TOPTWITTER.md

File metadata and controls

241 lines (240 loc) · 30.3 KB

Top reports from the Twitter program at HackerOne:

  1. Potential pre-auth RCE on Twitter VPN to Twitter - 1152 upvotes, $20160
  2. Bypassing Digits origin validation which leads to account takeover to Twitter - 586 upvotes, $5040
  3. CRLF injection to Twitter - 416 upvotes, $2940
  4. Read-only application can publish/delete fleets to Twitter - 393 upvotes, $7700
  5. Blind XSS on Twitter's internal Big Data panel at █████████████ to Twitter - 335 upvotes, $5040
  6. Private list members disclosure via GraphQL to Twitter - 324 upvotes, $2940
  7. [Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable to Twitter - 317 upvotes, $5040
  8. Insufficient OAuth callback validation which leads to Periscope account takeover to Twitter - 258 upvotes, $5040
  9. Bypass Password Authentication for updating email and phone number - Security Vulnerability to Twitter - 254 upvotes, $700
  10. XXE on sms-be-vip.twitter.com in SXMP Processor to Twitter - 250 upvotes, $10080
  11. Insufficient validation on Digits bridge to Twitter - 248 upvotes, $5040
  12. XSS via Direct Message deeplinks to Twitter - 225 upvotes, $2940
  13. XSS and Open Redirect on MoPub Login to Twitter - 225 upvotes, $1540
  14. Github Account hijack through broken link in developer.twitter.com to Twitter - 208 upvotes, $280
  15. Periscope android app deeplink leads to CSRF in follow action to Twitter - 204 upvotes, $1540
  16. Stored XSS on reports. to Twitter - 201 upvotes, $700
  17. XSS and cache poisoning via upload.twitter.com on ton.twitter.com to Twitter - 191 upvotes, $2520
  18. Account Takeover in Periscope TV to Twitter - 188 upvotes, $7560
  19. Verify any unused email address to Twitter - 188 upvotes, $560
  20. Protected Tweet settings overwritten by other settings to Twitter - 174 upvotes, $1540
  21. Discoverability by phone number/email restriction bypass to Twitter - 172 upvotes, $5040
  22. Takeover of Twitter-owned domain at mobileapplinking.com to Twitter - 157 upvotes, $0
  23. Twitter ID exposure via error-based side-channel attack to Twitter - 147 upvotes, $1470
  24. Character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error to Twitter - 137 upvotes, $560
  25. URL that the Twitter mobile site cannot load to Twitter - 136 upvotes, $1120
  26. Reflected XSS in twitterflightschool.com to Twitter - 132 upvotes, $1120
  27. Highly wormable clickjacking in player card to Twitter - 128 upvotes, $5040
  28. Twitter Periscope Clickjacking Vulnerability to Twitter - 125 upvotes, $1120
  29. Incorrect param parsing in Digits web authentication to Twitter - 121 upvotes, $2520
  30. XSS via referrer parameter to Twitter - 119 upvotes, $0
  31. [URGENT] Opportunity to publish tweets on any twitters account to Twitter - 116 upvotes, $7560
  32. Changing email address on Twitter for Android unsets "Protect your Tweets" to Twitter - 116 upvotes, $2940
  33. Vine: private/sensitive information disclosure for all registered users [IP address/phone number/email and much other information] to Twitter - 114 upvotes, $7560
  34. IDOR and statistics leakage in Orders to Twitter - 109 upvotes, $289
  35. Bypassing Digits web authentication's host validation with HPP to Twitter - 103 upvotes, $2520
  36. Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled. to Twitter - 98 upvotes, $0
  37. Safe Redirect Bypass to Twitter - 93 upvotes, $560
  38. Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data to Twitter - 91 upvotes, $5040
  39. Attacker can get all information about Vine repost users, even IP address and location to Twitter - 89 upvotes, $5040
  40. Bypassing Digits bridge origin validation to Twitter - 89 upvotes, $5040
  41. Creating malformed URLs via new line character in-between two URLs leads to misrepresented hyperlinks in Tweets/DMs to Twitter - 88 upvotes, $560
  42. Github Token Leaked publicly for https://github.com/mopub to Twitter - 86 upvotes, $1540
  43. Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect to Twitter - 86 upvotes, $1120
  44. Denial of Service | twitter.com & mobile.twitter.com to Twitter - 86 upvotes, $1120
  45. Remote Unrestricted file Creation/Deletion and Possible RCE. to Twitter - 83 upvotes, $0
