5281 | Stealing Facebook Access Tokens with a Double Submit |
CSRF
OAuth |
Meta / Facebook |
Jack Whitton (@fin1te) |
Bug Bounty | 2013-04-13 | 2023-06-13 |
5254 | How I was able to track the location of any Tinder user. |
Information disclosure |
Tinder |
Max Veytsman (@mveytsman) |
Bug Bounty | 2014-02-19 | 2023-06-13 |
5217 | [Responsible disclosure] How I could have hacked 62.5 million Zomato Users |
IDOR |
Zomato |
Anand Prakash (@anandpraka_sh) |
Bug Bounty | 2015-06-04 | 2023-06-13 |
5179 | Facebook movies recommendation vulnerability – A bug capable of erasing all your important notifications! |
Logic flaw
DoS |
Meta / Facebook |
Mohamed A. Baset |
Bug Bounty | 2016-05-05 | 2023-06-13 |
5169 | RunKeeper Stored XSS Vulnerability – Where worms are able to run too! |
Stored XSS
CSRF |
RunKeeper |
Mohamed A. Baset |
Bug Bounty | 2016-06-06 | 2023-06-13 |
5141 | Internet Explorer has a URL problem |
OAuth
RPO
XSS |
GitHub
Google |
File Descriptor (@filedescriptor) |
Bug Bounty | 2016-09-06 | 2023-06-13 |
5100 | How I was able to remove your Instagram Phone number |
Bruteforce |
Meta / Facebook |
Neeraj Sonaniya (@neeraj_sonaniya) |
Bug Bounty | 2017-02-20 | 2023-06-13 |
5035 | Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal information |
IDOR
Account takeover |
NA |
Zseano (@zseano) |
Bug Bounty | 2017-07-13 | 2023-06-13 |
5023 | How i was able to bypass strong xss protection in well known website. (imgur.com) |
XSS |
Imgur |
Armaan Pathan (@armaancrockroax) |
Bug Bounty | 2017-07-21 | 2023-06-13 |
5012 | Business Logic Vulnerabilities Series: How I became invisible and immune to blocking on Instagram! |
Logic flaw |
Meta / Facebook |
Ali Kabeel |
Bug Bounty | 2017-07-31 | 2023-06-13 |
5003 | Password Not Provided - Compromising Any Flurry User's Account [Yahoo Bug Bounty] |
Authentication flaw
Account takeover |
Yahoo! / Verizon Media |
Jack Cable (@jackhcable) |
Bug Bounty | 2017-08-15 | 2023-06-13 |
4965 | How I Was Able To View Private Tweets Of Any Private Twitter Account |
IDOR |
Twitter |
Cj Legacion (@LegacionCj) |
Bug Bounty | 2017-10-06 | 2023-06-13 |
4959 | How I was Able to see someone’s all private files with a single file share link through Atom feed & Never Give Up #togetherwehitharder HackerOne |
Information disclosure |
NA |
Yogendra Jaiswal (@vulnh0lic) |
Bug Bounty | 2017-10-13 | 2023-06-13 |
4949 | App Maker and Colaboratory: a stored Google XSS double-bill |
Stored XSS |
Google |
Yasin Soliman (@SecurityYasin) |
Bug Bounty | 2017-11-01 | 2023-06-13 |
4918 | How I Was Able To See The Bounty Balance Of Any Bug Bounty Program In HackerOne |
Logic flaw |
HackerOne |
Cj Legacion (@LegacionCj) |
Bug Bounty | 2017-12-06 | 2023-06-13 |
4915 | How I was able to takeover Facebook account |
Authentication bypass |
Meta / Facebook |
Ameer Hamza |
Bug Bounty | 2017-12-10 | 2023-06-13 |
4914 | Don't Trust the Host Header for Sending Password Reset Emails |
Password reset
Account takeover |
Mavenlink |
Jack Cable (@jackhcable) |
Bug Bounty | 2017-12-13 | 2023-06-13 |
4898 | #BugBounty — How I was able to read chat of users in an Online travel portal |
IDOR |
NA |
Avinash Jain (@logicbomb_1) |
Bug Bounty | 2018-01-10 | 2023-06-13 |
4896 | #BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company |
CSRF
Parameter tampering |
NA |
Avinash Jain (@logicbomb_1) |
Bug Bounty | 2018-01-14 | 2023-06-13 |
4884 | #BugBounty @ Linkedln-How I was able to bypass Open Redirection Protection |
Open redirect |
LinkedIn |
Avinash Jain (@logicbomb_1) |
Bug Bounty | 2018-01-24 | 2023-06-13 |
4883 | Reflected XSS + Possible Server Side Template Injection in HubSpot CMS ( All Websites Uses HubSpot was affected ) |
Reflected XSS |
HubSpot |
Mohamed Haron (@m7mdharon) |
Bug Bounty | 2018-01-24 | 2023-06-13 |
4876 | How I was able to Download Any file from Web server! |
XSS
IDOR |
NA |
hammadhassan924 |
Bug Bounty | 2018-01-27 | 2023-06-13 |
4875 | Getting access to prompt debug dialog and serialized tool on main website facebook.com |
Information disclosure
Debug mode enabled |
Meta / Facebook |
Omar Espino (@omespino) |
Bug Bounty | 2018-01-31 | 2023-06-13 |
4874 | How I was able to Bypass XSS Protection on HackerOne’s Private Program |
XSS |
NA |
Jay Jani (@JayJani007) |
Bug Bounty | 2018-02-02 | 2023-06-13 |
4861 | #BugBounty — “How I was able to shop for free!”- Payment Price Manipulation |
Parameter tampering
Payment tampering |
NA |
Avinash Jain (@logicbomb_1) |
Bug Bounty | 2018-02-11 | 2023-06-13 |