Top Account Takeover reports from HackerOne:
- Account takeover via leaked session cookie to HackerOne - 1512 upvotes, $0
- Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies to Slack - 826 upvotes, $0
- Bypassing Digits origin validation which leads to account takeover to Twitter - 590 upvotes, $5040
- Request smuggling on admin-official.line.me could lead to account takeover to LINE - 554 upvotes, $9000
- Flickr Account Takeover using AWS Cognito API to Flickr - 394 upvotes, $7550
- Account Takeover worki.ru to Mail.ru - 390 upvotes, $1700
- Full account takeover to Reverb.com - 380 upvotes, $0
- CVE-2019-5765: 1-click HackerOne account takeover on all Android devices to Chrome - 369 upvotes, $0
- Account TakeOver at my.33slona.ru to Mail.ru - 359 upvotes, $1700
- [CSRF] TikTok Careers Portal Account Takeover to TikTok - 347 upvotes, $2373
- [cs.money] Open Redirect Leads to Account Takeover to CS Money - 336 upvotes, $0
- Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) to Uber - 293 upvotes, $10000
- Reflected XSS at https://pay.gold.razer.com escalated to account takeover to Razer - 287 upvotes, $750
- Insufficient OAuth callback validation which leads to Periscope account takeover to Twitter - 260 upvotes, $5040
- Account takeover through the combination of cookie manipulation and XSS to Grammarly - 258 upvotes, $2000
- Mass Account Takeover at https://app.taxjar.com/ - No user Interaction to Stripe - 230 upvotes, $11500
- Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $0
- Singapore - Account Takeover via IDOR to Starbucks - 221 upvotes, $0
- Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - 212 upvotes, $10500
- Account Takeover via Email ID Change and Forgot Password Functionality to New Relic - 211 upvotes, $2048
- Account Takeover in Periscope TV to Twitter - 196 upvotes, $7560
- Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100
- IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 178 upvotes, $0
- Account Takeover at worki.ru to Mail.ru - 143 upvotes, $1500
- Account Takeover at vseapteki.ru to Mail.ru - 142 upvotes, $2000
- Account TakeOver through password recovery at am.ru to Mail.ru - 139 upvotes, $3000
- Spring Actuator endpoints publicly available, leading to account takeover to LINE - 136 upvotes, $5000
- 1 click Account takeover via deeplink in [com.kayak.android] to KAYAK - 134 upvotes, $3000
- Open Redirect on central.uber.com allows for account takeover to Uber - 130 upvotes, $8000
- Account takeover - improper validation of jwt signature (with regard to expiration date claim) to Linktree - 122 upvotes, $0
- SMS Brute Force Possibility via https://youdrive.today/login/web/code can lead to Account Takeover to Mail.ru - 119 upvotes, $0
- Account takeover due to misconfiguration to Mattermost - 109 upvotes, $0
- [CRITICAL] Full account takeover without user interaction on sign with Apple flow to Glassdoor - 107 upvotes, $0
- [www.32red.com] Reverse proxy misconfiguration leads to 1-click account takeover to Kindred Group - 107 upvotes, $0
- Cache Deception Allows Account Takeover to Expedia Group Bug Bounty - 106 upvotes, $750
- account takeover https://qiwi.me to QIWI - 106 upvotes, $0
- Leak of authorization urls leads to account takeover to Bumble - 105 upvotes, $0
- [help.steampowered.com] Account takeover bruteforcing SteamGuard to Valve - 104 upvotes, $2500
- Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
- Mass account takeover! to Stripe - 91 upvotes, $0
- password reset token leaking allowed for ATO of an Uber account to Uber - 88 upvotes, $10000
- account takeover https://idea.qiwi.com/ to QIWI - 88 upvotes, $0
- One Click Account takeover using OAuth CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com to Logitech - 86 upvotes, $200
- Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account to Discourse - 82 upvotes, $0
- Account Takeover via SMS Authentication Flow to Zenly - 82 upvotes, $0
- [CRITICAL] -- Complete Account Takeover to Uber - 81 upvotes, $8000
- Cache Poisoning Allows Stored XSS Via hav Cookie Parameter (To Account Takeover) to Expedia Group Bug Bounty - 81 upvotes, $750
- CSRF Account Takeover to TikTok - 81 upvotes, $0
- Account takeover due to insufficient URL validation on RelayState parameter to GitLab - 80 upvotes, $2450
- [CRITICAL] Full account takeover using CSRF to Twitter - 79 upvotes, $0
- Urgent! Stored XSS at plugin's violations leading to account takeover to New Relic - 79 upvotes, $0
- Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify to Helium - 76 upvotes, $0