  46. Persistent DOM-based XSS in https://help.twitter.com via localStorage to Twitter - 82 upvotes, $1120
  47. [Studio.twitter.com] See someone else pics to Twitter - 81 upvotes, $5040
  48. Html Injection and Possible XSS in sms-be-vip.twitter.com to Twitter - 80 upvotes, $420
  49. [CRITICAL] Full account takeover using CSRF to Twitter - 78 upvotes, $5040
  50. Incorrect details on OAuth permissions screen allows DMs to be read without permission to Twitter - 71 upvotes, $2940
  51. Multiple XSS on account settings that can hijack any users in the company. to Twitter - 70 upvotes, $700
  52. [dev.twitter.com] XSS and Open Redirect to Twitter - 66 upvotes, $1120
  53. Multiple DOMXSS on Amplify Web Player to Twitter - 65 upvotes, $2520
  54. Denial of Service [Chrome] to Twitter - 65 upvotes, $560
  55. Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App to Twitter - 64 upvotes, $1120
  56. CSRF on Periscope Web OAuth authorization endpoint to Twitter - 63 upvotes, $2520
  57. Protected tweets exposure through the URL to Twitter - 63 upvotes, $560
  58. Subdomain takeover of images.crossinstall.com to Twitter - 62 upvotes, $0
  59. Blind XSS in MoPub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent) to Twitter - 60 upvotes, $840
  60. No username used in authentication to www.mopub.com, leading to direct password submission with an unlimited submission rate to Twitter - 56 upvotes, $280
  61. Subdomain takeover on dev-admin.periscope.tv to Twitter - 54 upvotes, $0
  62. Periscope iOS app CSRF in follow action due to deeplink to Twitter - 52 upvotes, $2940
  63. HTTP Response Splitting (CRLF injection) in report_story to Twitter - 51 upvotes, $3500
  64. DOMXSS in Tweetdeck to Twitter - 50 upvotes, $1120
  65. Bypass Password Authentication to Update the Password to Twitter - 50 upvotes, $700
  66. reverb.twitter.com redirects to vulnerable reverb.guru to Twitter - 50 upvotes, $560
  67. Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co to Twitter - 50 upvotes, $0
  68. Stealing User emails by clickjacking cards.twitter.com/xxx/xxx to Twitter - 49 upvotes, $1120
  69. Tracking of users on third-party websites using the Twitter cookie, due to a flaw in authenticating image requests to Twitter - 49 upvotes, $1120
  70. DOM based cookie bomb to Twitter - 49 upvotes, $280
  71. Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com to Twitter - 49 upvotes, $0
  72. Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques} to Twitter - 48 upvotes, $420
  73. Bypassing callback_url validation on Digits to Twitter - 47 upvotes, $2520
  74. csp bypass + xss to Twitter - 47 upvotes, $1120
  75. Opportunity to obtain private tweets through search widget preview caches to Twitter - 47 upvotes, $1120
  76. Cross-site scripting (reflected) to Twitter - 45 upvotes, $2520
  77. View liked tweets of private account via publish.twitter.com to Twitter - 44 upvotes, $1260
  78. [dev.twitter.com] XSS and Open Redirect Protection Bypass to Twitter - 43 upvotes, $1120
  79. Periscope-all Firebase database takeover to Twitter - 41 upvotes, $560
  80. URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS to Twitter - 40 upvotes, $1680
  81. Open Redirect to Twitter - 40 upvotes, $420
  82. Bypass t.co link shortener in Twitter direct messages to Twitter - 39 upvotes, $560
  83. Niche S3 buckets are readable/writable/deletable by authorized AWS users to Twitter - 38 upvotes, $700
  84. XSS on https://app.mopub.com/reports/custom/add/ [new-d1] to Twitter - 38 upvotes, $280
  85. CSRF on cards API to Twitter - 37 upvotes, $280
  86. [IDOR][translate.twitter.com] Opportunity to change any comment at the forum to Twitter - 36 upvotes, $1120
  87. Wrong interpretation of URL-encoded characters, showing different punycode, leads to redirection to a different domain to Twitter - 36 upvotes, $560
  88. Urgent: Unauthorised access to media content of all Direct Messages and protected tweets (Indirect Object Reference) to Twitter - 36 upvotes, $420
  89. CSRF on https://www.niche.co leads to "account disconnection" to Twitter - 35 upvotes, $0
  90. Twitter iOS fails to validate server certificate and sends oauth token to Twitter - 34 upvotes, $2100
