Zomato - HackerOne Reports
Total Reports: 110 | Critical: 16 | High: 17 | Medium: 25 | Low: 18
Unauthorized update of merchants' information via /php/merchant_details.php
Reported by: adibou | Disclosed:
Severity: High | Weakness: Improper Access Control - Generic
XSS on zomato.com
Reported by: spam404 | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic
[www.zomato.com] Leaking Email Addresses of merchants via reset password feature
Reported by: prateek_0490 | Disclosed:
Weakness: Improper Access Control - Generic
Information Disclosure through Sentry Instance ███████
Reported by: chajer | Disclosed:
Severity: High | Weakness: Information Exposure Through Debug Information | Bounty: $750.00
Posting to Twitter CSRF on php/post_twitter_authenticate.php
Reported by: kuromatae | Disclosed:
Severity: Low | Weakness: Cross-Site Request Forgery (CSRF) | Bounty: $50.00
Improper Validation at Partners Login
Reported by: ashoka_rao | Disclosed:
Severity: Critical | Weakness: Improper Authentication - Generic | Bounty: $2000.00
[www.zomato.com] Abusing LocalParams (city) to Inject SOLR query
Reported by: zzzhacker13 | Disclosed:
Severity: Low | Weakness: SQL Injection | Bounty: $100.00
Admin Access to a domain used for development and admin access to internal dashboards on that domain
Reported by: prateek_0490 | Disclosed:
Weakness: Improper Access Control - Generic
IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid
Reported by: darwinks | Disclosed:
Severity: High | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $250.00
Self-Stored XSS - Chained with login/logout CSRF
Reported by: madguyyy | Disclosed:
Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $300.00
Potential server misconfiguration leads to disclosure of vendor/ directory
Reported by: h4ckninja | Disclosed:
Severity: Medium | Weakness: Forced Browsing
Visibility Robots.txt file
Reported by: akshay_raj | Disclosed:
Weakness: Information Disclosure
Add upto 10K rupees to a wallet by paying an arbitrary amount
Reported by: ashoka_rao | Disclosed:
Severity: High | Weakness: Business Logic Errors | Bounty: $2000.00
Lack of Password Confirmation for Account Deletion
Reported by: cybrot | Disclosed:
Weakness: Violation of Secure Design Principles
User Profiles Leak PII in HTML Document for Mobile Browser User Agents
Reported by: chriszielinski | Disclosed:
Severity: Medium | Weakness: Privacy Violation
URL is vulnerable to clickjacking
Reported by: hacker_one_one | Disclosed:
Weakness: UI Redressing (Clickjacking)
Mathematical error found in meals for one
Reported by: nikhar123 | Disclosed:
Weakness: Business Logic Errors
[api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query
Reported by: zzzhacker13 | Disclosed:
Severity: Low | Weakness: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | Bounty: $150.00
[www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users
Reported by: riya | Disclosed:
Severity: Low | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $100.00
[Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2
Reported by: inferno- | Disclosed:
Severity: Low | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $100.00