Top Vulnerability Reports of Third Quarter, 2016

It’s time for the third installment of Top 5 Vulnerability Reports on HackerOne.

What a quarter! We sweated through the Vegas conferences, Hacked the World and held a jammed AMA on Reddit. Our hackers crossed the $10,000,000 mark of bounties earned. Best of all, our fantastic hackers helped companies find great vulnerabilities like the ones below.

Instead of listing the raw top five, we looked at the best five, non-repeat, non-summarized vulnerabilities of the quarter to share. Detailed vulnerabilities are the most instructive, so that’s why we highlight them here.

The Top 5 Vulnerability Reports of Third Quarter, 2016:

1. Mongo investigated Uber passwords via their passwordless signup features. Uber fixed it in a day (Mongo confirmed it) and paid out $10,000. In Uber’s words, “Thanks for the great find @mongo!”. We’re very glad to have Mongo hacking for HackerOne.

2. A frequent reporter in this blog series, orange knows how not to waste a trip. In this case to China, where a .cn domain of Uber’s was found to have a SQL Injection vulnerability when investigating an unsubscribe link closely. The report earned a nice $4,000.

3. Paragonie-Scott is one of the most vocal security team leaders on HackerOne. Read his reaction to this oddball .svg report that reminds us that .svg is not like other image file formats. It allows arbitrary code execution by design. Abdullah received the largest-ever bounty from the Paragon program, not to mention over 3,500 pageviews and counting.

4. We see lots of phrases like “This is probably not a big deal…” in initial hacker reports. Modest hackers! This report Subdomain takeover on http://fastly.sc-cdn.net/ began that way. Ebrietas started with an outdated DNS record and ended with a $3,000 bounty payment. Thanks for preventing users from potentially being served false content.

5. Egypt’s secgeek reported Html Injection and Possible XSS in sms-be-vip.twitter.com to Twitter. The vulnerability, which affected the latest versions of Internet Explorer, could have allowed injection of html tags and Javascript execution. At HackerOne, we particularly like the professional, polite disagreement and resolution that came up along the way to a $420 reward. Nice find!

Do you see vulnerabilities you think were instructive or otherwise awesome? You can vote here to highlight the best on the top of the Hacktivity page.

Want to appear here next quarter? Hack on! Or invite your own hackers like the companies here did. As I once read, every organization needs a bug bounty program!

Rajesh F. Krishnan

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.