Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3378540 by theokeen
I received an email from the new points and rewards system stating that I had reached Level 4, and the reward was a 3-month Burp Suite Pro license (sponsored by PortSwigger). The email included a “Redeem it here” button, which redirected me to a Google Form. After filling out the form, I received a valid license in my email.
The issue is that there is no validation or verification tied to the user’s account, which allows an attacker to obtain multiple licenses simply by using different email addresses.
Evidence
Email content (relevant section):
Hi theokeen, You’ve reached Level 4!
After an initial 2FA bypass vulnerability was “fixed” by removing the isVerifyAuth cookie from local storage, the application still trusted this value if it existed.
HackerOne disclosed report --> https://hackerone.com/reports/3370430 by hossam25
What started as a simple JavaScript analysis ended in a broken OAuth flow that allowed unauthenticated access to protected APIs — and a €1500 bug bounty reward.