  91. [staging-engineering.gnip.com] Publicly accessible GIT directory to Twitter - 32 upvotes, $280
  92. 2 Subdomains Takeover at readfu.com to Twitter - 32 upvotes, $0
  93. Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv) to Twitter - 31 upvotes, $140
  94. No rate limiting on brute-forcing user passwords to Twitter - 30 upvotes, $700
  95. HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter to Twitter - 30 upvotes, $560
  96. Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 to Twitter - 30 upvotes, $560
  97. GNIP subdomain take over to Twitter - 30 upvotes, $0
  98. Bypass Password Authentication to Update the Password to Twitter - 30 upvotes, $0
  99. Accepting error message on twitter sends you to attacker site to Twitter - 29 upvotes, $560
  100. CRLF and XSS stored on ton.twitter.com to Twitter - 28 upvotes, $1680
  101. [sms-be-vip.twitter.com] vulnerable to Jetleak to Twitter - 28 upvotes, $1260
  102. Delete direct message history without access the proper conversation_id to Twitter - 27 upvotes, $560
  103. POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204) to Twitter - 27 upvotes, $280
  104. HTTP Response Splitting (CRLF injection) due to headers overflow to Twitter - 26 upvotes, $2800
  105. Reset password without knowing current password to Twitter - 26 upvotes, $0
  106. Information Disclosure through .DS_Store in ██████████ to Twitter - 25 upvotes, $560
  107. [Critical] - Steal OAuth Tokens to Twitter - 24 upvotes, $840
  108. Cookie injection allows DoS attack on periscope.tv to Twitter - 24 upvotes, $560
  109. Twitter Media Studio Source Information Disclosure With Analyst Role to Twitter - 24 upvotes, $560
  110. Open Redirect Protection Bypass to Twitter - 24 upvotes, $280
  111. Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites to Twitter - 24 upvotes, $0
  112. Twitter for android is exposing user's location to any installed android app to Twitter - 23 upvotes, $560
  113. Vine - overwrite account associated with email via android application to Twitter - 23 upvotes, $280
  114. CVE-2017-15277 on Profile page to Twitter - 23 upvotes, $0
  115. CSRF and probable account takeover on https://www.niche.co to Twitter - 23 upvotes, $0
  116. CORS misconfig | Account Takeover to Twitter - 22 upvotes, $0
  117. File Upload XSS in image uploading of App in mopub to Twitter - 21 upvotes, $560
  118. [Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user to Twitter - 21 upvotes, $560
  119. Stored XSS in https://app.mopub.com to Twitter - 21 upvotes, $280
  120. Unauthorized Access to Protected Tweets via niche.co API to Twitter - 21 upvotes, $0
  121. http request smuggling in pscp.tv and periscope.tv to Twitter - 20 upvotes, $560
  122. Identify the mobile number of a twitter user to Twitter - 20 upvotes, $560
  123. Improper session handling on web browsers to Twitter - 19 upvotes, $560
  124. Improper Host Detection During Team Up on tweetdeck.twitter.com to Twitter - 19 upvotes, $280
  125. Twitter Source Label allow 'mongolian vowel separator' U+180E (app name) to Twitter - 18 upvotes, $560
  126. [██████████.gnip.com] .htpasswd disclosure to Twitter - 18 upvotes, $280
  127. Sensitive Information Disclosure https://cards-dev.twitter.com to Twitter - 18 upvotes, $280
  128. ms5 debug page exposing internal info (internal IPs, headers) to Twitter - 18 upvotes, $280
  129. AppLovin API Key hardcoded in a Github repo to Twitter - 18 upvotes, $280
  130. Lack of input validation that can lead to Denial of Service (DoS) to Twitter - 17 upvotes, $560
  131. XSS on OAuth authorize/authenticate endpoint to Twitter - 16 upvotes, $2520
  132. Protected Tweets setting overridden by Android app to Twitter - 16 upvotes, $560
  133. SSRF in https://cards-dev.twitter.com/validator to Twitter - 15 upvotes, $280
  134. http request smuggling in twitter.com to Twitter - 15 upvotes, $0
  135. XSS using javascript:alert(8007) to Twitter - 14 upvotes, $280
  136. No Rate Limit in email leads to huge Mass mailings to Twitter - 14 upvotes, $140
  137. iOS app crashed by specially crafted direct message reactions to Twitter - 13 upvotes, $560
