Instacart - HackerOne Reports
Total Reports: 35 | Critical: 0 | High: 1 | Medium: 3 | Low: 3
Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Reported by: ak1t4 | Disclosed:
View & add to cart unlisted items via IDOR
Reported by: bigshaq | Disclosed:
High
Weakness: Insecure Direct Object Reference (IDOR)
Issues with uploading list images
Reported by: cablej | Disclosed:
Weakness: Uncontrolled Resource Consumption
User Information sent to client through websockets
Reported by: archers123 | Disclosed:
Weakness: Information Disclosure
Authentication Bypass in Updating Personal Information
Reported by: footstep | Disclosed:
Weakness: Improper Authentication - Generic
Cross-Site Request Forgery (CSRF)
Reported by: malcolmx | Disclosed:
Weakness: Cross-Site Request Forgery (CSRF)
Race Condition in Redeeming Coupons
Reported by: cablej | Disclosed:
Weakness: Violation of Secure Design Principles
Stored XSS
Reported by: s44mux | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic
CSRF To change Email Notification Settings
Reported by: trad_zero_h | Disclosed:
Weakness: Cross-Site Request Forgery (CSRF)
READ .svg files by changing .svg into .png extension
Reported by: codertom | Disclosed:
Weakness: Violation of Secure Design Principles
Access private list metadata
Reported by: sameoldstory | Disclosed:
Low
Weakness: Information Disclosure
Bounty: $100.00
Missing rel=noreferrer tag allows link in list to change url of currently open tab
Reported by: cablej | Disclosed:
Weakness: Violation of Secure Design Principles
Cross-Site Scripting Reflected On Main Domain
Reported by: hussain_0x3c | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic
Get all instacart emails - missing rate limit on /accounts/register
Reported by: 003random | Disclosed:
Medium
Bounty: $150.00
Cookie-Based Injection
Reported by: hussain_0x3c | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic