Home » Blog » Sinthetic Labs | Breaking the surface

Sinthetic Labs | Breaking the surface

About Sinthetic Labs

Sinthetic Labs is a security research group which aims to make the web a safer place by taking an offensive approach to security. Focusing mainly on web security, we take on the role of a malicious hacker who wants to destroy your life and cause you financial/emotional ruin. There are millions (billions?) of vulnerabilities and security issues which exist due to years of poor programming, ignorance, and laziness. Watch as we discover, exploit, and disclose these issues.

Along with our web security research we also dabble with reverse engineering, OSINT, penetration testing, software auditing, and software development (primarily security related tools). Every so often we open-source some of our tools for the community to use. These tools can be found on our Github page and you can report bugs there too. For updates, new releases, and lots of other information you can follow us on Twitter.

Often we perform Internet-wide automated scans to gather data on services facing the Internet and vulnerable software. We do try to minimize the impact of these scans, and we do appreciate some organizations don’t want us scanning their IP ranges. We (rightly) view the web as a freely accessible resource for everyone to use. Each IP we scan is public with the implication that it can be accessed by anyone. Services which don’t need to face the Internet shouldn’t face the Internet. If you’re a defense contractor and I can access the control panel for your military drones, you’re doing something wrong. You’re always free to drop our requests but the research we do will help build a better, more secure Internet in the future.

A lot of the data we collect we give back to the security community to help understand, mitigate, and risk assess attacks and vulnerabilities. You can find more information and even download this data on our Twitter for updates. If you’re a security guy and want to share data or collaborate on projects, send us a message. We’d love to see what you’re working on.

A look inside Facebook’s source code

Note: None of the code in this post was obtained illegally, nor given to me directly by any Facebook employee at any time.

I’ve always been a fan of Facebook from a technical point of view. They contribute a lot to the open source community and often open source their internal software too. Phabricator, libphutil, and XHP are great examples of that. For a while I contributed a bit to both Phabricator and XHP, and I ended up finding out a lot more about Facebook’s internals than I intended. Read on…

It was mid-2013 and I was busy fixing a few bugs I had encountered while using Phabricator. If my memory serves me correctly the application was throwing a PhutilBootloaderException. I didn’t have much knowledge of how Phabricator worked at the time so I googled the error message. As you’d expect I came across source code and references, but one specific link stood out. It was a Pastebin link.

