Top 100 upvoted reports from HackerOne:
- Takeover an account that doesn't have a Shopify ID and more to Shopify - 2975 upvotes, $0
- Bypass for #488147 enables stored XSS on https://paypal.com/signin again to PayPal - 2664 upvotes, $20000
- Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 1905 upvotes, $0
- Account takeover via leaked session cookie to HackerOne - 1616 upvotes, $20000
- Arbitrary file read via the UploadsRewriter when moving an issue to GitLab - 1491 upvotes, $20000
- Github access token exposure to Shopify - 1478 upvotes, $50000
- Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password to PayPal - 1396 upvotes, $15300
- RCE on Steam Client via buffer overflow in Server Info to Valve - 1286 upvotes, $0
- Potential pre-auth RCE on Twitter VPN to X / xAI - 1232 upvotes, $20160
- Exposed Kubernetes API - RCE/Exposed Creds to Snapchat - 1179 upvotes, $25000
- Confidential data of users and limited metadata of programs and reports accessible via GraphQL to HackerOne - 1027 upvotes, $0
- Improper Authentication - any user can login as other user with otp/logout & otp/login to Snapchat - 959 upvotes, $0
- RCE via npm misconfig -- installing internal libraries from the public registry to PayPal - 925 upvotes, $30000
- [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 892 upvotes, $0
- Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies to Slack - 861 upvotes, $0
- Account Takeover via Password Reset without user interactions to GitLab - 859 upvotes, $35000
- DoS on PayPal via web cache poisoning to PayPal - 845 upvotes, $9700
- H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 828 upvotes, $0
- Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 822 upvotes, $0
- WannaCrypt “Killswitch” to HackerOne - 807 upvotes, $0
- SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database to Starbucks - 786 upvotes, $0
- Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application to PlayStation - 775 upvotes, $15000
- Delete anyone's content spotlight remotely. to Snapchat - 775 upvotes, $15000
- Git flag injection - local file overwrite to remote code execution to GitLab - 773 upvotes, $12000
- Subdomain Takeover to Authentication bypass to Roblox - 773 upvotes, $0
- IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 770 upvotes, $10500
- Exfiltrate and mutate repository and project data through injected templated service to GitLab - 754 upvotes, $11000
- Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives to PlayStation - 740 upvotes, $10000
- JumpCloud API Key leaked via Open Github Repository. to Starbucks - 732 upvotes, $0
- SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent to GSA Bounty - 693 upvotes, $0
- Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 685 upvotes, $0
- Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ to Glassdoor - 682 upvotes, $0
- Stored XSS on https://paypal.com/signin via cache poisoning to PayPal - 679 upvotes, $18900
- 🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter to Razer - 676 upvotes, $2000
- Email address of any user can be queried on Report Invitation GraphQL type when username is known to HackerOne - 663 upvotes, $0
- My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft to Lyft - 653 upvotes, $0
- Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter to Uber - 639 upvotes, $0
- Ability to reset password for account to Upserve - 631 upvotes, $0
- Time-Based SQL injection at city-mobil.ru to Mail.ru - 631 upvotes, $15000
- Getting all the CD keys of any game to Valve - 630 upvotes, $20000
- Stored XSS in Wiki pages to GitLab - 617 upvotes, $0
- Bypassing Digits origin validation which leads to account takeover to X / xAI - 612 upvotes, $0
- [phpobject in cookie] Remote shell/command execution to Pornhub - 607 upvotes, $20000
- Stored XSS on imgur profile to Imgur - 604 upvotes, $0
- The /reports/:id.json endpoint discloses potentially sensitive user attributes when reporter summary is present to HackerOne - 601 upvotes, $25000
- Customer private program can disclose email any users through invited via username to HackerOne - 584 upvotes, $7500
- SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter to Razer - 580 upvotes, $2000
- Github Token Leaked publicly for https://github.sc-corp.net to Snapchat - 579 upvotes, $0
