TOPACCOUNTTAKEOVER.md

Top Account Takeover reports from HackerOne:

  1. Account takeover via leaked session cookie to HackerOne - 1512 upvotes, $0
  2. Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies to Slack - 826 upvotes, $0
  3. Bypassing Digits origin validation which leads to account takeover to Twitter - 590 upvotes, $5040
  4. Request smuggling on admin-official.line.me could lead to account takeover to LINE - 554 upvotes, $9000
  5. Flickr Account Takeover using AWS Cognito API to Flickr - 394 upvotes, $7550
  6. Account Takeover worki.ru to Mail.ru - 390 upvotes, $1700
  7. Full account takeover to Reverb.com - 380 upvotes, $0
  8. CVE-2019-5765: 1-click HackerOne account takeover on all Android devices to Chrome - 369 upvotes, $0
  9. Account TakeOver at my.33slona.ru to Mail.ru - 359 upvotes, $1700
  10. [CSRF] TikTok Careers Portal Account Takeover to TikTok - 347 upvotes, $2373
  11. [cs.money] Open Redirect Leads to Account Takeover to CS Money - 336 upvotes, $0
  12. Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) to Uber - 293 upvotes, $10000
  13. Reflected XSS at https://pay.gold.razer.com escalated to account takeover to Razer - 287 upvotes, $750
  14. Insufficient OAuth callback validation which leads to Periscope account takeover to Twitter - 260 upvotes, $5040
  15. Account takeover through the combination of cookie manipulation and XSS to Grammarly - 258 upvotes, $2000
  16. Mass Account Takeover at https://app.taxjar.com/ - No user Interaction to Stripe - 230 upvotes, $11500
  17. Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $0
  18. Singapore - Account Takeover via IDOR to Starbucks - 221 upvotes, $0
  19. Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - 212 upvotes, $10500
  20. Account Takeover via Email ID Change and Forgot Password Functionality to New Relic - 211 upvotes, $2048
  21. Account Takeover in Periscope TV to Twitter - 196 upvotes, $7560
  22. Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100
  23. IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 178 upvotes, $0
  24. Account Takeover at worki.ru to Mail.ru - 143 upvotes, $1500
  25. Account Takeover at vseapteki.ru to Mail.ru - 142 upvotes, $2000
  26. Account TakeOver through password recovery at am.ru to Mail.ru - 139 upvotes, $3000
  27. Spring Actuator endpoints publicly available, leading to account takeover to LINE - 136 upvotes, $5000
  28. 1 click Account takeover via deeplink in [com.kayak.android] to KAYAK - 134 upvotes, $3000
  29. Open Redirect on central.uber.com allows for account takeover to Uber - 130 upvotes, $8000
  30. Account takeover - improper validation of jwt signature (with regards to expiration date claim) to Linktree - 122 upvotes, $0
  31. SMS Brute Force Possibility via https://youdrive.today/login/web/code can lead to Account Takeover to Mail.ru - 119 upvotes, $0
  32. Account takeover due to misconfiguration to Mattermost - 109 upvotes, $0
  33. [CRITICAL] Full account takeover without user interaction on sign with Apple flow to Glassdoor - 107 upvotes, $0
  34. [www.32red.com] Reverse proxy misconfiguration leads to 1-click account takeover to Kindred Group - 107 upvotes, $0
  35. Cache Deception Allows Account Takeover to Expedia Group Bug Bounty - 106 upvotes, $750
  36. account takeover https://qiwi.me to QIWI - 106 upvotes, $0
  37. Leak of authorization urls leads to account takeover to Bumble - 105 upvotes, $0
  38. [help.steampowered.com] Account takeover bruteforcing SteamGuard to Valve - 104 upvotes, $2500
  39. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
  40. Mass account takeover! to Stripe - 91 upvotes, $0
  41. password reset token leaking allowed for ATO of an Uber account to Uber - 88 upvotes, $10000
  42. account takeover https://idea.qiwi.com/ to QIWI - 88 upvotes, $0
