bug-bounty457
google360
microsoft310
facebook264
xss250
apple176
malware175
rce165
exploit140
cve111
account-takeover104
bragging-post102
phishing84
privilege-escalation82
csrf81
supply-chain68
stored-xss65
authentication-bypass64
dos62
browser60
reflected-xss57
react52
cloudflare50
reverse-engineering49
access-control48
input-validation48
cross-site-scripting48
aws47
node46
docker46
smart-contract45
ethereum44
sql-injection43
defi43
web-security43
ssrf42
web342
web-application41
writeup37
oauth37
race-condition36
burp-suite35
info-disclosure34
idor34
vulnerability-disclosure34
auth-bypass33
cloud33
html-injection33
buffer-overflow32
smart-contract-vulnerability32
0
8/10
A Salesforce API access token was exposed to users' browsers during file uploads on IKEA.com's customer support forms, allowing attackers to access unrestricted customer data via the Salesforce REST API. The token lacked proper permission scoping and revealed 465 object types accessible, including customer account names and phone numbers.
api-token-exposure
credential-leakage
salesforce
crmapi
insufficient-access-controls
data-exfiltration
bug-bounty
responsible-disclosure
rest-api-abuse
web-form-exploitation
reconnaissance
ikea
IKEA.com
Salesforce
Jonathan Bouman
Zerocopter
Amass
Burp Suite
Param Miner
CVE-like-equivalent-not-assigned