- SSRF in Exchange leads to ROOT access in all instances to Shopify - 571 upvotes, $0
- RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ to Starbucks - 568 upvotes, $0
- Request smuggling on admin-official.line.me could lead to account takeover to LY Corporation - 563 upvotes, $0
- The return of the < to Rockstar Games - 562 upvotes, $1000
- Publicly accessible Continuous Integration Tool to Snapchat - 560 upvotes, $0
- Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com to Eternal - 557 upvotes, $0
- Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 555 upvotes, $0
- Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 550 upvotes, $0
- BAD Code ! to Paragon Initiative Enterprises - 541 upvotes, $0
- [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure to Grab - 541 upvotes, $0
- Local files could be overwritten in GitLab, leading to remote command execution to GitLab - 539 upvotes, $12000
- SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog to Razer - 528 upvotes, $2000
- Shopify Stocky App OAuth Misconfiguration to Shopify - 523 upvotes, $0
- Server Side Request Forgery (SSRF) via Analytics Reports to HackerOne - 508 upvotes, $0
- Remote Code Execution in Slack desktop apps + bonus to Slack - 504 upvotes, $0
- RCE when removing metadata with ExifTool to GitLab - 503 upvotes, $20000
- One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com to Reddit - 497 upvotes, $0
- Able to Become Admin for Any LINE Official Account to LY Corporation - 491 upvotes, $0
- Password theft login.newrelic.com via Request Smuggling to New Relic - 490 upvotes, $3000
- XSS in steam react chat client to Valve - 483 upvotes, $7500
- Reflected XSS in OAUTH2 login flow to LY Corporation - 483 upvotes, $1989
- SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 475 upvotes, $0
- profile-picture name parameter with large value lead to DoS for other users and programs on the platform to HackerOne - 473 upvotes, $0
- How the Bug stole hacking to HackerOne - 467 upvotes, $0
- Steal ALL collateral during liquidation by exploiting lack of validation in flip.kick to BlockDev Sp. Z o.o - 464 upvotes, $0
- Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 464 upvotes, $0
- Access to multiple production Grafana dashboards to Snapchat - 459 upvotes, $10000
- XSS vulnerable parameter in a location hash to Slack - 451 upvotes, $0
- Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 450 upvotes, $12000
- Blind XSS on image upload to CS Money - 441 upvotes, $1000
- CRLF injection to X / xAI - 436 upvotes, $0
- Flickr Account Takeover using AWS Cognito API to Flickr - 435 upvotes, $0
- Reset password link sent over unsecured http protocol to Mattermost - 434 upvotes, $750
- Open prod Jenkins instance to Snapchat - 432 upvotes, $15000
- Blind SQL Injection to InnoGames - 432 upvotes, $2000
- Modify in-flight data to payment provider Smart2Pay to Valve - 425 upvotes, $7500
- [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - 424 upvotes, $39999
- RCE via unsafe inline Kramdown options when rendering certain Wiki pages to GitLab - 423 upvotes, $20000
- Chained Bugs to Leak Victim's Uber's FB Oauth Token to Uber - 422 upvotes, $0
- June 2022 Incident Report to HackerOne - 420 upvotes, $0
- An attacker can view any hacker email via /SaveCollaboratorsMutation operation name to HackerOne - 420 upvotes, $12500
- Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata to Snapchat - 416 upvotes, $0
- Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 415 upvotes, $0
- Remote code execution on Basecamp.com to Basecamp - 414 upvotes, $5000
- touch.mail.ru / e.mail.ru memory content disclosure to Mail.ru - 409 upvotes, $10000
- H1514 Server Side Template Injection in Return Magic email templates? to Shopify - 408 upvotes, $0
- gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read to GitLab - 408 upvotes, $10000
- Employee's GitHub Token Found In Travis CI Build Logs to Superhuman (formerly Grammarly) - 405 upvotes, $5000
- Full account takeover to Reverb.com - 405 upvotes, $0
- Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 404 upvotes, $3000
- Denial of service to WP-JSON API by cache poisoning the CORS allow origin header to Automattic - 402 upvotes, $0
- Stored XSS Vulnerability to WordPress - 400 upvotes, $0