bug-bounty (457)
google (361)
microsoft (312)
facebook (268)
xss (250)
apple (178)
malware (176)
rce (165)
exploit (140)
cve (111)
account-takeover (104)
bragging-post (101)
phishing (84)
privilege-escalation (82)
csrf (81)
supply-chain (68)
stored-xss (65)
authentication-bypass (63)
dos (62)
browser (61)
reflected-xss (57)
react (52)
cloudflare (50)
reverse-engineering (49)
input-validation (48)
cross-site-scripting (48)
node (47)
aws (47)
access-control (47)
docker (46)
smart-contract (45)
ethereum (44)
sql-injection (43)
defi (43)
ssrf (42)
web-security (42)
web3 (42)
web-application (41)
writeup (37)
oauth (37)
race-condition (36)
burp-suite (35)
vulnerability-disclosure (34)
idor (34)
info-disclosure (34)
cloud (33)
auth-bypass (33)
html-injection (33)
lfi (32)
smart-contract-vulnerability (32)
0
7/10
vulnerability
A clickjacking vulnerability in Instagram's account management endpoint allowed attackers to iframe AJAX responses containing connected application tokens and steal user credentials. The vulnerability existed because requests carrying the `__a=1` parameter returned the sensitive token data as JSON without X-Frame-Options protection, even though the regular UI pages for the same functionality did have that protection in place.
clickjacking
instagram
x-frame-options
token-theft
account-hijacking
ajax-vulnerability
ui-redressing
social-engineering
authentication-bypass
facebook-security
Instagram
Facebook
Mohamed A. Baset
Mostafa Kassem
Seekurity
0
3/10
bug-bounty
Blog post describing two vulnerabilities found in Protonmail: a brute-force attack against the 10-digit password reset code, which enabled account hijacking, and a stored XSS vulnerability in the email inbox that could be triggered via a malicious email subject line. Both issues were reportedly patched by Protonmail.
stored-xss
brute-force
account-hijacking
idor
password-reset
email-security
protonmail
bragging-post
Protonmail
Chand Singh