Yay, I was awarded a $500 bounty on @Hacker0x01!
Bug: Stored XSS on Profile Upload. By uploading raw PDF data instead of an image, I triggered an XSS alert on accessing the S3 URL.
#TogetherWeHitHarder
Identified a hidden GraphQL endpoint in the iOS version of a popular app, allowing user ID swaps (IDOR) to access 20M+ users' PII data (emails, names, photos).
Reported via @Hacker0x01 & secured a $2200 bounty! 🛠️🔐
#DataBreach
#BugBounty
#appsec
- Discovered a High severity bug in Notion
- Reported it on HackerOne.
- The Notion team closed the report as Informative (claiming it's not an issue).
- Emailed Notion security team for clarification.
- I got banned from the HackerOne program🙂
@IamRenganathan
@basu_banakar
Thrilled to share my latest discovery🔒 Successfully accessed sensitive database records by leveraging S3 credentials. Check out my blog for more details!
#InfoSec
#DataPrivacy
#bugbounty
I am using @NotionHQ's enterprise plan features like unlimited member invites, page history, link expiration (1 hour), and advanced security controls (disable public sharing, etc.) for free 😌
#NotionSecurityVulnerability
#appsec
@19whoami19
This is common nowadays, bro. And they have one more policy: if the customer doesn't have the budget, the HackerOne triager will close the report as Duplicate 🥲
Discovered a critical flaw allowing free access to enterprise features by manipulating server responses:
- Used a proxy to modify responses.
- Changed subscriptionTier: free to enterprise.
- Got an enterprise plan for free.
- The program doesn't accept business logic bypass issues 🙂
Looking for a free tool to track all subscriptions and payment reminders in one place. Any recommendations? Prefer something easy to use and efficient.
#TechTips
#productivetools
@Medium
I have reported one High severity issue. It leads to business loss. But there is still no reply from the Security Team. Can you please look into that issue?
@pawan1kunwar
@BugBase
1. OTP brute force is a straightforward process using an intruder tool. The same approach can be applied in this case.
2. WAF bypass using the origin IP. The origin IP can be found through @shodanhq
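To make the first point concrete, here is an added example (not code from any of the posts above): a constructed mock of a server-side OTP verifier, an intruder-style sweep of the 6-digit space against it, and the same sweep against a variant that caps failed attempts. The OTP value, the attempt limit and the class names are assumptions for the demo.

```python
import hmac
from typing import Optional

OTP_DIGITS = 6        # assumption: numeric 6-digit OTP, 1,000,000 candidates
MAX_ATTEMPTS = 5      # assumption: failed-attempt cap used by the hardened verifier


class OtpVerifier:
    """Constructed stand-in for the server-side OTP check.

    rate_limited=False reproduces the weak behaviour: every candidate is
    checked, however many have already failed.  rate_limited=True locks the
    challenge after MAX_ATTEMPTS failures, so even the right code is then rejected.
    """

    def __init__(self, secret_code: str, rate_limited: bool) -> None:
        self._code = secret_code
        self.rate_limited = rate_limited
        self.attempts = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.rate_limited and self.locked:
            return False                       # locked: no further comparisons at all
        self.attempts += 1
        ok = hmac.compare_digest(self._code, candidate)   # constant-time compare
        if not ok and self.rate_limited and self.attempts >= MAX_ATTEMPTS:
            self.locked = True
        return ok


def brute_force(verifier: OtpVerifier) -> Optional[str]:
    """What an intruder payload list does: submit 000000..999999 in order.

    Returns the accepted code, or None if the verifier locked first.
    """
    for n in range(10 ** OTP_DIGITS):
        candidate = f"{n:0{OTP_DIGITS}d}"
        if verifier.verify(candidate):
            return candidate
        if verifier.locked:
            return None
    return None


if __name__ == "__main__":
    weak = OtpVerifier("483920", rate_limited=False)
    print("no limit ->", brute_force(weak), "after", weak.attempts, "attempts")
    capped = OtpVerifier("483920", rate_limited=True)
    print("capped   ->", brute_force(capped), "after", capped.attempts, "attempts")
```

Against the unlimited verifier the sweep always succeeds, and with a 6-digit code it needs on average half a million requests, which is exactly the volume an intruder tool is built to send. The capped verifier stops the sweep after five failures, which is the control to look for (per-challenge attempt counter, lockout, or a fresh OTP after N failures) before reporting the endpoint as brute-forceable.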
@thebinarybot
I did the same and got enterprise-level premium features for free. The program doesn't acknowledge the issue because there is no security impact.
Additionally, I received a bonus as I was banned from that particular @Hacker0x01 program 🥲
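The subscriptionTier rewrite described in the earlier post and repeated here comes down to one question: does the client gate features on the tier field it was handed, and does the server re-check the entitlement when the gated feature is actually used? The following is an added example (not Notion's code and not code from either post) with a constructed account store, a constructed proxy rewrite of the response body, and one feature ("page_history") that is deliberately gated only on the client to show the case where the rewrite has real impact. All names and feature strings are assumptions.

```python
import json

# Constructed server-side account store; the tier lives here, not in the client.
ACCOUNTS = {"u123": {"subscriptionTier": "free"}}

# Features the server re-checks on every call (assumption).
SERVER_ENFORCED = {"disable_public_sharing", "unlimited_invites"}
# Features the client hides behind the tier field but the server never checks
# (constructed gap, so both outcomes of the check below can be seen).
CLIENT_GATED = SERVER_ENFORCED | {"page_history"}


def account_response(user_id: str) -> str:
    """The JSON body the backend returns for the account/profile call."""
    return json.dumps({"user": user_id,
                       "subscriptionTier": ACCOUNTS[user_id]["subscriptionTier"]})


def proxy_rewrite(raw: str) -> str:
    """What the intercepting proxy does: flip free -> enterprise in the response."""
    body = json.loads(raw)
    if body.get("subscriptionTier") == "free":
        body["subscriptionTier"] = "enterprise"
    return json.dumps(body)


def client_allows(raw: str, feature: str) -> bool:
    """Client-side gate: trusts whatever tier the (possibly tampered) response says."""
    tier = json.loads(raw)["subscriptionTier"]
    return feature not in CLIENT_GATED or tier == "enterprise"


def server_allows(user_id: str, feature: str) -> bool:
    """Server-side gate: ignores the client and re-reads the entitlement."""
    tier = ACCOUNTS[user_id]["subscriptionTier"]
    return feature not in SERVER_ENFORCED or tier == "enterprise"


def impact_check(user_id: str, feature: str) -> dict:
    """Does the rewrite only unlock UI, or does the backend honour the feature?

    ui_unlocked: the tampered response makes the client show/enable the feature.
    real_bypass: the server also serves it, i.e. the tier is enforced only client-side.
    """
    tampered = proxy_rewrite(account_response(user_id))
    return {
        "ui_unlocked": client_allows(tampered, feature),
        "real_bypass": server_allows(user_id, feature),
    }


if __name__ == "__main__":
    for f in ("disable_public_sharing", "page_history"):
        print(f, "->", impact_check("u123", f))
```

For "disable_public_sharing" the rewrite unlocks the UI but the server still refuses, so the finding is cosmetic; for "page_history" the server has no check of its own and the free account gets the feature, which is the evidence a report of this kind needs to carry: the gated API call succeeding, not just the enterprise UI appearing.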
@scarybeasts
Does this look fair?
@Securrtech
@Pwn4arn
We're following all these recon steps; the triage team will close the issue as Duplicate, or the program team will not accept the issue 🥲