| ID | Title | Bug types | Targets | Author | Category | Published | Added |
|---|---|---|---|---|---|---|---|
| 5094 | Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token | postMessage, Violation of secure design principles | Slack | Frans Rosén (@fransrosen) | Bug Bounty | 2017-02-28 | 2023-06-13 |
| 4443 | Exploiting post message to steal and replace user’s cookies | postMessage | NA | Yasser Gersy (@yassergersy) | Bug Bounty | 2018-11-30 | 2023-06-13 |
| 3418 | Account takeover via postMessage | Account takeover, postMessage | NA | socket (@yxw21) | Bug Bounty | 2020-06-05 | 2023-06-13 |
| 3305 | Hunting postMessage Vulnerabilities | postMessage, DOM XSS | Apple, Google (Youtube), Adobe | Gary O'Leary-Steele (@garyoleary) | Bug Bounty | 2020-07-14 | 2023-06-13 |
| 2943 | [Google VRP] Hijacking Google Docs Screenshots | postMessage, XSS | Google | Sreeram KL (@kl_sree) | Bug Bounty | 2020-12-27 | 2023-06-13 |
| 2772 | Security and Privacy of Social Logins (II): PostMessage Security in Single Sign-On | DOM XSS, postMessage | SAP, The New York Times, CNET | Louis Jannett (@iphoneintosh) | Bug Bounty | 2021-02-22 | 2023-06-13 |
| 2539 | XSS via postMessage in chat.mozilla.org | XSS, postMessage | Mozilla | Guilherme Keerok (@k33r0k) | Bug Bounty | 2021-05-20 | 2023-06-13 |
| 2481 | Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs | postMessage, Token leak | Microsoft | Evan Grant (@stargravy) | Bug Bounty | 2021-06-14 | 2023-06-13 |
| 2348 | PostMessage Xss vulnerability on private program | XSS, postMessage | NA | Youghourta Ghannei (@YoughartaG) | Bug Bounty | 2021-08-03 | 2023-06-13 |
| 1989 | Yes, fun browser extensions can have vulnerabilities too! | XSS, Browser extension hacking, postMessage | Meow | Wladimir Palant (@WPalant) | Bug Bounty | 2021-12-20 | 2023-06-13 |
| 1913 | Critical XSS in chrome extension | XSS, postMessage | NA | p3rr0 (@Hperalta89) | Bug Bounty | 2022-01-17 | 2023-06-13 |
| 1791 | OAuth and PostMessage - Chaining misconfigurations for your access token. | OAuth, postMessage, Token leak | NA | Suraj Disoja (@ninetyn1ne_) | Bug Bounty | 2022-02-21 | 2023-06-13 |
| 1611 | Adobe Acrobat hollowing out same-origin policy | XSS, SOP bypass, Open redirect, postMessage | Adobe | Wladimir Palant (@WPalant) | Bug Bounty | 2022-04-19 | 2023-06-13 |
| 1237 | DOM Cross-Site Scripting Via postMessage in AnnounceKit | DOM XSS | Announcekit | Lorenzo Stella (@lorenzostella) | Bug Bounty | 2022-08-12 | 2023-06-13 |
| 751 | XSS on account.leagueoflegends.com via easyXDM [2016] | XSS, postMessage | Riot Games | Luke Young (@TheBoredEng) | Bug Bounty | 2022-12-01 | 2023-06-13 |
| 590 | XSS using postMessage in Google Cloud Theia notebooks [Google VRP] | XSS, postMessage | Google | Sreeram KL (@kl_sree) | Bug Bounty | 2023-01-15 | 2023-06-13 |
| 498 | postMessage DOM XSS vulnerability in Gartner Peer Insights widget | postMessage, DOM XSS | Gartner, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, Vodafone, Black Kite, ReversingLabs, Tata Communications | Justin Steven (@justinsteven) | Bug Bounty | 2023-02-04 | 2023-06-13 |
| 360 | How Your NFTs Could Have Been Stolen in Just One Click | postMessage, GraphQL | NA | PermaSecure (@PermaSecure) | Bug Bounty | 2023-03-03 | 2023-06-13 |
| 122 | A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF… | postMessage, JSONP, DOM XSS, CORS misconfiguration, CSRF, WAF bypass | NA | Julien Cretel (@jub0bs) | Bug Bounty | 2023-05-05 | 2023-06-13 |
| 118 | CSS Injection via PostMessages to stealing Credit Card Info | postMessage, CSS injection | NA | Castilho (@castilho101) | Bug Bounty | 2023-05-05 | 2023-06-13 |
| 47 | XSS in WordPress via open embed auto discovery | XSS, postMessage | WordPress | Jakub Żoczek (@zoczus) | Bug Bounty | 2023-05-29 | 2023-06-13 |