Top REST API reports from HackerOne:
- Exposed Kubernetes API - RCE/Exposed Creds to Snapchat - 1102 upvotes, $25000
- JumpCloud API Key leaked via Open Github Repository. to Starbucks - 711 upvotes, $0
- Flickr Account Takeover using AWS Cognito API to Flickr - 394 upvotes, $7550
- Denial of service to WP-JSON API by cache poisoning the CORS allow origin header to Automattic - 387 upvotes, $0
- [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - 281 upvotes, $39999
- Blind SSRF to internal services in matrix preview_link API to Reddit - 279 upvotes, $6000
- Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 218 upvotes, $0
- Google API key leaked to Public to FetLife - 206 upvotes, $0
- Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api to GitHub - 178 upvotes, $20000
- [IDOR] API endpoint leaking sensitive user information to Razer - 172 upvotes, $375
- Undocumented fileCopy GraphQL API to Shopify - 140 upvotes, $2000
- Bug in GraphQL and API integration leads to limited user address disclosure to Starbucks - 136 upvotes, $0
- Public and secret api key leaked in JavaScript source to Stripo Inc - 134 upvotes, $0
- Disclose any user's private email through API to HackerOne - 130 upvotes, $0
- Git flag injection - Search API with scope 'blobs' to GitLab - 125 upvotes, $7000
- Client secret, server tokens for developer applications returned by internal API to Uber - 117 upvotes, $0
- "😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ to Mail.ru - 117 upvotes, $0
- Apache Flink RCE via GET jar/plan API Endpoint to Aiven Ltd - 116 upvotes, $6000
- China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint to Starbucks - 112 upvotes, $0
- Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
- Leak ██████████ information in real time through API request to Grab - 96 upvotes, $3000
- Full access to InDrive jira panel via exposed API token to inDrive - 93 upvotes, $0
- Support Portal Takeover via Leaked API KEY to AMBER AI - 90 upvotes, $1500
- Multiple IDORs in family pairing api to TikTok - 87 upvotes, $0
- Exposed Cortex API at https://cortex-ingest.shopifycloud.com/ to Shopify - 86 upvotes, $6300
- Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 86 upvotes, $0
- Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app to Reverb.com - 84 upvotes, $0
- Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API to LINE - 80 upvotes, $0
- Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning to Semmle - 75 upvotes, $0
- Near to Infinite loop when changing Group's name that has API token as Team Member to HackerOne - 72 upvotes, $2500
- Bumble API exposes read status of chat messages to Bumble - 69 upvotes, $600
- Making program preference -> program visibility feature useless and disclosing API Identifier in the progress and data that may cause potential IDORS. to HackerOne - 68 upvotes, $0
- Internal API endpoint discloses full account name of email address associated with unconfirmed user to New Relic - 61 upvotes, $1500
- Improper Authentication in Vimeo's API 'versions' endpoint. to Vimeo - 57 upvotes, $0
- Email addresses exposed in getPersonBySlug API to Semmle - 57 upvotes, $0
- Google API key leaks and security misconfiguration leads Open Redirect Vulnerability to Clario - 53 upvotes, $300
- DoS via markdown API from unauthenticated user to GitHub - 49 upvotes, $4000
- SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X to Kubernetes - 44 upvotes, $1000
- Insecure Storage and Overly Permissive API Keys in Android App to Zenly - 44 upvotes, $750
- XSPA on API service endpoint to Polymail, Inc. - 43 upvotes, $0
- TAMS registration details API for admins open at https://tamsapi.gsa.gov/user/tams/api/usermgmnt/pendingUserDetails/ to U.S. General Services Administration - 43 upvotes, $0
- API Last Request Date/Time Not Updating to HackerOne - 42 upvotes, $0
- Execution of API methods when opening a community/application to VK.com - 41 upvotes, $2000
- Google Maps API key stored as plain text leading to DOS and financial damage to Zenly - 41 upvotes, $750
- Stored XSS in blog comments through Shopify API to Shopify - 41 upvotes, $0
- Unauthenticated Private Messages Disclosure via WordPress Rest API to Automattic - 41 upvotes, $0
- Missing authentication in buddy group API of LINE TIMELINE to LINE - 40 upvotes, $3000
- Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application to PlayStation - 40 upvotes, $1000
- Milestones leaked via search API to GitLab - 40 upvotes, $0
- Improper access control for users with expired password, giving the user full access through API and Git to GitLab - 39 upvotes, $950
- API method at api.my.games allows to enumerate user emails to Mail.ru - 39 upvotes, $400
- Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API to Reddit - 39 upvotes, $0
- API key (api.semrush.com) leak in JS-file to Semrush - 38 upvotes, $0
- Race Conditions in OAuth 2 API implementations to Internet Bug Bounty - 37 upvotes, $2500
- CSRF on cards API to Twitter - 37 upvotes, $280
- IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account to EXNESS - 36 upvotes, $0
- Internal API endpoint is accessible for everyone to WHO COVID-19 Mobile App - 35 upvotes, $0
- StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts to Shopify - 34 upvotes, $500
- Users can enable API access for free via mass assignment to New Relic - 34 upvotes, $0
- Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host to GSA Bounty - 32 upvotes, $0
- Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header to Snapchat - 32 upvotes, $0
- API request signature can be reused with other parameters/data than the original in certain cases to Gatecoin - 31 upvotes, $0
- Improper Access Control in LINE Timeline API that returns a list of hidden friends to LINE - 31 upvotes, $0
- IDOR in family pairing API to TikTok - 30 upvotes, $0
- API on campus-vtc.com allows access to ~100 Uber users' full names, email addresses and telephone numbers. to Uber - 29 upvotes, $750
- Public and secret api key leaked via Solana BBP github repo to Solana BBP - 29 upvotes, $0
- Zero click account Takeover due to Api misconfiguration 🏂🎩 to UPchieve - 29 upvotes, $0
- Delete any LinkedIn comment on learning API of other users to LinkedIn - 29 upvotes, $0
- Organization Takeover via invitation API to Helium - 27 upvotes, $100
- Make API calls on behalf of another user (CSRF protection bypass) to Vimeo - 27 upvotes, $0
- JSON CSRF on POST Heartbeats API to WakaTime - 27 upvotes, $0
- Secret API Key is logged in cleartext to Omise - 27 upvotes, $0
- IDOR in TalentMAP API can be abused to enumerate personal information of all the users to U.S. Department of State - 27 upvotes, $0
- [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth to Uber - 26 upvotes, $500
- IDOR on www.acronis.com API lead to steal private business user information to Acronis - 26 upvotes, $100
- CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 26 upvotes, $0
- API - Amazon S3 bucket misconfiguration to BCM Messenger - 26 upvotes, $0
- API docs expose an active token for the sample domain theburritobot.com to Cloudflare Public Bug Bounty - 25 upvotes, $500
- Full Api Access and Run All Functions via Starbucks App to Starbucks - 25 upvotes, $0
- GitHub API Key for BrewTestBot is publicly exposed to Homebrew - 25 upvotes, $0
- Api Token Leaked in [shoppers.shipt.com] to Shipt - 24 upvotes, $200
- Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation to Urban Dictionary - 24 upvotes, $0
- Open API For Username enumeration to WordPress - 24 upvotes, $0
- IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 24 upvotes, $0
- Stored XSS on PyPi simple API endpoint to GitLab - 23 upvotes, $3000
- Internal Employee informations Disclosure via TikTok Athena api to TikTok - 23 upvotes, $1000
- IDOR in "external status check" API leaks data about any status check on the instance to GitLab - 23 upvotes, $610
- Sensitive information disclosure to shared access user via streamlabs platform api to Logitech - 23 upvotes, $200
- relap.io/admin/api - administrative API is accessible without authentication to Mail.ru - 22 upvotes, $3000
- REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details to Mail.ru - 22 upvotes, $1000
- ████ api key exposed in github.com/███/███ to 8x8 - 22 upvotes, $0
- Unauthorized Access to Protected Tweets via niche.co API to Twitter - 21 upvotes, $0
- Privilege Escalation using API->Feature to Ubiquiti Inc. - 21 upvotes, $0
- Redmin API Key Exposed In GitHub to Mail.ru - 20 upvotes, $0
- Leak of Google Sheets API credentials to Azbuka Vkusa - 20 upvotes, $0
