Celebrating $20M in Bounties with a Recap of Our Top 20 Upvoted Reports on Hacktivity
Hacktivity is one of the most popular pages on hackerone.com, and for good reason: it’s a veritable treasure trove of learning for hackers and a wonderful way for companies to practice transparency and showcase their security efforts.
In honor of our $20M in bounties paid out to hackers (yay!), we thought we’d revisit some of the most upvoted reports ever submitted on HackerOne.
And here they are, in descending order, with a corresponding cat gif (because the internet is awesome). Congrats to all hackers in the list, you’re making the internet safer day by day!
20. (102 upvotes) Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
$3,000 awarded to @fransrosen by Slack for finding a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens.
18. (110 upvotes) Disclose any user's private email through API
$2,000 awarded to @zombiehelp54 by HackerOne for finding a vulnerability that allows an attacker to disclose any user’s private email address.
15. (116 upvotes) Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
$5,000 awarded to @arneswinnen by Uber for finding access to subdomains by bypassing the SSO login system.
14. (119 upvotes) Web Authentication Endpoint Credentials Brute-Force Vulnerability
$1,500 awarded to @arneswinnen by HackerOne for discovering a weak request rate-limiting mechanism, which provided inadequate protection against brute-force attacks.
12. (125 upvotes) Multiple endpoints are vulnerable to XML External Entity injection (XXE)
$2,500 awarded to @mak by Pornhub for finding multiple endpoints vulnerable to XML External Entity injection, enabling arbitrary requests from a production server.
10. (166 upvotes) RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
$5,000 awarded to @neex by Imgur for finding a command line argument injection vulnerability that would lead to command execution.
9. (174 upvotes) Publicly exposed SVN repository, ht.pornhub.com
$10,000 awarded to @mak by Pornhub for discovering a publicly accessible .svn repository, which exposed usernames and provided subsequent access to production servers.
7. (200 upvotes) Internal attachments can be exported via "Export as .zip" feature
$12,500 awarded to @japzdivino by HackerOne for discovering a vulnerability that inadvertently included private, internal attachments whenever a user exported a complete report as a .zip.
6. (210 upvotes) Information Disclosure in /skills call
$10,000 awarded to @deepankerchawla by HackerOne for finding a vulnerability that exposed bug reports submitted by other HackerOne community members, including confidential report descriptions.
5. (223 upvotes) Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
$10,000 awarded to @mongo by Uber for discovering a vulnerability which allowed a password change just by entering any Uber-registered phone number.
4. (262 upvotes) Partial disclosure of report activity through new "Export as .zip" feature
$10,000 awarded to @faisalahmed by HackerOne for finding a vulnerability that allowed viewing comments not normally visible in a limited disclosure.
3. (290 upvotes) Open prod Jenkins instance
$15,000 awarded to @preben_ve by Snapchat for discovering a production Jenkins instance that allowed login with any valid Google account, which in turn gave access to sensitive API tokens and source code.
2. (432 upvotes) [phpobject in cookie] Remote shell/command execution
$20,000 awarded to @static by Pornhub for finding a vulnerable PHP deserialization function (an object passed in a cookie) leading to a remote shell on a production server.