  138. PI leakage By Brute Forcing and Phone number deleting without using password to Twitter - 13 upvotes, $0
  139. xss in link items (mopub.com) to Twitter - 12 upvotes, $560
  140. Html Injection and Possible XSS via MathML to Twitter - 12 upvotes, $0
  141. IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to Twitter - 11 upvotes, $5040
  142. [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME to Twitter - 11 upvotes, $560
  143. User input validation can lead to DOS to Twitter - 11 upvotes, $560
  144. Access MoPub Reports Data even after Company removed you from their MoPub Account. to Twitter - 11 upvotes, $140
  145. leaking Digits OAuth authorization to third party websites to Twitter - 10 upvotes, $560
  146. Clickjacking Periscope.tv on Chrome to Twitter - 10 upvotes, $560
  147. login csrf in analytics.mopub.com to Twitter - 10 upvotes, $280
  148. HTTPS is not validating TLS mac codes to Twitter - 10 upvotes, $0
  149. Add tweet to collection CSRF to Twitter - 9 upvotes, $560
  150. [Twitter Open Source] Releases were & are built/executed/tested/released in the context of insecure/untrusted code to Twitter - 9 upvotes, $280
  151. Reports Modal in app.mopub.com Disclose by any user to Twitter - 8 upvotes, $280
  152. CSRF in twitterflightschool.com ( CAN POST ON TIMELINE WITHOUT USER PERMISSION) to Twitter - 8 upvotes, $0
  153. URGENT : NICHE.co Account Take Over Vulnerability to Twitter - 6 upvotes, $560
  154. Profile Pic padding (Length-hiding) fails due to use of GZIP to Twitter - 6 upvotes, $280
  155. Tweet Deck XSS- Persistent- Group DM name to Twitter - 5 upvotes, $2520
  156. Cross site scripting on ads.twitter.com to Twitter - 5 upvotes, $1400
  157. Fabric.io: Ex-admin of an organization can delete team members to Twitter - 5 upvotes, $280
  158. XSS in the "Poll" Feature on Twitter.com to Twitter - 5 upvotes, $280
  159. Sub Domain Takeover at mk.prd.vine.co to Twitter - 5 upvotes, $140
  160. Broken authentication and invalidated email address leads to account takeover to Twitter - 5 upvotes, $0
  161. Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability] to Twitter - 4 upvotes, $2800
  162. xss in DM group name in twitter to Twitter - 4 upvotes, $700
  163. Insecure Direct Object Reference - access to other user/group DM's to Twitter - 4 upvotes, $420
  164. Sub-Domain Takeover to Twitter - 4 upvotes, $280
  165. XSS via Fabrico Account Name to Twitter - 4 upvotes, $280
  166. Insecure Data Storage in Vine Android App to Twitter - 4 upvotes, $140
  167. List of a ton of internal twitter servers available on GitHub to Twitter - 4 upvotes, $0
  168. HTML/XSS rendered in Android App of Crashlytics through fabric.io to Twitter - 3 upvotes, $1400
  169. fabric.io - app member can make himself an admin to Twitter - 3 upvotes, $1400
  170. XSS in original referrer after follow to Twitter - 3 upvotes, $1400
  171. XSS in twitter.com/safety/unsafe_link_warning to Twitter - 3 upvotes, $1400
  172. Improper Verification of email address while saving Account Settings to Twitter - 3 upvotes, $560
  173. Insecure direct object reference - have access to deleted DM's to Twitter - 3 upvotes, $420
  174. Tweetdeck (twitter owned app) not revoked to Twitter - 3 upvotes, $280
  175. Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) to Twitter - 3 upvotes, $280
  176. Reporting a user's profile by using another person's ID to Twitter - 3 upvotes, $140
  177. Full Path Disclosure at 27.prd.vine.co to Twitter - 3 upvotes, $140
  178. Redirect URL in /intent/ functionality is not properly escaped to Twitter - 2 upvotes, $1400
  179. Open Redirect leak of authenticity_token leads to full account takeover to Twitter - 2 upvotes, $1400
  180. Problem with OAuth to Twitter - 2 upvotes, $1260
  181. Fabric.io - an app admin can delete team members from other user apps to Twitter - 2 upvotes, $1120
  182. Can see private tweets via keyword searches on tweetdeck to Twitter - 2 upvotes, $1120
  183. Twitter Ads Campaign information disclosure through admin without any authentication. to Twitter - 2 upvotes, $560
  184. Twitter Card - Parent Window Redirection to Twitter - 2 upvotes, $560
  185. URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825 to Twitter - 2 upvotes, $420