Of course, this intrigued me. This is what I found…

[emir@dev3003 ~/devtools/libphutil] arc diff --trace
>>> [0] <conduit> conduit.connect()
<<< [0] <conduit> 98,172 us
>>> [1] <exec> $ (cd '/home/emir/devtools/libphutil'; git rev-parse --show-cdup)
<<< [1] <exec> 13,629 us
>>> [2] <exec> $ (cd '/home/emir/devtools/libphutil/'; git rev-parse --verify HEAD^)
<<< [2] <exec> 17,024 us
>>> [3] <exec> $ (cd '/home/emir/devtools/libphutil/'; git diff --no-ext-diff --no-textconv --raw 'HEAD^' --)
>>> [4] <exec> $ (cd '/home/emir/devtools/libphutil/'; git diff --no-ext-diff --no-textconv --raw HEAD --)
>>> [5] <exec> $ (cd '/home/emir/devtools/libphutil/'; git ls-files --others --exclude-standard)
>>> [6] <exec> $ (cd '/home/emir/devtools/libphutil/'; git ls-files -m)
<<< [5] <exec> 73,004 us
<<< [6] <exec> 74,084 us
<<< [4] <exec> 77,907 us
<<< [3] <exec> 80,606 us
>>> [7] <exec> $ (cd '/home/emir/devtools/libphutil/'; git log --first-parent --format=medium 'HEAD^'..HEAD)
<<< [7] <exec> 16,390 us
>>> [8] <conduit> differential.parsecommitmessage()
<<< [8] <conduit> 106,631 us
Linting...
>>> [9] <exec> $ (cd '/home/emir/devtools/libphutil'; git rev-parse --show-cdup)
<<< [9] <exec> 9,976 us
>>> [10] <exec> $ (cd '/home/emir/devtools/libphutil/'; git merge-base 'HEAD^' HEAD)
<<< [10] <exec> 13,472 us
>>> [11] <exec> $ (cd '/home/emir/devtools/libphutil/'; git diff --no-ext-diff --no-textconv --raw '00645a0aec09edc7f0f1f573032991ae94faa01b' --)
>>> [12] <exec> $ (cd '/home/emir/devtools/libphutil/'; git diff --no-ext-diff --no-textconv --raw HEAD --)
>>> [13] <exec> $ (cd '/home/emir/devtools/libphutil/'; git ls-files --others --exclude-standard)
>>> [14] <exec> $ (cd '/home/emir/devtools/libphutil/'; git ls-files -m)
<<< [11] <exec> 19,092 us
<<< [14] <exec> 15,219 us
<<< [12] <exec> 21,602 us
<<< [13] <exec> 43,139 us
>>> [15] <exec> $ (cd '/home/emir/devtools/libphutil/'; git diff --no-ext-diff --no-textconv -M -C --no-color --src-prefix=a/ --dst-prefix=b/ -U32767 '00645a0aec09edc7f0f1f573032991ae94faa01b' --)
<<< [15] <exec> 28,318 us
>>> [16] <exec> $ '/home/engshare/devtools/libphutil/src/parser/xhpast/bin/xhpast' --version
<<< [16] <exec> 11,420 us
>>> [17] <exec> $ '/home/engshare/devtools/arcanist/scripts/phutil_analyzer.php' '/home/emir/devtools/libphutil/src/markup/engine/remarkup/markuprule/hyperlink'
<<< [17] <exec> 490,196 us
>>> [18] <exec> $ '/home/engshare/devtools/arcanist/scripts/phutil_analyzer.php' '/home/engshare/devtools/libphutil/src/markup'
>>> [19] <exec> $ '/home/engshare/devtools/arcanist/scripts/phutil_analyzer.php' '/home/engshare/devtools/libphutil/src/markup/engine/remarkup/markuprule/base'
>>> [20] <exec> $ '/home/engshare/devtools/arcanist/scripts/phutil_analyzer.php' '/home/engshare/devtools/libphutil/src/parser/uri'
>>> [21] <exec> $ '/home/engshare/devtools/arcanist/scripts/phutil_analyzer.php' '/home/engshare/devtools/libphutil/src/utils'
<<< [18] <exec> 498,899 us
<<< [19] <exec> 497,710 us
<<< [20] <exec> 517,740 us
<<< [21] <exec> 556,267 us
>>> [22] <exec> $ '/home/engshare/devtools/libphutil/src/parser/xhpast/bin/xhpast'
<<< [22] <exec> 10,066 us
 LINT OKAY  No lint problems.
Running unit tests...
HipHop Fatal error: Uncaught exception exception 'PhutilBootloaderException' with message 'The phutil library '' has not been loaded!' in /home/engshare/devtools/libphutil/src/__phutil_library_init__.php:124\nStack trace:\n#0 /home/engshare/devtools/libphutil/src/__phutil_library_init__.php(177): PhutilBootloader->getLibraryRoot()\n#1 /home/engshare/devtools/arcanist/src/unit/engine/phutil/PhutilUnitTestEngine.php(53): PhutilBootloader->moduleExists()\n#2 /home/engshare/devtools/arcanist/src/workflow/unit/ArcanistUnitWorkflow.php(113): PhutilUnitTestEngine->run()\n#3 /home/engshare/devtools/arcanist/src/workflow/diff/ArcanistDiffWorkflow.php(1172): ArcanistUnitWorkflow->run()\n#4 /home/engshare/devtools/arcanist/src/workflow/diff/ArcanistDiffWorkflow.php(225): ArcanistDiffWorkflow->runUnit()\n#5 /home/engshare/devtools/arcanist/scripts/arcanist.php(257): ArcanistDiffWorkflow->run()\n#6 {main}

Okay — so this isn’t exactly source code. It’s just some command line output. But it does tell us some interesting information.

