Smule - HackerOne Reports
Total Reports: 11
Critical: 1
High: 1
Medium: 4
Low: 3
[com.smule.autorap.*] Cloud Messaging/Push Notification service takeover due to clear-text usage of Legacy FCM Server keys in the client app
Reported by: absshax | Disclosed:
Severity: Critical
Weakness: Use of Hard-coded Credentials
Open Redirect on ███
Reported by: assassin_marcos | Disclosed:
Severity: Medium
Weakness: Open Redirect
Error Page Content Spoofing or Text Injection
Reported by: ajayshrimali | Disclosed:
Severity: Low
Weakness: Violation of Secure Design Principles
stored xss in https://www.smule.com
Reported by: hami | Disclosed:
Severity: High
Weakness: Cross-site Scripting (XSS) - Stored
Possible Subdomain Takeover For Inbound Emails
Reported by: cryptic_ | Disclosed:
Weakness: Improper Access Control - Generic
Missing Rate Limit in Forgot Password can Lead to email address leakage of all smule accounts
Reported by: dhakal_ananda | Disclosed:
Severity: Medium
Weakness: Improper Restriction of Authentication Attempts
Open redirect bypass & SSRF Security Vulnerability
Reported by: snwlvl | Disclosed:
Weakness: Server-Side Request Forgery (SSRF)
Missing Rate Limit in Password Change
Reported by: dhakal_ananda | Disclosed:
Severity: Low
Weakness: Improper Restriction of Authentication Attempts
Disclosure of information about the system, configuration files.
Reported by: fr_0_ank | Disclosed:
Severity: Low
Weakness: Information Disclosure
No Rate Limiting On Phone Number Login Leads to Login Bypass
Reported by: done11 | Disclosed:
Severity: Medium
Weakness: Improper Authentication - Generic
Web cache poisoning leads to disclosure of CSRF token and sensitive information
Reported by: d3f4u17 | Disclosed:
Severity: Medium
Weakness: Violation of Secure Design Principles