  43. One Click Account takeover using OAuth CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com to Logitech - 86 upvotes, $200
  44. Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account to Discourse - 82 upvotes, $0
  45. Account Takeover via SMS Authentication Flow to Zenly - 82 upvotes, $0
  46. [CRITICAL] -- Complete Account Takeover to Uber - 81 upvotes, $8000
  47. Cache Poisoning Allows Stored XSS Via hav Cookie Parameter (To Account Takeover) to Expedia Group Bug Bounty - 81 upvotes, $750
  48. CSRF Account Takeover to TikTok - 81 upvotes, $0
  49. Account takeover due to insufficient URL validation on RelayState parameter to GitLab - 80 upvotes, $2450
  50. [CRITICAL] Full account takeover using CSRF to Twitter - 79 upvotes, $0
  51. Urgent! Stored XSS at plugin's violations leading to account takeover to New Relic - 79 upvotes, $0
  52. Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify to Helium - 76 upvotes, $0
  53. Multiple vulnerability leading to account takeover in TikTok SMB subdomain. to TikTok - 76 upvotes, $0
  54. Admin Authentication Bypass Lead to Admin Account Takeover to UPS VDP - 75 upvotes, $0
  55. Account takeover by changing email to Khan Academy - 74 upvotes, $0
  56. Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover to Grammarly - 71 upvotes, $0
  57. Full Account Takeover on *.unibet.com due to crossdomain.xml and AkamaiPlayer loaderContext to Kindred Group - 70 upvotes, $1500
  58. Password Reset Link not expiring after changing the email Leads To Account Takeover to Imgur - 68 upvotes, $0
  59. Account takeover through password reset in cups.mail.ru to Mail.ru - 66 upvotes, $0
  60. Account takeover via Google OneTap to Priceline - 58 upvotes, $0
  61. account takeover on 3.0.1 version to Rocket.Chat - 57 upvotes, $0
  62. Misconfigured oauth leads to Pre account takeover to Bumble - 57 upvotes, $0
  63. account takeover through password reset in url https://reklama.tochka.com/ to QIWI - 56 upvotes, $0
  64. Big Picture web browser leaks login cookies and discloses sensitive information (may lead to account takeover) to Valve - 54 upvotes, $0
  65. No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 52 upvotes, $0
  66. Account Takeover via billing to Chaturbate - 51 upvotes, $8000
  67. CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $256
  68. Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover to Uber - 46 upvotes, $3000
  69. through %09 Character the attacker is able to steal Github Token [ Account Takeover ] to Vercel - 44 upvotes, $0
  70. [CRITICAL] Full account takeover using CSRF to Bumble - 42 upvotes, $0
  71. Forgot Password Page SMS Brute Force could lead to Account Takeover using Android/IOS app "About the house" via api.prodom.smart.space to Mail.ru - 41 upvotes, $0
  72. account takeover https://teamplay.qiwi.com to QIWI - 40 upvotes, $0
  73. Gitlab Oauth Misconfiguration Lead To Account Takeover to Vercel - 39 upvotes, $0
  74. Account takeover through CSRF in http://███████/██████████/default.asp to U.S. Dept Of Defense - 39 upvotes, $0
  75. Account takeover by using abandoned email id of victim which has already been changed to new by victim himself on one.newrelic.com to New Relic - 38 upvotes, $300
  76. Social Club Account Takeover Via RGL And Steam/Epic Linked Account to Rockstar Games - 37 upvotes, $0
  77. Account takeover via XSS to Rocket.Chat - 35 upvotes, $0
  78. Full Account Takeover In ****.ru to Mail.ru - 34 upvotes, $500
  79. Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extent to Rockstar Games - 33 upvotes, $750
  80. Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover to Sorare - 33 upvotes, $300
  81. Missing rate limit for current password field (Password Change) Account Takeover to Acronis - 33 upvotes, $200
