| ID | Title | Vulnerability types | Targets | Author | Category | Published | Added |
|---|---|---|---|---|---|---|---|
| 4704 | The $12,000 Intersection between Clickjacking, XSS, and Denial of Service | Clickjacking, XSS, DoS | Bustabit | Sam Curry (@samwcyo) | Bug Bounty | 2018-07-04 | 2023-06-13 |
| 4407 | Reading ASP secrets for $17,000 | Local file disclosure (LFD) | NA | Sam Curry (@samwcyo) | Bug Bounty | 2018-12-16 | 2023-06-13 |
| 4044 | Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program | Blind XSS | Tesla | Sam Curry (@samwcyo) | Bug Bounty | 2019-07-14 | 2023-06-13 |
| 3900 | Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure | Path traversal | Atlassian | Sam Curry (@samwcyo) | Bug Bounty | 2019-09-25 | 2023-06-13 |
| 3853 | Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty | Null byte buffer overflow, Memory corruption | NA | Sam Curry (@samwcyo) | Bug Bounty | 2019-11-01 | 2023-06-13 |
| 3539 | Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts | HTTP cache poisoning, Open redirect | Rocket League | Sam Curry (@samwcyo) | Bug Bounty | 2020-04-19 | 2023-06-13 |
| 3377 | Hacking Starbucks and Accessing Nearly 100 Million Customer Records | Path traversal | Starbucks | Sam Curry (@samwcyo) | Bug Bounty | 2020-06-20 | 2023-06-13 |
| 3109 | We Hacked Apple for 3 Months: Here’s What We Found | RCE, Authentication bypass, Authorization bypass, SSRF, XXE, Blind XSS, IDOR, OS command injection, SQL injection | Apple | Sam Curry (@samwcyo) | Bug Bounty | 2020-10-07 | 2023-06-13 |
| 2818 | Hacking Chess.com and Accessing 50 Million Customer Records | Reflected XSS, Information disclosure, Account takeover | Chess.com | Sam Curry (@samwcyo) | Bug Bounty | 2021-02-11 | 2023-06-13 |
| 2422 | Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer | Broken link hijacking | Chess.com | Sam Curry (@samwcyo) | Bug Bounty | 2021-07-10 | 2023-06-13 |
| 1052 | Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library | Universal XSS, SSRF, Open redirect, Web cache poisoning | Netlify, Gemini, PancakeSwap, Docusign, Moonpay, Celo | Sam Curry (@samwcyo) | Bug Bounty | 2022-09-21 | 2023-06-13 |
| 621 | Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More | Account takeover, SSO, RCE, Authorization bypass, SQL injection, Mass assignment, Information disclosure | Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, Ferrari, Spireon, Ford, Reviver, Porsche, Toyota, Jaguar, Land Rover, SiriusXM | Sam Curry (@samwcyo) | Bug Bounty | 2023-01-03 | 2023-06-13 |