bug-bounty448
google355
microsoft313
facebook262
xss238
apple180
malware174
rce149
exploit124
bragging-post101
cve99
account-takeover93
phishing83
csrf79
privilege-escalation77
stored-xss65
supply-chain65
authentication-bypass63
dos60
reflected-xss57
browser57
react50
cloudflare49
reverse-engineering48
input-validation48
cross-site-scripting48
access-control47
smart-contract45
docker45
aws45
node44
ethereum43
web343
sql-injection43
web-security42
defi42
web-application41
ssrf38
burp-suite35
vulnerability-disclosure34
idor34
race-condition33
html-injection33
info-disclosure33
smart-contract-vulnerability32
writeup32
buffer-overflow32
cloud32
oauth32
information-disclosure30
0
6/10
A CORS misconfiguration in Twitter's niche platform allowed attackers to bypass origin validation by leveraging subdomain prefix matching (niche.co.evil.net) to steal private user data including images, emails, and CSRF tokens synced from Facebook, Instagram, and Twitter. The vulnerability was exploited via a simple JavaScript POC that exfiltrated sensitive information when visited by logged-in users.
cors-misconfiguration
cors
same-origin-policy
cross-origin-resource-sharing
horizontal-privilege-escalation
sensitive-data-leakage
oauth
api-security
subdomain-takeover-adjacent
browser-security
credentials-leakage
twitter
facebook
instagram
bug-bounty
bragging-post
Twitter
Facebook
Instagram
niche (Twitter product)
Rohan Aggarwal
HackerOne
Burp Suite