Bug Lists

Lists Of Bug Bounty Writeups

| Writeup | Target | Vulnerability type | Bounty | Author |
|---|---|---|---|---|
| Story of a FaceBook Page Admin Disclosure bug worth $5000 | Facebook | Information disclosure | $5,000 | Shubham Bhamare |
| Expose the email address of Workplace users | Facebook | IDOR, Information disclosure | $5,000 | Samm0uda |
| XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers | Facebook | XSS, Account takeover | $30,000 | Samm0uda |
| Hijacking Google Docs Screenshots | Google | XSS, PostMessage flaw | - | Sreeram |
| Facebook page admin disclosure by “Create doc” button | Facebook | Information disclosure | $5,000 | Shubham Bhamare |
| Cookie Tossing to RCE on Google Cloud JupyterLab | Google | Self XSS, DoS, CSRF | $3,133 | S1r1u5 |
| View anyone’s private email and birthday on Instagram | Facebook | Logic flaw | $13,125 | Saugat |
| TikTok Careers Portal Account Takeover | TikTok | CSRF, Open redirect | $2,373 | Lauritz_ |
| $10000 Facebook SSRF | Facebook | SSRF | $10,000 | Amine Aboud |
| How I was able to bypass OTP code requirement in Razer | Razer | OTP Bypass | $1,000 | Ananda Dhakal |
| Disclosure the verified phone number in Checkpoint. | Facebook | Information disclosure | $500 | TienDat |
| How I made 1000$ with AT&T Bug Bounty (H1) | AT&T | CSRF, Account takeover | $1,000 | Adesh Kolte |
| Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure | Atlassian | Path traversal | $11,000 | Sam Curry |
| Spear texting via parameter injection | - | Parameter tampering | $900 | Kyle |
| Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork | Paypal | Information disclosure | $1,000 | Yoko Kho |
| Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public | Facebook | Privilege escalation | $500 | Guhan Raja |
| Client, not client! | - | LFI | $1,000 | Tung Pun |
| I Could Have Hacked All Uber Accounts - But I Chose to Report it Instead | Uber | Information disclosure | $6,500 | Anand Prakash |
| OTP Manipulation | - | OTP Bypass | $300 | Choudhary |
| How two dead accounts allowed remote crash of any instagram android user | Facebook | DoS | - | Valerio Brussani |
| Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE | - | RCE, Unrestricted file upload | $3,000 | HackerOn2Wheels |
| How I could have hacked your Uber account | Uber | Account takeover, IDOR | $6,500 | Anand Prakash |
| How does my recon win $250 in 15 minutes | - | Open redirect | $250 | Hein Thant |
| Oculus identity verification bypass through brute-force | Facebook | OTP bypass, Lack of rate limiting | $750 | Dhiraj |
| Chaining Two 0-Days to Compromise An Uber Wordpress | Uber | Stored XSS, SQL injection | - | Julien Ahrens |
| Accessing 2 million Verizon Pay Monthly contracts | Verizon | Authentication bypass, IDOR | - | Daley Bee |
| Telegram addresses another privacy issue | Telegram | Logic flaw, Privacy issue | €2,500 | Dhiraj |
| DOM Based XSS in Private Program | - | DOM XSS | $500 | Moh. Haron |
| XSS in Zoho Mail | Zoho Mail | XSS | $200 | Anas Mahmood |
| Finding Gem in Someone’s Report: Instant $500USD | - | Information disclosure | $500 | Hisoka Morou |
| HTML to PDF converter bug leads to RCE in Facebook server | Facebook | RCE | $1,000 | Samm0uda |
| Readme.com Account Takeover | Readme.com | Password reset flaw | $0 | Ankush Goel |
| My First LFI | - | Password reset flaw, Account takeover | $1,000 | Tirtha Mandal |
