Zomato - HackerOne Reports
Total Reports: 110
Critical: 16
High: 17
Medium: 25
Low: 18

Availing Zomato Gold by using a random third-party `wallet_id`
Reported by: pandaaaa | Disclosed:
Severity: Critical
Weakness: Business Logic Errors
Bounty: $2000.00

HTML injection leads to reflected XSS
Reported by: haxor5392 | Disclosed:
Severity: Low
Weakness: Code Injection
Bounty: $150.00

[www.zomato.com] Tampering with Order Quantity and paying less than the actual amount, leads to business loss
Reported by: akhil-reni | Disclosed:
Severity: High
Weakness: Business Logic Errors
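The order-quantity report above is an instance of a general pattern: the client submits quantities and a total, and the server charges what it was told. The following is an added example, not code from the report or from Zomato, showing the server-side check that closes that class of bug: prices come from the server's own catalog, quantities are validated as positive bounded integers, and the total is recomputed and compared with whatever the client claimed. The item names, prices and the `checkout` request shape are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog for the example. In a real shop this is the server's
# own price table; it is never read from the client request.
CATALOG = {
    "biryani": Decimal("250.00"),
    "naan": Decimal("40.00"),
}

MAX_QTY_PER_LINE = 50


class OrderError(ValueError):
    """Raised for any request that must not reach the payment step."""


def compute_total(lines):
    """Recompute the order total from server-side prices.

    `lines` is the client's submitted list of {"item": ..., "qty": ...}.
    Only the item id and quantity are taken as input; the unit price and
    the total are derived here and never trusted from the request.
    """
    if not isinstance(lines, list):
        raise OrderError("lines must be a list")
    total = Decimal("0.00")
    for line in lines:
        item = line.get("item")
        qty = line.get("qty")
        if item not in CATALOG:
            raise OrderError(f"unknown item {item!r}")
        # Reject bools, floats, strings, zero and negatives: a qty of -1 on
        # one line offsetting another is how "pay less than the actual
        # amount" tampering usually starts.
        if type(qty) is not int or qty < 1 or qty > MAX_QTY_PER_LINE:
            raise OrderError(f"invalid quantity {qty!r} for {item}")
        total += CATALOG[item] * qty
    if total <= 0:
        raise OrderError("empty order")
    return total


def checkout(request):
    """Validate a checkout request dict and return the amount to charge.

    The client-supplied "amount" is only used as a consistency check; the
    value returned (and charged) is always the server-computed total.
    """
    total = compute_total(request.get("lines", []))
    try:
        claimed = Decimal(str(request.get("amount", "0")))
    except InvalidOperation:
        raise OrderError("amount is not a number")
    if claimed != total:
        raise OrderError(f"client amount {claimed} != server total {total}")
    return total


def rejects(request):
    """True if `checkout` refuses the request (used to exercise the checks)."""
    try:
        checkout(request)
    except OrderError:
        return False or True
    return False
```

Integer `Decimal` arithmetic is used rather than floats so that the comparison with the client's amount is exact; a float total can differ from the submitted string by a rounding error and produce spurious rejections, which tempts developers into loosening the check.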

Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json
Reported by: zzzhacker13 | Disclosed:
Severity: Critical
Weakness: SQL Injection
Bounty: $2000.00

[auth2.zomato.com] Reflected XSS at `oauth2/fallbacks/error` | ORY Hydra an OAuth 2.0 and OpenID Connect Provider
Reported by: sudi | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected

Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day
Reported by: dertajora | Disclosed:
Severity: Low
Weakness: Business Logic Errors

Twitter Disconnect CSRF
Reported by: hussain_0x3c | Disclosed:
Weakness: Cross-Site Request Forgery (CSRF)

Page has a link to Google Drive which has logos and a few customer phone recordings
Reported by: codersanjay | Disclosed:
Severity: Medium
Weakness: Cleartext Storage of Sensitive Information
Bounty: $200.00

Free food bug done by Burp Suite
Reported by: joker7889 | Disclosed:
Weakness: Man-in-the-Middle

Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com
Reported by: defparam | Disclosed:
Severity: Critical
Weakness: HTTP Request Smuggling

Reflected XSS on https://www.zomato.com
Reported by: strukt | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected

[www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s)
Reported by: pasw | Disclosed:
Severity: Medium
Weakness: Business Logic Errors

SSRF in https://www.zomato.com████ allows reading local files and website source code
Reported by: adibou | Disclosed:
Severity: Critical
Weakness: Server-Side Request Forgery (SSRF)

NexTable: Credentials exposure
Reported by: mrtuxracer | Disclosed:
Severity: High
Weakness: Cryptographic Issues - Generic

The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking.
Reported by: b71728d7009b6664f0e2350 | Disclosed:
Weakness: Cross-Site Request Forgery (CSRF)

[www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at **clients/promoDataHandler.php**
Reported by: prateek_0490 | Disclosed:
Weakness: Insecure Direct Object Reference (IDOR)

[www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato
Reported by: prateek_0490 | Disclosed:
Weakness: Insecure Direct Object Reference (IDOR)
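Both IDOR reports above describe the same handler shape: a POST carrying an object id (a promo, a special menu) that the server acts on without checking which client account owns that object. The following is an added example, not code from the reports or from Zomato, contrasting that pattern with a hardened handler that resolves the object, checks it belongs to a restaurant the calling account manages, and returns the same "not found" error for missing and foreign ids so the endpoint cannot be used to enumerate valid ones. It also covers the "ALL" case from the first title: a bulk deactivate that is scoped to the caller's own restaurants. The promo table, the account-to-restaurant map and the function names are constructed for the example.

```python
# Constructed sample data for the example; not Zomato's schema or code.
def make_store():
    """Fresh promo table keyed by promo id; each row records its owner."""
    return {
        101: {"restaurant_id": 7, "active": True},
        102: {"restaurant_id": 7, "active": True},
        201: {"restaurant_id": 9, "active": True},
    }


# Which restaurants each authenticated client account may manage. A real
# deployment derives this from the session, never from request parameters.
ACL = {"client_a": {7}, "client_b": {9}}


class NotFound(LookupError):
    """Single error for 'no such object' and 'not your object'."""


def deactivate_promo_vulnerable(store, promo_id):
    """The IDOR pattern: the handler trusts the submitted id and never asks
    which account is calling, so any client can deactivate any promo."""
    store[promo_id]["active"] = False
    return promo_id


def owned_restaurants(acl, principal):
    """Restaurants the calling account manages (empty set if unknown)."""
    return acl.get(principal, set())


def deactivate_promo(store, acl, principal, promo_id):
    """Hardened handler: resolve the object, then verify it belongs to a
    restaurant the caller manages before touching it."""
    promo = store.get(promo_id)
    owned = owned_restaurants(acl, principal)
    # Same error for "no such promo" and "not yours": distinguishing them
    # would let a caller enumerate which ids exist.
    if promo is None or promo["restaurant_id"] not in owned:
        raise NotFound("promo not found")
    promo["active"] = False
    return promo_id


def deactivate_all_promos(store, acl, principal):
    """Bulk variant: the set of affected rows is derived from the caller's
    ownership, not from a client-supplied list of ids."""
    owned = owned_restaurants(acl, principal)
    touched = sorted(pid for pid, p in store.items()
                     if p["restaurant_id"] in owned)
    for pid in touched:
        store[pid]["active"] = False
    return touched


def attempt(store, acl, principal, promo_id):
    """True if the hardened handler allowed the change (helper for tests)."""
    try:
        deactivate_promo(store, acl, principal, promo_id)
    except NotFound:
        return False
    return True
```

The check is deliberately placed on the object after lookup rather than on the request before it: "does this promo belong to the caller" is a property of the row, and checking it there means every code path that loads the row (single delete, bulk delete, edit) shares one authorization decision.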

Reflected XSS on business-blog.zomato.com - Part 2
Reported by: dsopas | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

XSS in "explore-keywords-dropdown" results.
Reported by: gcurtiss_ | Disclosed:
Weakness: Cross-site Scripting (XSS) - Reflected

Unvalidated redirect on user profile website
Reported by: roshanpty | Disclosed:
Weakness: Open Redirect
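The open redirect entry above does not say how the target was validated, so the following is an added example, not code from the report or from Zomato, of a redirect-target check that handles the bypasses practitioners usually test for: protocol-relative `//host` targets, the `/\host` form that browsers normalise to `//host`, userinfo tricks such as `https://allowed-host@evil`, `javascript:` and other non-https schemes, lookalike hosts, and leading whitespace or control characters. The allowlisted host and the function name are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: only absolute targets on these
# hosts are accepted; everything else falls back to the default path.
ALLOWED_HOSTS = {"www.zomato.com"}


def safe_redirect_target(raw, default="/"):
    """Return `raw` if it is a safe destination for a 302, else `default`.

    Safe means either a same-site relative path, or an https URL whose
    parsed hostname (not a substring match) is in ALLOWED_HOSTS.
    """
    if not raw:
        return default
    # Browsers strip tabs/newlines and tolerate leading spaces when parsing
    # URLs, so "\t//evil" can parse differently client-side than here.
    # Refuse anything containing whitespace or C0 controls outright.
    if any(ord(c) < 0x21 for c in raw):
        return default

    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL. "//evil.com" lands here with an
        # empty scheme; "javascript:..." lands here with a non-https scheme;
        # "https://www.zomato.com@evil.com/" parses hostname as evil.com.
        if parts.scheme.lower() != "https":
            return default
        if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
            return default
        return raw

    # Relative target: require a single leading "/" so it stays on this
    # origin. "//host" is protocol-relative and "/\host" is treated as
    # "//host" by browsers even though urlsplit sees only a path.
    if not raw.startswith("/") or raw.startswith("//") or raw.startswith("/\\"):
        return default
    return raw
```

Matching on `parts.hostname` rather than testing whether the string starts with or contains the allowed host is what defeats `www.zomato.com.evil.com` and `evil.com/www.zomato.com`; a prefix check on the raw string passes both.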