0
6/10
bug-bounty
A researcher exploited missing X-Frame-Options headers on API endpoints that disclosed sensitive user data (credit cards, emails, addresses). The endpoints were embedded in invisible iframes within a fake lottery page, and social engineering was used to trick users into copying and pasting their data. The findings earned $1800 across multiple reports.
clickjacking
x-frame-options
sensitive-data-disclosure
api-security
social-engineering
bug-bounty
html-injection
iframe-abuse
Osama Avvan
Bugcrowd
0
8/10
vulnerability
A stored XSS vulnerability in webcomponents.org allowed attackers to inject malicious JavaScript via repository homepage URLs, enabling theft of GitHub OAuth authorization codes and account hijacking to star repositories on behalf of authenticated users.
stored-xss
oauth-attack
github-integration
account-takeover
polymer
webcomponents
same-origin-bypass
iframe-abuse
authorization-code-interception
webcomponents.org
GitHub
Thomas Orlita
Polymer