| # | Title | Bug type | Target | Author | Type | Publication date | Added date |
|---|---|---|---|---|---|---|---|
| 4628 | Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org | Stored XSS | Webcomponents.org | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2018-08-23 | 2023-06-13 |
| 4601 | Reflected XSS in Google Code Jam | Reflected XSS | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2018-09-08 | 2023-06-13 |
| 4573 | Bypassing Firebase authorization to create custom goo.gl subdomains | Logic flaw, IDOR | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2018-09-21 | 2023-06-13 |
| 4412 | XSSing Google Code-in thanks to improperly escaped JSON data | XSS | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2018-12-14 | 2023-06-13 |
| 4334 | Unsecured access to personal data of a million Leo Express users | Authorization flaw, XSS | Leo Express | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2019-01-29 | 2023-06-13 |
| 4260 | Inserting malware into anyone’s Google Earth Projects Archive | IDOR, XSS, Authorization flaw | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2019-03-10 | 2023-06-13 |
| 4106 | XSSing Google Employees — Blind XSS on googleplex.com | Blind XSS | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2019-06-15 | 2023-06-13 |
| 3979 | Clickjacking DOM XSS on Google.org | Clickjacking, DOM XSS | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2019-08-12 | 2023-06-13 |
| 3554 | Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs | IDOR | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2020-04-07 | 2023-06-13 |
| 3128 | Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts | GCP bucket misconfiguration, Information disclosure, Cloud | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2020-09-29 | 2023-06-13 |
| 2243 | 5 Different Vulnerabilities in Google’s Threadit | DOM XSS, Clickjacking, Privilege escalation, Information disclosure | Google | Thomas Orlita (@ThomasOrlita) | Bug Bounty | 2021-09-07 | 2023-06-13 |