| How I Hacked Instagram Again | Facebook | Password reset flaw, Account takeover | $10,000 | Laxman Muthiyah |
| From Github Recon To Account Takeover | - | Information disclosure, Account takeover | - | Dipak Kumar |
| One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse | 1Password, Keeper, Dashlane | Information disclosure, Content leak | - | Lorenzo Stella |
| Instagram account is reactivated without entering 2FA | Facebook | 2FA bypass, Authentication flaw | $500 | Aman Shahid |
| How I upgraded my privileges to the administrator | ok.ru | Privilege escalation | $500 | Sergey Kashatov |
| Removing profile pictures for any Facebook user | Facebook | IDOR | $2,500 | Philippe H |
| How I was able to earn 1000$ with just 10 minutes | - | Password reset flaw | $1,000 | Ninad Mathpati |
| Clickjacking DOM XSS on Google.org | Google | Clickjacking, DOM XSS | - | Thomas Orlita |
| Application Level Denial of Service [DoS] using SVG file | - | DoS | $300 | Evan Ricafort |
| Writing my Medium blog to complete account takeover | Medium | Stored XSS, Account takeover | $1,000 | Rotem Reiss |
| Vulnerability in Hangouts Chat: from open redirect to code execution | Google | Open redirect, RCE | $7,500 | VulnerabilityLabs |
| All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts | Paypal | IDOR | $10,500 | Mohd. Haji |
| From Sub domain Takeover to Open-Redirect | - | Subdomain takeover | $150 | Anil Tom |
| Complete information disclosure using Broken Access Control | - | IDOR, Authorization flaw | $100 | Bhavesh Thakur |
| Access portal of Facebook mobile retailers | Facebook | IDOR, Authorization flaw | $500 | Samm0uda |
| View orders and financial reports lists for any page shop | Facebook | Authorization flaw | $500 | Samm0uda |
| Old GitHub Profile Takeover | Github | Account Takeover | $1,000 | Moh. Haron |
| Facebook Oauth Account Takeover | iLotte | RCE, XSS | $150 | Zerb0a |
| Solr Injection by abusing Local Parameters | Zomato | Solr Injection | $700 | Ronak Patel |
| XSS to RCE in … | Github | RCE, XSS | - | Hungry Bytes |
| Reflected XSS in Ebay.com | Ebay | Reflected XSS | $0, HoF | Sukhmeet Singh |
| XSS On Twitter [Worth 1120$] | Twitter | XSS | $1,120 | Bywalks |
| Intersection between Clickjacking, XSS, and Denial of Service | - | Clickjacking, XSS, DoS | $12,000 | Ashish Mathur |
| Microsoft Office 365 - Outlook XSS | Microsoft | XSS | - | Al Qabandi |
| Cookie-based XSS exploitation | - | XSS | $2,300 | Max |
| How Recon helped me to find a Facebook domain takeover | Facebook | Subdomain Takeover | $500 | Sudanshu Raj |
| CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook | Facebook | CSRF | $3,000 | Lokesh Kumar |
| The Bugs Are Out There, Hiding in Plain Sight | - | IDOR, SSRF, Information disclosure | $9,000 | A Bug'z Life |
| Man In The Middle on Slack | Slack | MiTM | $500 | Wiard Van Rij |
| Site-wide CSRF through GraphQL request TOKOPEDIA | Tokopedia | CSRF | - | Rafie Muhammad |
| How I Could Have Hacked Any Instagram Account | Facebook | Race condition, Rate limiting bypass | $30,000 | Laxman Muthiyah |
| Cracking my windshield and earning $10,000 on the Tesla | Tesla | Blind XSS | $10,000 | Sam Curry |
| Page Admin Disclosure (Facebook Android App) | Facebook | Information Disclosure | $500 | Yusuf Furkan |
| Command Execution on Jenkins | Jenkins | RCE | $8,000 | Jay Jani |
| SQL Injection Bug Bounty POC! | - | SQL Injection | €5,000 | Arif-ITSEC111 |