- Multiple vulnerability leading to account takeover in TikTok SMB subdomain. to TikTok - 76 upvotes, $0
- Admin Authentication Bypass Lead to Admin Account Takeover to UPS VDP - 75 upvotes, $0
- Account takeover by changing email to Khan Academy - 74 upvotes, $0
- Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover to Grammarly - 71 upvotes, $0
- Full Account Takeover on *.unibet.com due to crossdomain.xml and AkamaiPlayer loaderContext to Kindred Group - 70 upvotes, $1500
- Password Reset Link not expiring after changing the email Leads To Account Takeover to Imgur - 68 upvotes, $0
- Account takeover through password reset in cups.mail.ru to Mail.ru - 66 upvotes, $0
- Account takeover via Google OneTap to Priceline - 58 upvotes, $0
- account takeover on 3.0.1 version to Rocket.Chat - 57 upvotes, $0
- Misconfigured oauth leads to Pre account takeover to Bumble - 57 upvotes, $0
- account takeover through password reset in url https://reklama.tochka.com/ to QIWI - 56 upvotes, $0
- Big Picture web browser leaks login cookies and discloses sensitive information (may lead to account takeover) to Valve - 54 upvotes, $0
- No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 52 upvotes, $0
- Account Takeover via billing to Chaturbate - 51 upvotes, $8000
- CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $256
- Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover to Uber - 46 upvotes, $3000
- through %09 Character the attacker is able to steal Github Token [ Account Takeover ] to Vercel - 44 upvotes, $0
- [CRITICAL] Full account takeover using CSRF to Bumble - 42 upvotes, $0
- Forgot Password Page SMS Brute Force could lead to Account Takeover using Android/IOS app "About the house" via api.prodom.smart.space to Mail.ru - 41 upvotes, $0
- account takeover https://teamplay.qiwi.com to QIWI - 40 upvotes, $0
- Gitlab Oauth Misconfiguration Lead To Account Takeover to Vercel - 39 upvotes, $0
- Account takeover through CSRF in http://███████/██████████/default.asp to U.S. Dept Of Defense - 39 upvotes, $0
- Account takeover by using abandoned email id of victim which has already been changed to new by victim himself on one.newrelic.com to New Relic - 38 upvotes, $300
- Social Club Account Takeover Via RGL And Steam/Epic Linked Account to Rockstar Games - 37 upvotes, $0
- Account takeover via XSS to Rocket.Chat - 35 upvotes, $0
- Full Account Takeover In ****.ru to Mail.ru - 34 upvotes, $500
- Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extent to Rockstar Games - 33 upvotes, $750
- Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover to Sorare - 33 upvotes, $300
- Missing rate limit for current password field (Password Change) Account Takeover to Acronis - 33 upvotes, $200
- Reset password cookie leads to account takeover to Weblate - 33 upvotes, $0
- Improper Session management can cause account takeover[https://micropurchase.18f.gov] to GSA Bounty - 32 upvotes, $0
- html injection via invite members can lead to account takeover to Mattermost - 31 upvotes, $0
- Account takeover just through csrf in https://booking.qiwi.kz/profile to QIWI - 30 upvotes, $0
- Account takeover through multistage CSRF at https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer and ../AutoChoice/changePwOktaAnswer to U.S. General Services Administration - 30 upvotes, $0
- CSRF On Connect Account With Github Lead To Account Takeover to Vercel - 29 upvotes, $0
- Zero click account Takeover due to Api misconfiguration 🏂🎩 to UPchieve - 29 upvotes, $0
- Weak rate limit could lead to ATO due to weak password protection mechanisms to Reddit - 28 upvotes, $100
- Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com to Automattic - 28 upvotes, $0
- Account Takeover possibility via https://awards.donationalerts.com using login with twitch.tv to Mail.ru - 28 upvotes, $0
- IDOR when editing email leads to Account Takeover on Atavist to Automattic - 28 upvotes, $0
- Cleartext storage of sensitive information at https://staging.status.ai-apps-comms.ibm.com/env can lead to account takeover of several IBM employees to IBM - 28 upvotes, $0
- Account takeover on [support2.ucs.ru] to Mail.ru - 26 upvotes, $0
- CSRF + XSS leads to ATO to Mail.ru - 26 upvotes, $0
- Account Takeover through registration to the same email address to QIWI - 26 upvotes, $0
- (Possible) staff account takeover via reset token bruteforce at helpdesk.bistudio.com to BOHEMIA INTERACTIVE a.s. - 25 upvotes, $0
- ████ - Complete account takeover to U.S. Dept Of Defense - 24 upvotes, $0
- Full account takeover of any user through reset password to UPchieve - 24 upvotes, $0
- IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 24 upvotes, $0
- CSRF and probable account takeover on https://www.niche.co to Twitter - 23 upvotes, $0
- Account takeover in cups.mail.ru using punycode characters to Mail.ru - 23 upvotes, $0
- Account Takeover on https://www.delivery-club.ru via a partner account. to Mail.ru - 22 upvotes, $1000
- CORS misconfig | Account Takeover to Twitter - 22 upvotes, $0
- IDOR to Account Takeover on https://████/index.html to U.S. Dept Of Defense - 21 upvotes, $0
- weak password policy in signup password leak to account takeover to Stripo Inc - 21 upvotes, $0
- Full account takeover on https://████████.mil to U.S. Dept Of Defense - 21 upvotes, $0
- Account takeover intercepting magic link for Arrive app to Shopify - 19 upvotes, $500
- weak protection against brute-forcing on login api leads to account takeover to Palo Alto Software - 19 upvotes, $0
- Account TakeOver at kvartira.city-mobil.ru to Mail.ru - 18 upvotes, $150
- [REMOTE] Full Account Takeover At https://██████████████/CAS/ to U.S. Dept Of Defense - 18 upvotes, $0
- Account takeover via CORS misconfiguration on https://beta.delivery-club.ru to Mail.ru - 18 upvotes, $0
- Account takeover via Pornhub Oauth to Pornhub - 17 upvotes, $1000
- Account Takeover on [ls5-dev.ucs.ru] to Mail.ru - 17 upvotes, $0
- Account Takeover on unverified emails in File Sync & Share to Acronis - 17 upvotes, $0
- IDOR Leads To Account Takeover Without User Interaction to MTN Group - 17 upvotes, $0
- Account Takeover to Bumble - 16 upvotes, $850
- Insecure password change mechanism may lead to full account takeover to FantasyTote - 16 upvotes, $0
- Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand to Automattic - 16 upvotes, $0
- [hta3] Chain of ESI Injection & Reflected XSS leading to Account Takeover on [███] to U.S. Dept Of Defense - 16 upvotes, $0
- Account takeover at geekbrains.ru to Mail.ru - 15 upvotes, $1500
- Password Reset link hijacking via Host Header Poisoning leads to account takeover to U.S. Dept Of Defense - 15 upvotes, $0
- Ad Account Takeover to LinkedIn - 15 upvotes, $0
- Partner Account Takeover on https://www.delivery-club.ru via a user account. to Mail.ru - 14 upvotes, $500
- CSRF to account takeover in https://███████.mil/ to U.S. Dept Of Defense - 14 upvotes, $0
- self-xss with ClickJacking can lead to account takeover in Firefox to Imgur - 14 upvotes, $0
- Account Takeover via Forgot Password Page at https://3k.mail.ru/send_password.php? to Mail.ru - 14 upvotes, $0
- No Password Verification on Changing Email Address Cause Account takeover to Coursera - 13 upvotes, $0
- CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure, Account takeover to Nord Security - 12 upvotes, $0
- Github Account Takeover which is used as gradle vcs in "github.com/palantir/gradle-launch-config-plugin" to Palantir Public - 12 upvotes, $0
- Github Account Takeover from Docs page of kubernetes-csi.github.io to Kubernetes - 12 upvotes, $0
- Account takeover on ███████ [HtUS] to U.S. Dept Of Defense - 11 upvotes, $500
- Leaking Username and Password in the URLs via Virustotal, can lead to account takeover to Chaturbate - 11 upvotes, $0
- hard-use account takeover qiwi.com to QIWI - 11 upvotes, $0
- IDOR + Account Takeover [UNAUTHENTICATED] to U.S. Dept Of Defense - 11 upvotes, $0
- Full account takeover in ███████ due to lack of rate limiting in forgot password to U.S. Dept Of Defense - 11 upvotes, $0
- 'Full Account Takeover' at https://www.miroyalcanin.cl/ to Mars - 11 upvotes, $0
- CSRF to ATO at https://█████/user/account [HtUS] to U.S. Dept Of Defense - 10 upvotes, $500
- [flintcms] Account takeover due to blind MongoDB injection in password reset to Node.js third-party modules - 10 upvotes, $0
- [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources to h1-ctf - 10 upvotes, $0
- Full Account Takeover Student Account In https://********.ru/signin/main/student/email to Mail.ru - 9 upvotes, $500
- CSRF Full Account Takeover to Concrete CMS - 9 upvotes, $0
- Full Account Takeover to OLX - 9 upvotes, $0
- Account Takeover using Third party Auth CSRF to Weblate - 9 upvotes, $0
- CSRF Full Account Takeover - https://redtube.com/settings to Pornhub - 9 upvotes, $0
- Account takeover leading to PII chained with stored XSS to U.S. General Services Administration - 9 upvotes, $0
- response manipulation leads to bypass in register at employee website than 0 click account takeover to IBM - 9 upvotes, $0
- Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover to EXNESS - 8 upvotes, $300
