6/10
A CORS misconfiguration in Twitter's niche platform allowed attackers to bypass origin validation by leveraging prefix matching in the origin check: an attacker-controlled host such as niche.co.evil.net begins with the trusted domain and was accepted. This let attackers steal private user data, including images, emails, and CSRF tokens synced from Facebook, Instagram, and Twitter. The vulnerability was exploited via a simple JavaScript PoC page that exfiltrated the sensitive information when a logged-in user visited it.
cors-misconfiguration
cors
same-origin-policy
cross-origin-resource-sharing
horizontal-privilege-escalation
sensitive-data-leakage
oauth
api-security
subdomain-takeover-adjacent
browser-security
credentials-leakage
twitter
facebook
instagram
bug-bounty
bragging-post
Twitter
Facebook
Instagram
niche (Twitter product)
Rohan Aggarwal
HackerOne
Burp Suite