TOP100UPVOTED.md

Top 100 upvoted reports from HackerOne:

1. Takeover an account that doesn't have a Shopify ID and more to Shopify - 2843 upvotes, $23550
2. Bypass for #488147 enables stored XSS on https://paypal.com/signin again to PayPal - 2530 upvotes, $20000
3. Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 1804 upvotes, $16000
4. Account takeover via leaked session cookie to HackerOne - 1500 upvotes, $20000
5. Arbitrary file read via the UploadsRewriter when moving and issue to GitLab - 1428 upvotes, $20000
6. Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password to PayPal - 1326 upvotes, $15300
7. RCE on Steam Client via buffer overflow in Server Info to Valve - 1254 upvotes, $18000
8. Potential pre-auth RCE on Twitter VPN to Twitter - 1157 upvotes, $20160
9. Exposed Kubernetes API - RCE/Exposed Creds to Snapchat - 1091 upvotes, $25000
10. Github access token exposure to Shopify - 995 upvotes, $50000
11. Confidential data of users and limited metadata of programs and reports accessible via GraphQL to HackerOne - 972 upvotes, $20000
12. Improper Authentication - any user can login as other user with otp/logout & otp/login to Snapchat - 891 upvotes, $25000
13. [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 869 upvotes, $15000
14. Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies to Slack - 823 upvotes, $6500
15. DoS on PayPal via web cache poisoning to PayPal - 807 upvotes, $9700
16. WannaCrypt “Killswitch” to HackerOne - 798 upvotes, $10000
17. RCE via npm misconfig -- installing internal libraries from the public registry to PayPal - 797 upvotes, $30000
18. H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 791 upvotes, $15000
19. Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 788 upvotes, $10000
20. Git flag injection - local file overwrite to remote code execution to GitLab - 759 upvotes, $12000
21. Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application to PlayStation - 745 upvotes, $15000
22. SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database to Starbucks - 737 upvotes, $4000
23. Exfiltrate and mutate repository and project data through injected templated service to GitLab - 732 upvotes, $11000
24. Subdomain Takeover to Authentication bypass to Roblox - 718 upvotes, $2500
25. JumpCloud API Key leaked via Open Github Repository. to Starbucks - 709 upvotes, $4000
26. Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives to PlayStation - 709 upvotes, $10000
27. IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 683 upvotes, $10500
28. 🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter to Razer - 676 upvotes, $2000
29. Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 671 upvotes, $4000
30. SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent to GSA Bounty - 665 upvotes, $2000
31. Stored XSS on https://paypal.com/signin via cache poisoning to PayPal - 646 upvotes, $18900
32. Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ to Glassdoor - 632 upvotes, $1000
33. Email address of any user can be queried on Report Invitation GraphQL type when username is known to HackerOne - 621 upvotes, $8500
34. Time-Based SQL injection at city-mobil.ru to Mail.ru - 620 upvotes, $15000
35. Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter to Uber - 618 upvotes, $6500
36. My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft to Lyft - 618 upvotes, $0
37. [phpobject in cookie] Remote shell/command execution to Pornhub - 605 upvotes, $20000
38. Ability to reset password for account to Upserve - 601 upvotes, $3500
39. Getting all the CD keys of any game to Valve - 600 upvotes, $20000
40. Stored XSS in Wiki pages to GitLab - 595 upvotes, $4500
41. Stored XSS on imgur profile to Imgur - 591 upvotes, $650
42. Bypassing Digits origin validation which leads to account takeover to Twitter - 587 upvotes, $5040
43. SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter to Razer - 580 upvotes, $2000
44. Github Token Leaked publicly for https://github.sc-corp.net to Snapchat - 566 upvotes, $15000
45. Customer private program can disclose email any users through invited via username to HackerOne - 563 upvotes, $7500
46. Request smuggling on admin-official.line.me could lead to account takeover to LINE - 553 upvotes, $9000
47. RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ to Starbucks - 538 upvotes, $4000
