Researcher bypassed 2FA on a private program by discovering that the 2FA verification endpoint did not validate the Google Captcha header (unlike the login endpoint), allowing brute-force of TOTP codes within the 59-second window using 888 threads in Burp Intruder.
A SQL injection vulnerability was discovered in the login endpoint of bootcamp.nutanix.com where unsanitized user input in the email and password JSON parameters allowed extraction of database version information via error-based SQLi techniques. The vulnerability was exploited using simple quote injection and extractvalue() functions to trigger MySQL errors revealing system details.
An IDOR vulnerability in Facebook Events allowed attackers to add any user—including non-friends and blocked contacts—as co-hosts to personal events by tampering with the co_hosts parameter in the event creation request. The vulnerability was patched by Facebook and rewarded $750 through their bug bounty program.