- CSRF in login form would lead to account takeover to Ubiquiti Inc. - 8 upvotes, $0
- CSRF token fixation and potential account takeover to Khan Academy - 8 upvotes, $0
- Full account takeover am.ru to Mail.ru - 8 upvotes, $0
- Oauth Misconfiguration Lead To Account Takeover to Reddit - 8 upvotes, $0
- Bruteforcing password reset tokens, could lead to account takeover to Instacart - 7 upvotes, $50
- CSRF to account takeover in https://█████/ to U.S. Dept Of Defense - 7 upvotes, $0
- Missing rate limit in current password change settings leads to Account takeover to Reddit - 7 upvotes, $0
- IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/ to U.S. Dept Of Defense - 7 upvotes, $0
- Full account takeover using CSRF and password reset to IRCCloud - 6 upvotes, $0
- Liberapay Non Verified Account Takeover with signup feature to Liberapay - 6 upvotes, $0
- Account takeover vulnerability by editor role privileged users/attackers via clickjacking to WordPress - 6 upvotes, $0
- Account takeover due to CSRF in "Account details" option on █████████ to U.S. Dept Of Defense - 6 upvotes, $0
- [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover to Mail.ru - 6 upvotes, $0
- [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin to h1-ctf - 6 upvotes, $0
- Stored XSS via 64(?) vulnerable fields in ███ leads to credential theft/account takeover to U.S. Dept Of Defense - 6 upvotes, $0
- Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover to Automattic - 6 upvotes, $0
- No Rate limit on change password leads to account takeover to Reddit - 6 upvotes, $0
- Regex account takeover to Rocket.Chat - 6 upvotes, $0
- Session mismatch leading to potential account takeover (local access required) to Cloudflare Public Bug Bounty - 6 upvotes, $0
- Broken authentication and invalidated email address leads to account takeover to Twitter - 5 upvotes, $0
- Password Reset emails missing TLS leads to account takeover to RubyGems - 5 upvotes, $0
- No Security check at changing password and at adding mobile number which leads to account takeover and spam to Khan Academy - 5 upvotes, $0
- [hosted.weblate.org]Account Takeover to Weblate - 5 upvotes, $0
- Weak e-mail change functionality could lead to account takeover to Weblate - 5 upvotes, $0
- [H1-2006 2020] Multiple vulnerabilities leading to account takeover to h1-ctf - 5 upvotes, $0
- Account Takeover and Information update due to cross site request forgery via POST █████████/registration/my-account.cfm to U.S. Dept Of Defense - 5 upvotes, $0
- mrgs.my.games account takeover to Mail.ru - 4 upvotes, $500
- Account takeover to HackerOne - 4 upvotes, $0
- Clickjacking Full account takeover and editing the personal information at [account.my.com] to Mail.ru - 4 upvotes, $0
- Keychain data persistence may lead to account takeover to QIWI - 4 upvotes, $0
- registering with the same email address multiple times leads to account takeover to Reddit - 4 upvotes, $0
- oauth misconfiguration lead to account takeover to Reddit - 4 upvotes, $0
- Session Token is not Verified while changing Account Settings which Results In account Takeover to IRCCloud - 3 upvotes, $0
- Account Takeover with old password and login QR to BCM Messenger - 3 upvotes, $0
- [h1-2006 2020] Chained vulnerabilities lead to account takeover to h1-ctf - 3 upvotes, $0
- Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin to New Relic - 3 upvotes, $0
- Password Reset Link not expiring after changing the email Leads To Account Takeover to Nord Security - 3 upvotes, $0
- Verification Link not expiring leading to Account Takeover. to New Relic - 3 upvotes, $0
- Unauthorized access to PII leads to MASS account Takeover to U.S. Dept Of Defense - 3 upvotes, $0
- Limited Account Takeover via Backup codes to Inflection - 2 upvotes, $0
- [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties to h1-ctf - 2 upvotes, $0
- [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments to h1-ctf - 2 upvotes, $0
- Session Token is not Verified while changing Account Settings which Results In account Takeover to FanFootage - 1 upvotes, $0
- Full account takeover via Add a New Email to account without email verified and without password confirmation. to Vimeo - 1 upvotes, $0
- Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 1 upvotes, $0
- CSRF - Modify User Settings with one click - Account TakeOver to U.S. Dept Of Defense - 1 upvotes, $0
- No Confirmation or Notification During Email Change which can lead to account takeover to Infogram - 0 upvotes, $0