  • The person who, likely, posted this was “emir”. This may be the person’s first name, or it could be their first initial and then their surname (E. Mir). It’s clear this output was intended to be seen by another engineer at Facebook, so posting it on Pastebin probably wasn’t the smartest move. This person may have made other slip ups which could make them a target if an attacker sees an opportunity.
  • “dev3003” is the name of the machine emir was working on at the time. This tells us Facebook has at least 3,000 machines reserved for development (assuming “3003” increments from 1, which I’m quite sure it does).
  • `/home/engshare/devtools/` is the path where libphutil and arcanist are installed. `/home/engshare/` is shared between the development machines via NFS if I remember correctly. Nothing overly interesting here, but there are likely other internal scripts located in that directory.
  • There’s also some information about execution times and Git hashes which could be of use but nothing I’d personally look in to.

After this find, I went ahead and tried to similiar pastes which had to been made. I was not disappointed.

[25/10/2013] Promoting The Meme Bank (1/1) - Campaign Update Failed: Campaign 6009258279237: Value cannot be null (Value given: null) TAAL[BLAME_files,www/flib/core/utils/enforce.php,www/flib/core/utils/EnforceBase.php]

Now, this looks to be an exception which was caught and logged. What’s interesting here is it shows us file names and paths. “flib” (Facebook Library) is an internal library which contains useful utilities and functions to help with the development. Let’s go deeper..

[ksalas@dev578 ~/www] ./scripts/intl/intl_string.php scan .
Loading modules, hang on...
Analyzing directory `.'
Error: Command `ulimit -s 65536 && /mnt/vol/engshare/tools/fbt_extractor -tasks 32 '/data/users/ksalas/www-hg'' failed with error #2:
stdout:

stderr:
warning: parsing problem in /data/users/ksalas/www-hg/flib/intern/third-party/phpunit/phpunit/Tests/TextUI/dataprovider-log-xml-isolation.phpt
warning: parsing problem in /data/users/ksalas/www-hg/flib/intern/third-party/phpunit/phpunit/Tests/TextUI/dataprovider-log-xml.phpt
warning: parsing problem in /data/users/ksalas/www-hg/flib/intern/third-party/phpunit/phpunit/Tests/TextUI/log-xml.phpt
warning: parsing problem in /data/users/ksalas/www-hg/scripts/sandcastle/local_testing/script_for_test_commits.php
warning: parsing problem in /data/users/ksalas/www-hg/lib/arcanist/lint/linter/__tests__/hphpast/php-tags-script.lint-test
LEXER: unrecognised symbol, in token rule:'
warning: parsing problem in /data/users/ksalas/www-hg/scripts/intern/test/test.php
warning: parsing problem in /data/users/ksalas/www-hg/scripts/intern/test/test2.php
Fatal error: exception Common.Todo
Fatal error: exception Sys_error("Broken pipe")


Type intl_string.php --help to get more information about how to use this script.

Now we’re getting to the good stuff. We have ksalas on dev578 running what seems to be a string parser. `intl_string.php` tries to run `/mnt/vol/engshare/tools/fbt_extractor`, so we know for sure there are some other scripts in `/mnt/vol/engshare/`. We can also see they use PHP Unit for unit testing, and “www-hg” shouts Mercurial to me. It’s well known they moved from Subversion to Git — I’d put money on it that they’ve been expiermenting with Mercurial too at some point.

“That’s still not god damn source code!” I hear you cry. Don’t worry, someone posted some on Pastebin too.

