| 3621 | The unexpected Google wide domain check bypass |
Logic flaw |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2020-03-08 | 2023-06-13 |
| 2907 | Stealing Your Private YouTube Videos, One Frame at a Time |
IDOR |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-01-11 | 2023-06-13 |
| 2884 | The Embedded YouTube Player Told Me What You Were Watching (and more) |
Information disclosure |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-01-18 | 2023-06-13 |
| 2662 | CSRF in YouTube Leanback API |
CSRF |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-04-05 | 2023-06-13 |
| 2657 | I Built a TV That Plays All of Your Private YouTube Videos |
CSRF |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-04-05 | 2023-06-13 |
| 2624 | Auth Bypass in Google Workspace Real Time Collaboration |
Authentication bypass
Information disclosure |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-04-20 | 2023-06-13 |
| 2598 | De-anonymising Anonymous Animals in Google Workspace |
Privacy issue
Information disclosure |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-04-29 | 2023-06-13 |
| 2552 | Auth Bypass in https://nearbydevices-pa.googleapis.com |
Broken Access Control |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-05-16 | 2023-06-13 |
| 2549 | Clickjacking in Nearby Devices Dashboard |
Clickjacking |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-05-17 | 2023-06-13 |
| 2546 | Path Traversal in MobileSafari |
Path traversal |
Apple |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-05-18 | 2023-06-13 |
| 2524 | Bypassing restricted port protection in WebKit |
Browser hacking |
Apple |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-05-26 | 2023-06-13 |
| 2426 | IDOR on clientauthconfig.googleapis.com |
IDOR |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-07-08 | 2023-06-13 |
| 2414 | Unencrypted HTTP Links to Google Scholar in Search |
MiTM |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-07-13 | 2023-06-13 |
| 2161 | Auth Bypass in Google Assistant |
Insecure deeplink |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-10-10 | 2023-06-13 |
| 2067 | URL whitelist bypass in https://cxl-services.appspot.com |
Privilege escalation
URL validation bypass
SSRF |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-11-17 | 2023-06-13 |
| 1954 | Fixing the Unfixable: Story of a Google Cloud SSRF |
SSRF |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2021-12-31 | 2023-06-13 |
| 1847 | Auth Bypass in com.google.android.googlequicksearchbox |
Authentication bypass |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2022-02-06 | 2023-06-13 |
| 1846 | Auth Bypass in Google Assistant |
Information disclosure
Authentication bypass |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2022-02-06 | 2023-06-13 |
| 1660 | CloudKit Share Records leak the title of private iCloud files |
IDOR
Broken Access Control |
Apple |
David Schütz (@xdavidhu) |
Bug Bounty | 2022-04-05 | 2023-06-13 |
| 1138 | Viewing Instagram live streams anonymously without notifying the host |
IDOR
Logic flaw
Privacy issue |
Meta / Facebook |
David Schütz (@xdavidhu) |
Bug Bounty | 2022-09-02 | 2023-06-13 |
| 846 | Accidental $70k Google Pixel Lock Screen Bypass |
Lock screen bypass
Authentication bypass
Android |
Google |
David Schütz (@xdavidhu) |
Bug Bounty | 2022-11-10 | 2023-06-13 |
| 798 | Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs |
GraphQL
Security misconfiguration |
Meta / Facebook |
David Schütz (@xdavidhu) |
Bug Bounty | 2022-11-21 | 2023-06-13 |
