A researcher discovered a reflected XSS vulnerability in a language parameter whose response was cached by the web server, and escalated it to account takeover by using web cache poisoning to persist the malicious payload for every user visiting the site; the takeover was possible because the session cookies lacked the HttpOnly and Secure flags and no CSP was in place.
A security researcher discovered a rate-limiting vulnerability in Microsoft's password reset flow that could be exploited via concurrent requests to brute-force 7-digit security codes, bypassing encryption and rate limits to enable account takeover even on accounts with 2FA enabled. Microsoft patched the vulnerability and awarded a $50,000 bounty.
A vulnerability in Instagram's account reactivation process allowed attackers to reactivate deactivated accounts using only credentials, bypassing two-factor authentication that should have been required. The issue was fixed by Instagram after being reported through their bug bounty program, resulting in a $500 bounty award.
A comprehensive writeup documenting multiple race condition vulnerabilities discovered across major platforms including Cobalt.io, Facebook, Mega, and Keybase, demonstrating how concurrent requests can bypass security controls for unauthorized financial transactions, account confirmations, and resource redemptions. The article includes detailed exploitation techniques and timelines of responsible disclosure across various bug bounty programs.
A developer at Stripe relied on a client-side HTML "disabled" class to lock the interface during account lockout/session timeout, so an attacker with a logged-in session could use the browser's inspect element to remove the class, bypass the authentication check, and invite themselves as an administrator. The vulnerability was fixed after responsible disclosure with a $500 bounty.
A CSRF vulnerability was discovered in a web application's address deletion feature that lacked CSRF token protection, compounded by a predictable numeric addressId parameter that could be brute-forced via JavaScript to delete arbitrary user addresses. The researcher developed a proof-of-concept that sends hundreds of requests with sequential addressId values from a victim's browser to identify and delete their saved addresses.
Cybercriminals steal airline miles and loyalty account credentials, converting them into flights and hotel stays for resale on underground markets as discounted travel packages.