- Exposed API-key allows to control nightly builds of firmwares (█████████ & ████████) to Ubiquiti Inc. - 19 upvotes, $0
- Add a video to favourite list of any user [via YouPorn API / FrontEnd] to Pornhub - 19 upvotes, $0
- weak protection against brute-forcing on login api leads to account takeover to Palo Alto Software - 19 upvotes, $0
- Internal machine learning API endpoint for CWE classification is vulnerable to path traversal to HackerOne - 19 upvotes, $0
- AppLovin API Key hardcoded in a Github repo to Twitter - 18 upvotes, $280
- Google Maps API key leaked during device pairing to Ping Identity - 18 upvotes, $150
- User Information Disclosure via the REST API - /?_method=GET to LocalTapiola - 18 upvotes, $50
- [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool to h1-ctf - 18 upvotes, $0
- XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) to Mail.ru - 18 upvotes, $0
- CSRF in attach phone API endpoint on delivery-club.ru to Mail.ru - 17 upvotes, $0
- CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218] to Mail.ru - 17 upvotes, $0
- Leaking Rockset API key on Github to Rockset - 17 upvotes, $0
- Invalid Phabricator API token revealed through error message when escalating a report to HackerOne - 16 upvotes, $500
- Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. to Algolia - 16 upvotes, $400
- Race condition on the Federalist API endpoints can lead to the Denial of Service attack to GSA Bounty - 16 upvotes, $0
- jaas.8x8.vc: Removed users can still have READ/WRITE access to the workspace via different API endpoints to 8x8 Bounty - 16 upvotes, $0
- Users querying dim_hacker_reports table through Analytics API can determine data from dim_reports table using WHERE or HAVING query to HackerOne - 16 upvotes, $0
- anti_ransomware_service.exe REST API does not require authentication to Acronis - 15 upvotes, $200
- Full Path Disclosure in Wordpress Rest API Response to Showmax - 15 upvotes, $50
- https://zest.co.th/zestlinepay/checkproduct API endpoint suffers from Boolean-based SQL injection to Razer - 15 upvotes, $0
- Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo to Stripo Inc - 15 upvotes, $0
- Public and secret api key leaked in JavaScript source to Top Echelon Software - 15 upvotes, $0
- Public Postman Api Collection Leaks Internal access to https://assets-paris-dev.codefi.network/ to Consensys - 14 upvotes, $500
- MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more to h1-5411-CTF - 14 upvotes, $0
- IDOR - setAttribute action of user object in API to Open-Xchange - 13 upvotes, $400
- Open API - AWS S3 GET Bucket (List Objects) Version 1 to ecobee - 13 upvotes, $0
- Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token. to HackerOne - 13 upvotes, $0
- Akismet API keys are exposed by authentication method to Automattic - 13 upvotes, $0
- Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture. to Rocket.Chat - 13 upvotes, $0
- Chat room member disclosure via autocomplete API to Nextcloud - 13 upvotes, $0
- SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens. to Basecamp - 12 upvotes, $350
- Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage() to Mail.ru - 12 upvotes, $200
- Remote attacker can impersonate Social users via ActivityPub API to Nextcloud - 12 upvotes, $50
- API Keys Hardcoded in Github repository to Rocket.Chat - 12 upvotes, $0
- Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result to GitLab - 12 upvotes, $0
- User personal data disclosure via API to Vercel - 12 upvotes, $0
- vidyard api auth_token exposed to 8x8 - 12 upvotes, $0
- DOM XSS at https://adobedocs.github.io/indesign-api-docs/?configUrl={site} due to outdated Swagger UI to Adobe - 12 upvotes, $0
- Full name of other accounts exposed through NR API Explorer (another workaround of #476958) to New Relic - 11 upvotes, $750
- IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to Twitter - 11 upvotes, $0
- Secret API Key Leakage via Query String to Zendesk - 11 upvotes, $0
- Private API key leakage due to lack of access control to Cloudflare Vulnerability Disclosure - 11 upvotes, $0
- No rate limit in stats api token endpoint to Chaturbate - 11 upvotes, $0
- H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret to Shopify - 11 upvotes, $0
- Non-revoked API Key Information disclosure via Stripo_report() to Stripo Inc - 11 upvotes, $0