  186. Flaw in login with twitter to steal Oauth tokens to Twitter - 2 upvotes, $140
  187. Getting emails of users/removing them from the victim's account [using typical attack] to Twitter - 2 upvotes, $140
  188. Signup Page HTML Injection Vulnerability to Twitter - 2 upvotes, $140
  189. uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack to Twitter - 2 upvotes, $0
  190. Password reset link not validated. to Twitter - 2 upvotes, $0
  191. Headers Missing to Twitter - 2 upvotes, $0
  192. Notifications can mark as read by CSRF to Twitter - 2 upvotes, $0
  193. User's DMs are not deleted after logout from Twitter for iOS (com.atebits.xxx.application-state) to Twitter - 2 upvotes, $0
  194. [mobile.twitter.com / twitter.com] CSRF protection bypass to Twitter - 2 upvotes, $0
  195. OS Command Execution on User's PC via CSV Injection to Twitter - 2 upvotes, $0
  196. Global defaming of any twitter user to Twitter - 2 upvotes, $0
  197. Stored xss to Twitter - 1 upvotes, $1400
  198. DOM Cross-Site Scripting ( XSS ) to Twitter - 1 upvotes, $1400
  199. [Stored XSS] vine.co - profile page to Twitter - 1 upvotes, $1400
  200. XSS platform.twitter.com to Twitter - 1 upvotes, $1120
  201. Unauthorized Tweeting on behalf of Account Owners to Twitter - 1 upvotes, $420
  202. Open redirection in fabric.io to Twitter - 1 upvotes, $280
  203. XSS in fabric.io to Twitter - 1 upvotes, $280
  204. Missing Rate Limiting on https://twitter.com/account/complete to Twitter - 1 upvotes, $140
  205. Full path disclosure at ads.twitter.com to Twitter - 1 upvotes, $140
  206. Cookie not marked as secure. to Twitter - 1 upvotes, $0
  207. XSS ON MOPUB.COM to Twitter - 1 upvotes, $0
  208. Token remains alive even after logging out! to Twitter - 1 upvotes, $0
  209. Creating Unauthorized Audience Lists to Twitter - 1 upvotes, $0
  210. Flaw in valid password policy. to Twitter - 1 upvotes, $0
  211. Option Method Enabled on web server to Twitter - 1 upvotes, $0
  212. Abuse of "Remember Me" functionality. to Twitter - 1 upvotes, $0
  213. Homograph attack. to Twitter - 1 upvotes, $0
  214. URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ. to Twitter - 1 upvotes, $0
  215. Privacy Issue: view "Protected users" followers and following to Twitter - 1 upvotes, $0
  216. Cross site Port Scanning bug in twitter developers console to Twitter - 1 upvotes, $0
  217. Opportunity to post hidden comments to Twitter - 1 upvotes, $0
  218. ads.twitter.com xss to Twitter - 0 upvotes, $1400
  219. XSS platform.twitter.com | video-js metadata to Twitter - 0 upvotes, $1120
  220. open redirect sends authenticity_token to any website or (ip address) to Twitter - 0 upvotes, $560
  221. twitter android app Fragment Injection to Twitter - 0 upvotes, $420
  222. iOS App can establish Facetime calls without user's permission to Twitter - 0 upvotes, $420
  223. Bad extended ascii handling in HTTP 301 redirects of t.co to Twitter - 0 upvotes, $420
  224. Following a User Actually Follows Another User to Twitter - 0 upvotes, $280
  225. Following a User After Favoriting Actually Follows Another User (related to #95243) to Twitter - 0 upvotes, $280
  226. POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com to Twitter - 0 upvotes, $140
  227. Subdomain Expired to Twitter - 0 upvotes, $140
  228. XSS vulnerability in video player page to Twitter - 0 upvotes, $0
  229. password sent over HTTP to Twitter - 0 upvotes, $0
  230. CSRF in crashlytics.com to Twitter - 0 upvotes, $0
  231. Captcha bypass with extension at http://www.mopub.com/about/contact/ to Twitter - 0 upvotes, $0
  232. HTML form without CSRF protection at http://try.crashlytics.com/enterprise/ to Twitter - 0 upvotes, $0
  233. Twitter Flight SSL 2.0 deprecated protocol vulnerability. to Twitter - 0 upvotes, $0
  234. BROKEN AUTHENTICATION IN MOBILE VERIFICATION to Twitter - 0 upvotes, $0
  235. Options Method Enabled to Twitter - 0 upvotes, $0
  236. No rate limiting on creating lists to Twitter - 0 upvotes, $0
  237. Account Deleted without any confirmation to Twitter - 0 upvotes, $0
  238. Path disclosure in platform0.twitter.com to Twitter - 0 upvotes, $0
  239. Privacy Issue on protected tweets to Twitter - 0 upvotes, $0