Index: flib/core/db/queryf.php
===================================================================
--- flib/core/db/queryf.php
+++ flib/core/db/queryf.php
@@ -1104,11 +1104,12 @@
  *  @author rmcelroy
  */
 function mysql_query_all($sql, $ok_sql, $conn, $params) {
+  FBTraceDB::rqsend($ok_sql);
   switch (SQLQueryType::parse($sql)) {
     case SQLQueryType::READ:
       $t_start = microtime(true);
       $result = mysql_query_read($ok_sql, $conn);
       $t_end = microtime(true);
       $t_delta = $t_end - $t_start;
       if ($t_delta > ProfilingThresholds::$queryReadDuration) {
         ProfilingThresholds::recordDurationError('mysql.queryReadDuration',

The file in question is `flib/core/db/queryf.php`. At first glance we can tell it’s a diff of a file which contains a bunch of MySQL-related functions. The function we can see here, `mysql_query_all()`, was written by rmcelroy. From what I can see in the code it’s pretty much a simple function which executes a query, with a little custom logging code. It may be more complex but unfortunately we may never know. 🙁

I’ll post a few more example of code I’ve found, all of which (and more) can be downloaded from the bottom of this post.

diff --git a/flib/entity/user/personal/EntPersonalUser.php b/flib/entity/user/personal/EntPersonalUser.php
index 4de7ad8..439c162 100644
--- a/flib/entity/user/personal/EntPersonalUser.php
+++ b/flib/entity/user/personal/EntPersonalUser.php
@@ -306,13 +306,15 @@ class EntPersonalUser extends EntProfile

   public function prepareFriendIDs() {
     require_module_lazy('friends');
-    // TODO: add privacy checks!
     DT('ReciprocalFriends')->add($this->id);
     return null;
   }

   public function getFriendIDs() {
-    return DT('ReciprocalFriends')->get($this->id);
+    if ($this->canSeeFriends()) {
+      return DT('ReciprocalFriends')->get($this->id);
+    }
+    return array();
   }

   /**
@@ -397,6 +399,7 @@ class EntPersonalUser extends EntProfile
       $this->viewerCanSee,
       array(
         PrivacyConcepts::EXISTENCE,
+        PrivacyConcepts::FRIENDS,
         // Note that we're fetching GENDER here because it's PAI
         // so it's cheap and because we don't want to add a prepareGender
         // call here if we don't have to.
@@ -418,6 +421,10 @@ class EntPersonalUser extends EntProfile
     return must_prepare($this->viewerCanSee)->canSee();
   }

+  protected function canSeeFriends() {
+    return must_prepare($this->viewerCanSee)->canSeeFriends();
+  }
+
    
# update your local master branch
  git checkout master
  git pull --rebase

# never do any work on master branch
# create & switch to new branch instead
  git checkout -b my_branch

# rebase 'my_branch' onto master
  git checkout my_branch
  git rebase master

# list branches
  git branch

# delete 'my_branch' branch
  $ git branch -d my_branch

# shows status
$ git status

stage file, also remove conflict
  $ git add <file>

revert file to head revision
  $ git checkout -- <file>

commit change
  $ git commit -a --amend
    -a       stages all modified files
    --amend  overwrites last commit

show all local history (amend commits, branch changes, etc.)
  $ git reflog

show history (there is lot of options)
  $ git log
  $ git log --pretty=oneline --abbrev-commit --author=plamenko
  $ git log -S"text to search"

show last commit (what is about to be send for diff)
  $ git show

get the version of the file from the given commit
  $ git checkout <commit> path/to/file

fetch & merge
  $ git pull --rebase

resolving conflicts:
  use ours:
    $ git checkout --ours index.html
  use theirs:
    $ git checkout --theirs index.html

commit author:
  $ git config --global user.name "Ognjen Dragoljevic"
  $ git config --global user.email plamenko@fb.com

