
$10,080 awarded to @joshbrodienz by Twitter for finding a bug that exposed local files and allowed sending of web requests.

img 14

7. (200 upvotes) Internal attachments can be exported via "Export as .zip" feature
$12,500 awarded to @japzdivino by HackerOne for discovering a vulnerability that inadvertently included private, internal files when any user exported the complete report.

img 15

6. (210 upvotes) Information Disclosure in /skills call
$10,000 awarded to @deepankerchawla by HackerOne for finding a vulnerability that exposed bug reports submitted by other HackerOne community members, including confidential report descriptions.

img 16

5. (223 upvotes) Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
$10,000 awarded to @mongo by Uber for discovering a vulnerability which allowed a password change just by entering any Uber-registered phone number.

img 17

4. (262 upvotes) Partial disclosure of report activity through new "Export as .zip" feature
$10,000 awarded to @faisalahmed by HackerOne for finding a vulnerability that allowed viewing comments not normally visible in a limited disclosure.

img 18

3. (290 upvotes) Open prod Jenkins instance
$15,000 awarded to @preben_ve by Snapchat for discovering a Jenkins instance which would allow login with any valid Google account and further enable access to sensitive API tokens and source code.

img 19

2. (432 upvotes) [phpobject in cookie] Remote shell/command execution
$20,000 awarded to @static by Pornhub for finding a vulnerable deserialization function in PHP leading to remote shell on a production server.

img 20

1. (478 votes) WannaCrypt “Killswitch”
$10,000 awarded to @malwaretech by HackerOne for identifying the “killswitch” for the  May 2017 global ransomware attack, which the hacker disclosed here.

img 21

Related Posts