  82. Reset password cookie leads to account takeover to Weblate - 33 upvotes, $0
  83. Improper Session management can cause account takeover[https://micropurchase.18f.gov] to GSA Bounty - 32 upvotes, $0
  84. html injection via invite members can lead to account takeover to Mattermost - 31 upvotes, $0
  85. Account takeover just through csrf in https://booking.qiwi.kz/profile to QIWI - 30 upvotes, $0
  86. Account takeover through multistage CSRF at https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer and ../AutoChoice/changePwOktaAnswer to U.S. General Services Administration - 30 upvotes, $0
  87. CSRF On Connect Account With Github Lead To Account Takeover to Vercel - 29 upvotes, $0
  88. Zero click account Takeover due to Api misconfiguration 🏂🎩 to UPchieve - 29 upvotes, $0
  89. Weak rate limit could lead to ATO due to weak password protection mechanisms to Reddit - 28 upvotes, $100
  90. Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com to Automattic - 28 upvotes, $0
  91. Account Takeover possibility via https://awards.donationalerts.com using login with twitch.tv to Mail.ru - 28 upvotes, $0
  92. IDOR when editing email leads to Account Takeover on Atavist to Automattic - 28 upvotes, $0
  93. Cleartext storage of sensitive information at https://staging.status.ai-apps-comms.ibm.com/env can lead to account takeover of several IBM employees to IBM - 28 upvotes, $0
  94. Account takeover on [support2.ucs.ru] to Mail.ru - 26 upvotes, $0
  95. CSRF + XSS leads to ATO to Mail.ru - 26 upvotes, $0
  96. Account Takeover through registration to the same email address to QIWI - 26 upvotes, $0
  97. (Possible) staff account takeover via reset token bruteforce at helpdesk.bistudio.com to BOHEMIA INTERACTIVE a.s. - 25 upvotes, $0
  98. ████ - Complete account takeover to U.S. Dept Of Defense - 24 upvotes, $0
  99. Full account takeover of any user through reset password to UPchieve - 24 upvotes, $0
  100. IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 24 upvotes, $0
  101. CSRF and probable account takeover on https://www.niche.co to Twitter - 23 upvotes, $0
  102. Account takeover in cups.mail.ru using punycode characters to Mail.ru - 23 upvotes, $0
  103. Account Takeover on https://www.delivery-club.ru via partner account. to Mail.ru - 22 upvotes, $1000
  104. CORS misconfig | Account Takeover to Twitter - 22 upvotes, $0
  105. IDOR to Account Takeover on https://████/index.html to U.S. Dept Of Defense - 21 upvotes, $0
  106. weak password policy in signup password leak to account takeover to Stripo Inc - 21 upvotes, $0
  107. Full account takeover on https://████████.mil to U.S. Dept Of Defense - 21 upvotes, $0
  108. Account takeover intercepting magic link for Arrive app to Shopify - 19 upvotes, $500
  109. weak protection against brute-forcing on login api leads to account takeover to Palo Alto Software - 19 upvotes, $0
  110. Account TakeOver at kvartira.city-mobil.ru to Mail.ru - 18 upvotes, $150
  111. [REMOTE] Full Account Takeover At https://██████████████/CAS/ to U.S. Dept Of Defense - 18 upvotes, $0
  112. Account takeover via CORS misconfiguration on https://beta.delivery-club.ru to Mail.ru - 18 upvotes, $0
  113. Account takeover via Pornhub Oauth to Pornhub - 17 upvotes, $1000
  114. Account Takeover on [ls5-dev.ucs.ru] to Mail.ru - 17 upvotes, $0
  115. Account Takeover on unverified emails in File Sync & Share to Acronis - 17 upvotes, $0
  116. IDOR Leads To Account Takeover Without User Interaction to MTN Group - 17 upvotes, $0
  117. Account Takeover to Bumble - 16 upvotes, $850
  118. Insecure password change mechanism may lead to full account takeover to FantasyTote - 16 upvotes, $0
  119. Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand to Automattic - 16 upvotes, $0