  After doing this, you may fix the identity used for this commit with:
  $ git commit --amend --reset-author

commit template:
  /mnt/vol/engshare/admin/scripts/templates/git-commit-template.txt

rename a branch:
  $ git branch -m old_branch new_branch

interactive rebase
  $ git rebase -i master
  pick
  edit
    make changes
    ...
    $ git commit -a --amend
    $ git rebase --continue
  exec
    $ arc diff
    $ arc amend
    $ git push --dry-run origin HEAD:master // remove dry-run to do actual push
    ...

to update commit message in phabricator
  $ arc diff --verbatim
#!/bin/bash
#
# Creates a new www sandbox managed by git.
#
# Usage: git-clone-www [dirname]
#
# dirname defaults to "www-git".
#

DIRNAME=${1:-www-git}

NFS_REPO=/home/engshare/git/tfb

# Are we running on a machine that has a local shared copy of the git repo?
if [ -d /data/git/tfb ]; then
  # Yes. Reuse its objects directory.
  echo "Cloning the local host's shared www repository..."
  PARENT=/data/git/tfb
  SHARE=-s
else
  # Nope, copy the NFS server's objects locally so as not to be dog slow.
  echo "Copying from the shared www repository on the NFS server..."
  PARENT=$NFS_REPO
  SHARE=
fi

if [ ! -d $HOME/local ]; then
  echo "You don't seem to have a 'local' symlink in your home directory."
  echo "Fix that and try again."
  exit 1
fi

cd $HOME/local
if [ -d "$DIRNAME" ]; then
  echo "You already have a $DIRNAME directory; won't overwrite it."
  echo "Aborting."
  exit 1
fi

# We clone the shared repository here rather than running "git svn clone"
# because it's much, much more efficient. And the clone has some options:
#
# -n = Don't check out working copy yet.
# -s = Reference the origin's .git/objects directory rather than copying.
#      Saves gobs of disk space and makes the clone nearly instantaneous.
#      We don't do this if there's no local-disk shared repo.

git clone $SHARE -n "$PARENT" "$DIRNAME"

cd "$DIRNAME"

# If we're sharing a local repository's objects, use the NFS server as a
# fallback so stuff doesn't break if we use this repo from another host
# that doesn't have a /data/git/tfb directory.
ALTERNATES=.git/objects/info/alternates
if [ -s $ALTERNATES ]; then
  echo $NFS_REPO/.git/objects >> $ALTERNATES
fi

# We want to use the same remote branch name ("remotes/trunk") for git-svn
# and for fetches from the shared git repo, so set that up explicitly.
git config remote.origin.url "file://$PARENT/.git"
git config remote.origin.fetch refs/remotes/trunk:refs/remotes/trunk
git config --remove-section branch.master

# Enable the standard commit template
git config commit.template /home/engshare/admin/scripts/templates/git-commit-template.txt

# Enable recording of rebase conflict resolutions
git config rerere.enabled true

# Now fetch from the shared repo. This mostly just creates the new "trunk"
# branch since we already have the objects thanks to the initial "git clone".
git fetch origin

# Blow away the "origin/" branches created by "git clone" -- we don't need them.
rm -rf .git/refs/remotes/origin

# Now it's time to turn this plain old git repo into a git-svn repo. Really
# all we need is the svn-remote configuration (installed above) and a
# metadata file with some version information. git-svn is smart enough to
# rebuild the other stuff it needs.

echo ""
echo "Synchronizing with svn..."

git svn init -itrunk svn+ssh://tubbs/svnroot/tfb/trunk/www

# Now tweak the git-svn config a little bit so it's easier for someone to
# go add more "fetch" lines if they want to track svn-side branches in
# addition to trunk. This doesn't affect any of the existing history.
git config svn-remote.svn.url svn+ssh://tubbs/svnroot
git config svn-remote.svn.fetch tfb/trunk/www:refs/remotes/trunk

# Let git-svn update its mappings and fetch the latest revisions. This can
# spew lots of uninteresting output so suppress it.
git svn fetch > /dev/null

echo ""
echo "Checking out working copy..."