48. Publicly accessible Continuous Integration Tool to Snapchat - 538 upvotes, $25000
49. Local files could be overwritten in GitLab, leading to remote command execution to GitLab - 536 upvotes, $12000
50. Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 536 upvotes, $16109
51. The return of the ＜ to Rockstar Games - 533 upvotes, $1000
52. Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com to Zomato - 533 upvotes, $5000
53. Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 532 upvotes, $22500
54. SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog to Razer - 528 upvotes, $2000
55. SSRF in Exchange leads to ROOT access in all instances to Shopify - 520 upvotes, $25000
56. [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure to Grab - 518 upvotes, $7500
57. Shopify Stocky App OAuth Misconfiguration to Shopify - 514 upvotes, $5000
58. Password theft login.newrelic.com via Request Smuggling to New Relic - 485 upvotes, $3000
59. BAD Code ! to Paragon Initiative Enterprises - 484 upvotes, $0
60. Able to Become Admin for Any LINE Official Account to LINE - 483 upvotes, $4750
61. Remote Code Execution in Slack desktop apps + bonus to Slack - 481 upvotes, $1750
62. RCE when removing metadata with ExifTool to GitLab - 476 upvotes, $20000
63. Reflected XSS in OAUTH2 login flow to LINE - 471 upvotes, $1989
64. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 465 upvotes, $5500
65. Steal ALL collateral during liquidation by exploiting lack of validation in flip.kick to BlockDev Sp. Z o.o - 461 upvotes, $50000
66. profile-picture name parameter with large value lead to DoS for other users and programs on the platform to HackerOne - 460 upvotes, $2500
67. XSS in steam react chat client to Valve - 453 upvotes, $7500
68. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 449 upvotes, $3860
69. How the Bug stole hacking to HackerOne - 444 upvotes, $0
70. Access to multiple production Grafana dashboards to Snapchat - 443 upvotes, $10000
71. XSS vulnerable parameter in a location hash to Slack - 440 upvotes, $1100
72. Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 438 upvotes, $12000
73. Blind SQL Injection to InnoGames - 432 upvotes, $2000
74. CRLF injection to Twitter - 423 upvotes, $2940
75. Open prod Jenkins instance to Snapchat - 422 upvotes, $15000
76. One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com to Reddit - 419 upvotes, $10000
77. touch.mail.ru / e.mail.ru memory content disclosure to Mail.ru - 409 upvotes, $10000
78. RCE via unsafe inline Kramdown options when rendering certain Wiki pages to GitLab - 408 upvotes, $20000
79. Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 407 upvotes, $9000
80. Blind XSS on image upload to CS Money - 407 upvotes, $1000
81. Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 404 upvotes, $3000
82. Remote code execution on Basecamp.com to Basecamp - 400 upvotes, $5000
83. H1514 Server Side Template Injection in Return Magic email templates? to Shopify - 397 upvotes, $10000
84. gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read to GitLab - 397 upvotes, $10000
85. June 2022 Incident Report to HackerOne - 396 upvotes, $0
86. Stored XSS Vulnerability to WordPress - 394 upvotes, $500
87. Read-only application can publish/delete fleets to Twitter - 394 upvotes, $7700
88. Chained Bugs to Leak Victim's Uber's FB Oauth Token to Uber - 392 upvotes, $7500
89. Employee's GitHub Token Found In Travis CI Build Logs to Grammarly - 392 upvotes, $5000
90. Account Takeover worki.ru to Mail.ru - 390 upvotes, $1700
91. Flickr Account Takeover using AWS Cognito API to Flickr - 389 upvotes, $7550
92. Modify in-flight data to payment provider Smart2Pay to Valve - 388 upvotes, $7500
93. Denial of service to WP-JSON API by cache poisoning the CORS allow origin header to Automattic - 387 upvotes, $550
94. Full account takeover to Reverb.com - 376 upvotes, $800
95. Cross-organization data access in city-mobil.ru to Mail.ru - 372 upvotes, $8000
96. Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 369 upvotes, $4000
97. SQL injection at fleet.city-mobil.ru to Mail.ru - 369 upvotes, $10000
98. CVE-2019-5765: 1-click HackerOne account takeover on all Android devices to Chrome - 366 upvotes, $0
99. Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure to Dropbox - 360 upvotes, $4913
100. RCE on shared.mail.ru due to "widget" plugin to Mail.ru - 359 upvotes, $10000