- Bypassing creation of API tokens without email verification to Cloudflare Public Bug Bounty - 11 upvotes, $0
- Facebook App API credentials leaked in the APK to GlassWire - 11 upvotes, $0
- Stored XSS (API) to Mail.ru - 10 upvotes, $500
- Sending arbitrary requests to the API with the permissions of any iframe/miniapp installed by the user to VK.com - 10 upvotes, $500
- DOS: out of memory from gif through upload api to Mattermost - 10 upvotes, $150
- Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action to Moneybird - 10 upvotes, $0
- Group admin can remove user from all his groups via API to Nextcloud - 10 upvotes, $0
- Publicly accessible IDRAC instance at api-m.inapp.pushwoosh.com to Pushwoosh - 10 upvotes, $0
- Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= to Starbucks - 10 upvotes, $0
- Leaking sensitive information lead to compromise employer API keys to Yelp - 10 upvotes, $0
- Insecure Storage and Overly Permissive Google Maps API Key in Android App to Mail.ru - 10 upvotes, $0
- Hard-coded API keys at NordVpn Android App to Nord Security - 10 upvotes, $0
- Git repo on https://██████.mil/ discloses API password to U.S. Dept Of Defense - 10 upvotes, $0
- api keys leaked to Reddit - 10 upvotes, $0
- No brute force protection on web-api-cloud.acronis.com to Acronis - 9 upvotes, $100
- Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution to Rocket.Chat - 9 upvotes, $0
- Campaign Account Balance and History Disclosed in API Response to LinkedIn - 9 upvotes, $0
- Authenticated but unauthorized users may enumerate Application names via the API to Internet Bug Bounty - 8 upvotes, $2400
- Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter to New Relic - 8 upvotes, $2000
- Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object to Phabricator - 8 upvotes, $300
- User Information Disclosure via REST API to Nextcloud - 8 upvotes, $0
- API Webhooks Fire And Are Unlisted After Permissions Removed to Shopify - 8 upvotes, $0
- Revoked User can still view the Merge Request created by him via API to GitLab - 7 upvotes, $1500
- User Information Disclosure via REST API to ownCloud - 7 upvotes, $0
- Stored XSS in content when Graph is created via API to Infogram - 7 upvotes, $0
- Disclosure of Users Information On Wordpress Api [https://jitsi.org/] to 8x8 - 7 upvotes, $0
- I found some api keys in js files, huge leak of token addresses and huge amount of js files are not forbidden to AMBER AI - 7 upvotes, $0
- Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content to Shopify - 6 upvotes, $2000
- API: Bug in method auth.signup, allowing unlimited phone calls to be triggered to VK.com - 6 upvotes, $500
- CSRF: Reset API to Weblate - 6 upvotes, $0
- Insecure Cache-Control Leading to API key Retrieval to ThisData - 6 upvotes, $0
- Api token exposed in Reverb.com's public github repository to Reverb.com - 6 upvotes, $0
- Public and secret api key leaked via omise github repo(owned by omise) to Omise - 6 upvotes, $0
- Sending trusted ████ and ██████████ emails through public API endpoint in ███████ site to U.S. Dept Of Defense - 6 upvotes, $0
- Improper authorization on /api/as/v1/credentials/ allows any App Search user to access all API keys and escalate privileges to Elastic - 6 upvotes, $0
- Google Maps API Key Leakage to Uber - 6 upvotes, $0
- Insecure Storage and Overly Permissive API Keys to Stripo Inc - 6 upvotes, $0
- API Key added for one Indices works for all other indices too. to Algolia - 5 upvotes, $1000
- [NR Infrastructure] Restricted user can update integration provider account name via integrations API to New Relic - 5 upvotes, $750
- [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions to New Relic - 5 upvotes, $750
- Deprecated owners.query API bypasses object view policy to Phabricator - 5 upvotes, $300
- API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 5 upvotes, $0
- No Rate Limitation on Regenerate Api Key to Weblate - 5 upvotes, $0
- Wordpress.com REST API oauth bypass via Cross Site Flashing to Automattic - 5 upvotes, $0
- Private account causes displayed through API to Staging.every.org - 5 upvotes, $0
- Accessed internal api documentation and information to Mail.ru - 5 upvotes, $0
- HTML injection in API response including request url to Reddit - 5 upvotes, $0