| Tale of account takeover — Sensitive info Disclosure | - | IDOR, Account Takeover | $2,650 | Sakyb |
| Page Admin Disclosure | Facebook | Authorization flaw | $1,000 | Ajay Gautam |
| Password Reset Vulnerability | - | Account Takeover | $1,200 | Muh Asim Shahzad |
| Stored XSS | Indeed | Stored XSS | $1,500 | Tirtha Mandal |
| Download Protection Bypass | Google | Browser Flaw | $1,000 | Night Watch Cyber |
| Gain Adfly SMTP Access | Adfly | SSRF | - | Serboa |
| Account Takeover CSRF | - | CSRF | $1,000 | Shub Rathore |
| $1800 worth Clickjacking | - | Clickjacking | $1,800 | Osama Avvan |
| Page Admin Disclosure \|\| Facebook Bug Bounty 2019 | Facebook | Authorization flaw | $1,000 | Ajay Gautam |
| Full Account takeover (Insecure Direct Object Reference) | - | IDOR, Account takeover | $1,200 | Muh Asim Shahzad |
| About a Sucuri RCE…and How Not to Handle Bug Bounty Reports | Sucuri | RCE | $750 | Julien Ahrens |
| Facebook Vulnerability: Unremovable Co-Host in facebook group events | Facebook | Logic Flaw | $500 | Ritish Kumar Singh |
| Reflected XSS in Tokopedia Train Ticket | Tokopedia | Reflected XSS | $212 | Jon Bottarini |
| Amazon S3 bucket misconfiguration? | Dropbox | AWS Flaw | $1,500 | Muh Asim Shahzad |
| Stealing Cookies to Login in any Account | - | Cookie Theft | $900 | Osama Avvan |
| Fullscreen API Attack’s Revisited and the FaceBook NA Story | Facebook | Fullscreen API Attack | - | Circle Ninja |
| XSSing Google Employees - Blind XSS on googleplex.com | Google | Blind XSS | - | Thomas Orlita |
| Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) | Microsoft | Browser Bug | $15,000 | Nikhil Mittal |
| Bypassing CSP with policy injection | Paypal | CSP Bypass | $900 | Gareth Heyes |
| CSRF to Account Takeover worth $750 | - | CSRF, Account Takeover | $750 | Nishant Saurav |
| Disclose files content from Facebook internal CDNs | Facebook | Weak Encryption | $12,500 | Samm0uda |
| Determine a Facebook user from an email address | Facebook | Information Disclosure | $1,000 | Philippe Harewood |
| Local File Inclusion in peering.google.com | Google | LFI | $3,133.7 | Jafar Abo Nada |
| LFI on Production Servers in “springboard.google.com” | Google | LFI | $13,337 | Omespino |
| Stealing Downloads from Slack Users | Slack | CSRF | - | David Wells |
| Bypassing Instagram’s stories restriction | Facebook | Logic Flaw | $500 | Baibhav Anand |
| Advanced CORS Exploitation Techniques | - | CORS Misconfiguration | $1,500 | Ayoub |
| Stored XSS on Techprofile Microsoft | Microsoft | Stored XSS | - | Moh Ali Syarief |
| BLIND SSRF in *.stripe.com due to Sentry Misconfiguration | Stripe | Blind SSRF | - | Oktavandi |
| Tale of a Wormable Twitter XSS | Twitter | XSS | $2,940 | 0xSobky |
| Facebook’s URL spoofing vulnerability | Facebook | URL Spoofing | $3,000 | Rahul Kankrale |
| Bug Hunting in JavaScript Engines | Google | Buffer Overflow | $7,500 | Dimitri Fourny |
| Getting access to Zendesk’s Google Cloud | Zendesk | Information Disclosure | $3,000 | Ruby Nealon |
| Improper access control in Gitlab private project | GitLab | Authorization Flaw | $2,000 | Ricardo Padovani |
| Gain access to revenue and traffic data of Shopify stores | Shopify | IDOR | - | Ayoub Fathi |
| 3 XSS in ProtonMail for iOS | Apple | XSS | $1,000 | Vladimir Metnew |
| Server tokens of all Uber developer applications | Uber | Information Disclosure | $5,000 | Anand Prakash |