Shipt - HackerOne Reports
Total Reports: 12 | Critical: 0 | High: 2 | Medium: 4 | Low: 5
Api Token Leaked in [shoppers.shipt.com]
Reported by: 1337n0x | Disclosed:
Severity: Low
Weakness: Information Disclosure
Bounty: $200.00
Slack token leaking in stackoverflow and devtimes
Reported by: streaak | Disclosed:
Severity: Medium
Weakness: Cleartext Storage of Sensitive Information
Bounty: $300.00
Vulnerabilities in exported activity WebView
Reported by: shell_c0de | Disclosed:
Severity: Medium
Bounty: $350.00
Sensitive Clickjacking on admin login page.
Reported by: shakhawatpr99 | Disclosed:
Severity: Low
Weakness: UI Redressing (Clickjacking)
Subdomain Takeover at test.shipt.com
Reported by: m7mdharoun | Disclosed:
Severity: High
Bounty: $750.00
Improper Access Control + Financial fraud allows attacker to disclose + add arbitrary products to another's user's order
Reported by: doomerhunter | Disclosed:
Severity: High
Weakness: Improper Access Control - Generic
Bounty: $3900.00
Price manipulation via fraction values (Parameter Tampering)
Reported by: codeslayer1337 | Disclosed:
Severity: Low
Bounty: $100.00
Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol.
Reported by: s3cur3 | Disclosed:
Severity: Low
Weakness: Improper Access Control - Generic
bypass the [OKTA] login redirect can lead to disclosing limited-information about the sub-domain at [ shiptsec.com ]
Reported by: tester1231233 | Disclosed:
Severity: Low
Weakness: Violation of Secure Design Principles
Open redirect on marketing site
Reported by: robd4k | Disclosed:
Weakness: Open Redirect
Subdomain takeover at segway.shipt.com
Reported by: plenum | Disclosed:
Severity: Medium
Bounty: $300.00
Multiple Subdomain Takeovers: fly.staging.shipt.com, fly.us-west-2.staging.shipt.com, fly.us-east-1.staging.shipt.com
Reported by: mubassirpatel | Disclosed:
Severity: Medium
Weakness: Reliance on Reverse DNS Resolution for a Security-Critical Action