Researchers discovered an SSRF vulnerability on Airbnb by chaining a third-party open redirect in LivePerson's chat integration, leveraging automated JavaScript endpoint discovery and LivePerson's visitorWantsToChat API parameter to redirect internal API requests to attacker-controlled URLs. Additionally, relative path traversal via encoded backslashes in the path parameter enabled access to non-API endpoints on the LivePerson domain.
A Server-Side Request Forgery (SSRF) vulnerability was discovered in DownNotifier that allowed enumeration of local services through XSPA attacks by bypassing loopback address filters using the 0.0.0.0 address. The vulnerability enabled detection of running services like FTP and HTTP on the server.
Ron Chan discovered an SSRF vulnerability in Google Cloud Platform's Stackdriver Debug feature that allowed attackers to intercept OAuth access tokens from Bitbucket, GitHub, or GitLab by exploiting an unvalidated URL parameter in the resource listing endpoint, which forwarded requests with the user's authorization token to arbitrary attacker-controlled servers.
A researcher discovered a Server-Side Request Forgery (SSRF) vulnerability in Google Sites' Caja server that allowed fetching arbitrary resources from Google's internal Borg cluster management network, exposing sensitive information about internal infrastructure including job details, system users, and resource allocation. The vulnerability was reported to Google's VRP and patched within 48 hours.