Bugpoint
@bugpoint
999 subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties πŸ“£

RateπŸ‘‡
https://cutt.ly/bugpoint_rate
FeedbackπŸ‘‡
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Download Telegram
About
Blog
Apps
Platform
Join
Bugpoint
999 subscribers
Bugpoint
Blind HTTP GET SSRF via website icon fetch (bypass of pull#812)

πŸ‘‰ https://hackerone.com/reports/925527

πŸ”Ή Severity: Low
πŸ”Ή Reported To: Bitwarden
πŸ”Ή Reported By: #shielder
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 11, 2020, 1:24pm (UTC)
40 views
Bugpoint
Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog

πŸ‘‰ https://hackerone.com/reports/977851

πŸ”Ή Severity: Low | πŸ’° 1,000 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #dakitu
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 11, 2020, 5:03pm (UTC)
35 views
Bugpoint
[keyd] Prototype pollution

πŸ‘‰ https://hackerone.com/reports/877515

πŸ”Ή Severity: High
πŸ”Ή Reported To: Node.js third-party modules
πŸ”Ή Reported By: #d3lla
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 10:51am (UTC)
31 views
Bugpoint
[objtools] Prototype pollution

πŸ‘‰ https://hackerone.com/reports/878394

πŸ”Ή Severity: High
πŸ”Ή Reported To: Node.js third-party modules
πŸ”Ή Reported By: #d3lla
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 10:51am (UTC)
32 views
Bugpoint
[flsaba] Stored XSS in the file and directory name when directories listing

πŸ‘‰ https://hackerone.com/reports/856588

πŸ”Ή Severity: Low
πŸ”Ή Reported To: Node.js third-party modules
πŸ”Ή Reported By: #d3lla
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 10:52am (UTC)
27 views
Bugpoint
Password protection can be removed for newly created development store

πŸ‘‰ https://hackerone.com/reports/965510

πŸ”Ή Severity: No Rating | πŸ’° 500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #francisbeaudoin
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 6:59pm (UTC)
29 views
Bugpoint
Admin web sessions remain active after logout of Shopify ID

πŸ‘‰ https://hackerone.com/reports/952035

πŸ”Ή Severity: No Rating | πŸ’° 1,000 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #jaka_tingkir
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 6:59pm (UTC)
29 views
Bugpoint
XSS / SELF XSS

πŸ‘‰ https://hackerone.com/reports/906201

πŸ”Ή Severity: Low | πŸ’° 500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #whoami991
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 7:25pm (UTC)
28 views
Bugpoint
Partner's non-verified business email change reflected into Shopify Collaborator Request

πŸ‘‰ https://hackerone.com/reports/874574

πŸ”Ή Severity: No Rating | πŸ’° 1,000 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #francisbeaudoin
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 7:45pm (UTC)
27 views
Bugpoint
Staff member with no permission can delete POS staff from account settings

πŸ‘‰ https://hackerone.com/reports/860348

πŸ”Ή Severity: Low | πŸ’° 500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #kunal94
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 7:56pm (UTC)
23 views
Bugpoint
XSS within Shopify Email App - Admin

πŸ‘‰ https://hackerone.com/reports/869831

πŸ”Ή Severity: No Rating | πŸ’° 500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #francisbeaudoin
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 7:56pm (UTC)
22 views
Bugpoint
[h1-2006 2020] Bounty payments are done !

πŸ‘‰ https://hackerone.com/reports/895824

πŸ”Ή Severity: Critical
πŸ”Ή Reported To: h1-ctf
πŸ”Ή Reported By: #louzogh
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 14, 2020, 9:09pm (UTC)
22 views
Bugpoint
Adding everyone to the repo due to the lack of rate limit

πŸ‘‰ https://hackerone.com/reports/978768

πŸ”Ή Severity: High
πŸ”Ή Reported To: GitLab
πŸ”Ή Reported By: #sevilboylum
πŸ”Ή State: πŸ”΄ N/A
πŸ”Ή Disclosed: September 14, 2020, 11:28pm (UTC)
24 views
Bugpoint
staff can able to extend shopify trial period without admin permission

πŸ‘‰ https://hackerone.com/reports/947728

πŸ”Ή Severity: Low | πŸ’° 500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #risinghunter
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 2:15am (UTC)
30 views
Bugpoint
A staff without export customers permissions can still export customers CSV file

πŸ‘‰ https://hackerone.com/reports/860197

πŸ”Ή Severity: No Rating | πŸ’° 500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #ryat
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 4:42am (UTC)
28 views
Bugpoint
Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation

πŸ‘‰ https://hackerone.com/reports/910300

πŸ”Ή Severity: Critical | πŸ’° 22,500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #say_ch33se
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 6:47am (UTC)
33 views
Bugpoint
CircleCI token in github repo allows for access to sensitive build information

πŸ‘‰ https://hackerone.com/reports/858915

πŸ”Ή Severity: No Rating | πŸ’° 1,500 USD
πŸ”Ή Reported To: Shopify
πŸ”Ή Reported By: #dwimmerlaik
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 9:30am (UTC)
35 views
Bugpoint
[icq.im] Reflected XSS via chat invite link

πŸ‘‰ https://hackerone.com/reports/796897

πŸ”Ή Severity: Low | πŸ’° 250 USD
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #romesful
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 12:25pm (UTC)
36 views
Bugpoint
Private files exposed to other apps

πŸ‘‰ https://hackerone.com/reports/838587

πŸ”Ή Severity: High | πŸ’° 1,000 USD
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #kanytu
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 1:14pm (UTC)
33 views
Bugpoint
Database read through provider misconfiguration

πŸ‘‰ https://hackerone.com/reports/882475

πŸ”Ή Severity: Medium | πŸ’° 1,000 USD
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #kanytu
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 1:20pm (UTC)
32 views
Bugpoint
IDOR in tracking driver logs at city-mobil.ru

πŸ‘‰ https://hackerone.com/reports/847876

πŸ”Ή Severity: Low | πŸ’° 150 USD
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #r0hack
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 15, 2020, 1:59pm (UTC)
30 views