Forwarded from Bug Bounty Channel
Hacktivity from maxdha
https://hackerone.com/reports/2028265
Disclosed at: 2024-04-11 08:33:03 UTC+0
Created at: 2023-06-16 01:50:00 UTC+0
#3 XSS on watchdocs.indriverapp.com
And subscribe to our telegram channel with updates https://t.me/indrive_bbp
Hello, security researchers!
We are happy to announce a new feature - authentication via Google, as well as a new campaign. Details can be found here! Good luck hunting.
Best wishes,
InDrive Security Team.
Hi, could you please take a quick survey.
Which bugbounty site do you prefer?
Anonymous Poll
HackerOne: 74%
Bugcrowd: 15%
Integrity: 3%
YesWeHack: 2%
Other: 5%
Results of the last campaign which lasted from June 17 to July 17, 2024.
Total reports received: 264
Valid reports: 29
Total payouts: $8,565.00
Stay tuned for updates so you don't miss out on the next campaigns. Have a great day and good hunting.
Best wishes,
InDrive Security Team.
Hello, security researchers!
We have launched a new promotion: for the next few weeks, all prices from our pay table will be increased by 1.25. Details can be found here! Good luck hunting.
Best wishes,
InDrive Security Team.
HackerOne
inDrive - Bug Bounty Program | HackerOne
The inDrive Bug Bounty Program enlists the help of the hacker community at HackerOne to make inDrive more secure. HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally…
api_methods.csv
186.7 KB
Hello, security researchers!
I hope this message catches you in good health. In the attachment you will find a CSV file containing a list of endpoints to scan. The file contains the following columns:
Method: the HTTP method used for the request (e.g. GET, POST).
Hostname: The domain name of the server to which the requests are being made.
URL: The full URL of the endpoint.
NOTE: If you get a 410 Gone response status when accessing an endpoint, then you are trying to access the wrong region. For example, no-cf.<region>.aws.indriverapp.com returns 410, try changing regions.
List of regions: africa.afso1, cis.euce1, eu.euce1, euce1, fr1.baremetal, global, latam-br.saea1, latam-co.saea1, latam-mx.saea1, latam-mx.usea1, latam-pe.saea1, latam.saea1, mena-eg.meso1, mena.meso1, sa-in.apso1, sa.apso1, sea.apse3, usa.usea2
We hope you can use this information to analyze the security of these endpoints in more detail. Good luck hunting.
Best wishes,
InDrive Security Team.
Subdomains.csv
4 KB
Hello security researchers,
We are attaching a list of subdomains for in-depth vulnerability analysis. We hope this information will be useful for you.
Good luck hunting.
Best wishes,
InDrive Security Team.
Subdomains_ext.csv
5.5 KB
Hello security researchers,
New subdomain package.
Good luck hunting.
Best wishes,
InDrive Security Team.
The Journey of Launching a Bug Bounty Program
In the article “Strengthening Cybersecurity: Breaking Down inDrive’s Bug Bounty Program”, I dive into how we launched and developed our bug bounty program, collaborated with white hat hackers to identify vulnerabilities, optimized security processes, and fostered a culture focused on data protection.
Read the Article:
- On HackerNoon
- On Medium
This publication is the result of the collective efforts of our entire information security team. Please share the links, leave your comments, and help us spread the word about our achievements.
Together, let’s make inDrive a safer place!
Best wishes,
InDrive Security Team.
Hello, security researchers!
We have launched a new promotion: for the next few weeks, all prices from our pay table will be increased by 1.5. Details can be found here! Good luck hunting.
Best wishes,
InDrive Security Team.
Hello, security researchers,
We are pleased to present the following domains for your exploration:
- alternativa.film
- bridekidnapping.alternativa.film
- festival.alternativa.film
- indrive.alternativa.film
- auroratechaward.com
We invite you to test your skills in discovering vulnerabilities on these subdomains. We eagerly await your insightful reports.
Good luck hunting.
Best wishes,
InDrive Security Team.
Hello, security researchers!
We have launched a new campaign: for the next few weeks, all prices from our pay table will be increased by 1.5. Details can be found here! Good luck hunting.
Best wishes,
InDrive Security Team.
Hello, security researchers!
Have you spotted this new feature yet? If not — now’s the perfect time to dive in!
InDrive recently launched Passkey authentication in the app, and to celebrate, we're starting a 2-week special HackerOne campaign with increased bounty rewards (2x) for vulnerabilities related to the Passkey integration. 🔐
Campaign period 🗓️:
May 26 – June 9, 2025
To participate in the campaign, please make sure that:
• You’re using app version 5.110 or higher. 📱
• You select the asset https://cas-cf.euce1.indriverapp.com/api/passkey when submitting your report (of course, with Passkey issue 😉).
We’re especially interested in issues on how Passkeys are integrated with the app, such as:
• Authentication/Authorization bypasses
• Improper validation
• Session management issues
• Logical or implementation flaws
P.S., We’ve conducted our own internal security audit of the Passkey feature — so don’t be surprised if some findings are marked as duplicates.
Good luck, bug hunters! 🕵️♂️