- Replacing the SSL certificate of any group in the Group Management -> Working with API section as an unauthorized user. to VK.com - 4 upvotes, $200
- Conversation API Leaks Details Of UnAuthorized Conversations to Vanilla - 4 upvotes, $150
- Disclosure of Users Information via Wordpress API (?rest_route) to LocalTapiola - 4 upvotes, $50
- Private snippets in public / internal projects leaked through GitLab API to GitLab - 4 upvotes, $0
- API OAuth Public Key disclosure in mobile app to Instacart - 4 upvotes, $0
- Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form to Weblate - 4 upvotes, $0
- [api.data.gov] Leak Valid API With out Verification - to GSA Bounty - 4 upvotes, $0
- API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation. to Dropcontact - 4 upvotes, $0
- Getting API access key Through Introspection query Graphql to New Relic - 4 upvotes, $0
- API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone to Adobe - 4 upvotes, $0
- Logging of VK API request responses in the Клевер app to VK.com - 3 upvotes, $300
- Urgent: Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) to Twitter - 3 upvotes, $280
- Stored XSS in api key of operator wallet to Enter - 3 upvotes, $0
- The mailbox verification API interface is unlimited and can be used as a mailbox bomb to Phabricator - 3 upvotes, $0
- API Does Not Apply Access Controls to Translations to Weblate - 3 upvotes, $0
- Insecure Direct Object Reference on API without API key to Semrush - 3 upvotes, $0
- twitter api access token leaked on github to Liberapay - 3 upvotes, $0
- Unprotected Api EndPoints to Semmle - 3 upvotes, $0
- Cross-Site Request Forgery (CSRF) in my.games API to Mail.ru - 3 upvotes, $0
- hardcoded api secret & api key in com.reddit.frontpage to Reddit - 3 upvotes, $0
- Mapbox API Access Token with No Scope Can Read Styles to Mapbox - 2 upvotes, $200
- Unauthenticated Stored XSS in API Panel to WePay - 2 upvotes, $100
- API keys being cached to Kadira - 2 upvotes, $0
- Timing Attack Side-Channel on API Token Verification to joola.io - 2 upvotes, $0
- Header Misconfiguration - PHP API to Shopify - 2 upvotes, $0
- Cross site scripting On api Calculator API requests to ok.ru - 2 upvotes, $0
- Abuse of Api that causes spamming users and possible DOS due to missing rate limit to Weblate - 2 upvotes, $0
- CRLF Injection in legacy url API (url.parse().hostname) to Node.js - 2 upvotes, $0
- [api.33slona.ru] Access to the API due to a misconfigured server 302 redirect. to Mail.ru - 2 upvotes, $0
- Google API Key is not restricted for specific application package name and signature [Mail.ru Cloud for Android] to Mail.ru - 2 upvotes, $0
- API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint to Kubernetes - 2 upvotes, $0
- API route chat.getThreadsList leaks private message content to Rocket.Chat - 2 upvotes, $0
- User information disclosed via API to U.S. General Services Administration - 2 upvotes, $0
- Bypass access restrictions from API to Shopify - 1 upvotes, $1000
- API: Bug in method auth.validatePhone to VK.com - 1 upvotes, $500
- Apps can access 'channels' beta api to Shopify - 1 upvotes, $500
- User Enumeration, Information Disclosure and Lack of Rate Limitation on API to Coinbase - 1 upvotes, $0
- Reflected XSS on Zomato API to Zomato - 1 upvotes, $0
- CSRF - Regenerate all admin api keys to New Relic - 1 upvotes, $0
- The email API to reset password is unlimited and can be used as a email bomb to Nextcloud - 1 upvotes, $0
- The email API to test email-server settings is unlimited and can be used as a email bomb to Nextcloud - 1 upvotes, $0
- Account owner/admin can't actually delete personal users' API keys to New Relic - 1 upvotes, $0
- Unprotected ██████ and Test site API Exposes Documents, Credentials, and Emails in ██████████ Proposal System to U.S. Dept Of Defense - 1 upvotes, $0
- REST API gets query as parameter and executes it to Rocket.Chat - 1 upvotes, $0
- Inadequate input validation on API endpoint leading to self denial of service and increased system load. to IRCCloud - 0 upvotes, $500
- Legacy API exposes private video titles to Vimeo - 0 upvotes, $0
- Create Api Key is not working to Legal Robot - 0 upvotes, $0
- SSRF in login page using fetch API exposes victim's IP address to attacker controlled server to U.S. Dept Of Defense - 0 upvotes, $0