  120. [hta3] Chain of ESI Injection & Reflected XSS leading to Account Takeover on [███] to U.S. Dept Of Defense - 16 upvotes, $0
  121. Account takeover at geekbrains.ru to Mail.ru - 15 upvotes, $1500
  122. Password Reset link hijacking via Host Header Poisoning leads to account takeover to U.S. Dept Of Defense - 15 upvotes, $0
  123. Ad Account Takeover to LinkedIn - 15 upvotes, $0
  124. Partner Account Takeover on https://www.delivery-club.ru via user account. to Mail.ru - 14 upvotes, $500
  125. CSRF to account takeover in https://███████.mil/ to U.S. Dept Of Defense - 14 upvotes, $0
  126. self-xss with ClickJacking can lead to account takeover in Firefox to Imgur - 14 upvotes, $0
  127. Account Takeover via Forgot Password Page at https://3k.mail.ru/send_password.php? to Mail.ru - 14 upvotes, $0
  128. No Password Verification on Changing Email Address Cause Account takeover to Coursera - 13 upvotes, $0
  129. CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover to Nord Security - 12 upvotes, $0
  130. Github Account Takeover which is used as gradle vcs in "github.com/palantir/gradle-launch-config-plugin" to Palantir Public - 12 upvotes, $0
  131. Github Account Takeover from Docs page of kubernetes-csi.github.io to Kubernetes - 12 upvotes, $0
  132. Account takeover on ███████ [HtUS] to U.S. Dept Of Defense - 11 upvotes, $500
  133. Leaking Username and Password in the URLs via Virustotal, can lead to account takeover to Chaturbate - 11 upvotes, $0
  134. hard-use account takeover qiwi.com to QIWI - 11 upvotes, $0
  135. IDOR + Account Takeover [UNAUTHENTICATED] to U.S. Dept Of Defense - 11 upvotes, $0
  136. Full account takeover in ███████ due to lack of rate limiting in forgot password to U.S. Dept Of Defense - 11 upvotes, $0
  137. ' Full Account Takeover ' at https://www.miroyalcanin.cl/ to Mars - 11 upvotes, $0
  138. CSRF to ATO at https://█████/user/account [HtUS] to U.S. Dept Of Defense - 10 upvotes, $500
  139. [flintcms] Account takeover due to blind MongoDB injection in password reset to Node.js third-party modules - 10 upvotes, $0
  140. [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources to h1-ctf - 10 upvotes, $0
  141. Full Account Takeover Student Account In https://********.ru/signin/main/student/email to Mail.ru - 9 upvotes, $500
  142. CSRF Full Account Takeover to Concrete CMS - 9 upvotes, $0
  143. Full Account Takeover to OLX - 9 upvotes, $0
  144. Account Takeover using Third party Auth CSRF to Weblate - 9 upvotes, $0
  145. CSRF Full Account Takeover - https://redtube.com/settings to Pornhub - 9 upvotes, $0
  146. Account takeover leading to PII chained with stored XSS to U.S. General Services Administration - 9 upvotes, $0
  147. response manipulation leads to bypass in register at employee website then 0 click account takeover to IBM - 9 upvotes, $0
  148. Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover to EXNESS - 8 upvotes, $300
  149. CSRF in login form would lead to account takeover to Ubiquiti Inc. - 8 upvotes, $0
  150. CSRF token fixation and potential account takeover to Khan Academy - 8 upvotes, $0
  151. Full account takeover am.ru to Mail.ru - 8 upvotes, $0
  152. Oauth Misconfiguration Lead To Account Takeover to Reddit - 8 upvotes, $0
  153. Bruteforcing password reset tokens, could lead to account takeover to Instacart - 7 upvotes, $50
  154. CSRF to account takeover in https://█████/ to U.S. Dept Of Defense - 7 upvotes, $0
  155. Missing rate limit in current password change settings leads to Account takeover to Reddit - 7 upvotes, $0
  156. IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/ to U.S. Dept Of Defense - 7 upvotes, $0
  157. Full account takeover using CSRF and password reset to IRCCloud - 6 upvotes, $0
  158. Liberapay Non Verified Account Takeover with signup feature to Liberapay - 6 upvotes, $0
  159. Account takeover vulnerability by editor role privileged users/attackers via clickjacking to WordPress - 6 upvotes, $0
  160. Account takeover due to CSRF in "Account details" option on █████████ to U.S. Dept Of Defense - 6 upvotes, $0
  161. [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover to Mail.ru - 6 upvotes, $0
  162. [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin to h1-ctf - 6 upvotes, $0
  163. Stored XSS via 64(?) vulnerable fields in ███ leads to credential theft/account takeover to U.S. Dept Of Defense - 6 upvotes, $0
  164. Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover to Automattic - 6 upvotes, $0
  165. No Rate limit on change password leads to account takeover to Reddit - 6 upvotes, $0
  166. Regex account takeover to Rocket.Chat - 6 upvotes, $0
  167. Session mismatch leading to potential account takeover (local access required) to Cloudflare Public Bug Bounty - 6 upvotes, $0
  168. Broken authentication and invalidated email address leads to account takeover to Twitter - 5 upvotes, $0
  169. Password Reset emails missing TLS leads to account takeover to RubyGems - 5 upvotes, $0
  170. No Security check at changing password and at adding mobile number which leads to account takeover and spam to Khan Academy - 5 upvotes, $0
  171. [hosted.weblate.org]Account Takeover to Weblate - 5 upvotes, $0
  172. Weak e-mail change functionality could lead to account takeover to Weblate - 5 upvotes, $0
  173. [H1-2006 2020] Multiple vulnerabilities leading to account takeover to h1-ctf - 5 upvotes, $0
  174. Account Takeover and Information update due to cross site request forgery via POST █████████/registration/my-account.cfm to U.S. Dept Of Defense - 5 upvotes, $0
  175. mrgs.my.games account takeover to Mail.ru - 4 upvotes, $500
  176. Account takeover to HackerOne - 4 upvotes, $0
  177. Clickjacking Full account takeover and editing the personal information at [account.my.com] to Mail.ru - 4 upvotes, $0
  178. Keychain data persistence may lead to account takeover to QIWI - 4 upvotes, $0
  179. registering with the same email address multiple times leads to account takeover to Reddit - 4 upvotes, $0
  180. oauth misconfiguration lead to account takeover to Reddit - 4 upvotes, $0
  181. Session Token is not Verified while changing Account Settings which Results In account Takeover to IRCCloud - 3 upvotes, $0
  182. Account Takeover with old password and login QR to BCM Messenger - 3 upvotes, $0
  183. [h1-2006 2020] Chained vulnerabilities lead to account takeover to h1-ctf - 3 upvotes, $0
  184. Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin to New Relic - 3 upvotes, $0
  185. Password Reset Link not expiring after changing the email Leads To Account Takeover to Nord Security - 3 upvotes, $0
  186. Verification Link not expiring leading to Account Takeover. to New Relic - 3 upvotes, $0
  187. Unauthorized access to PII leads to MASS account Takeover to U.S. Dept Of Defense - 3 upvotes, $0
  188. Limited Account Takeover via Backup codes to Inflection - 2 upvotes, $0
  189. [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties to h1-ctf - 2 upvotes, $0
  190. [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments to h1-ctf - 2 upvotes, $0
  191. Session Token is not Verified while changing Account Settings which Results In account Takeover to FanFootage - 1 upvotes, $0
  192. Full account takeover via Add a New Email to account without email verified and without password confirmation. to Vimeo - 1 upvotes, $0
  193. Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 1 upvotes, $0
  194. CSRF - Modify User Settings with one click - Account TakeOver to U.S. Dept Of Defense - 1 upvotes, $0
  195. No Confirmation or Notification During Email Change which can lead to account takeover to Infogram - 0 upvotes, $0