# We use git reset here because the git svn fetch might have advanced trunk
# to a newer revision than the master branch created by git clone.
git reset --hard trunk

if [ ! -d "$HOME/$DIRNAME" ]; then
  echo ""
  echo "Making home dir symlink: $HOME/$DIRNAME"
  ln -s "local/$DIRNAME" "$HOME/$DIRNAME"
else
  echo ""
  echo "$HOME/$DIRNAME already exists; leaving it alone."
fi

echo ""
echo "All done. To make this your new main sandbox directory, run"
echo ""
echo "    rm -rf ~/www"
echo "    ln -s ~/$DIRNAME ~/www"
echo ""

Lastly, I wanted to share something which I found quite amusing. Facebook’s MySQL password. This came from what seems to be a `print_r()` of an array which made its way in to production a few years ago.

array ( 'ip' => '10.21.209.92', 'db_name' => 'insights', 'user' => 'mark', 'pass' => 'e5p0nd4', 'mode' => 'r', 'port' => 3306, 'cleanup' => false, 'num_retries' => 3, 'log_after_num_retries' => 4, 'reason' => 'insights', 'cdb' => true, 'flags' => 0, 'is_shadow' => false, 'backoff_retry' => false, )
Host: 10.21.209.92 (Private IP)
Database Name: insights
User: mark
Password: e5p0nd4

Okay, so it’s not the most secure password. But Facebook’s database servers are heavily firewalled. Though if you do manage to break in to Facebook’s servers, there’s the password.

Edit: Mark Zuckerberg was an officer at the Jewish fraternity Alpha Epsilon Pi. The motto on their coat of arms is “ESPONDA”. 🙂

So what have we learnt today? I think the main thing to take away from this is you shouldn’t use public services such as Pastebin to post internal source code. Some creepy guy like me is going to collect it all and write about it. Another thing is to make sure debug information is never pushed to production. I didn’t put much effort in to this but there will be more of Facebook’s source code floating around out there.

Again I’d like to stress that everything I have posted here was already available on the Internet. All I needed to do was search for it. And here’s the download:

URL: facebook_source_code.zip
Password: sintheticlabs.com

If you enjoyed this post and want to see more, follow @SintheticLabs on Twitter.

Public HackerOne bug reports.

Public HackerOne bug reports.

4,419 Bug Reports – $2,030,173 Paid Out
Last Updated: 12th September, 2017
★ 1st Place: shopify-scripts ($441,600 Paid Out)
★ 2nd Place: Uber ($208,700 Paid Out)
★ 3rd Place: HackerOne ($142,700 Paid Out)

Highest Bounty Paid: $20,000 by shopify-scripts for Type confusion in mrb_exc_set leading to memory corruption

Show Bounties Only

Team Bounty Title
Legal Robot design issue exists on login page
Legal Robot Coding error !
TTS Bug Bounty {REDACTED}.data.gov subdomain takeover.
Legal Robot Insufficient Security Configurability-Weak Registration Implementation-Allows Disposable Email Addresses
Legal Robot I cant login to my account
TTS Bug Bounty Email Spoofing – SPF record set to Neutral
TTS Bug Bounty Email Spoofing – SPF record set to Neutral
Legal Robot Improper error message
Legal Robot Email Length Verification
TTS Bug Bounty federalist.18f.gov vulnerable to Sweet32 attack
TTS Bug Bounty Subdomain take-over of {REDACTED}.18f.gov
Legal Robot Name can’t be numbers or email
Gratipay Reflected XSS – gratipay.com
HackerOne ★ IDOR on HackerOne Feedback Review
Gratipay Gratipay rails secret token (secret_key_base) publicly exposed in GitHub
Legal Robot Password Restriction On Change
Legal Robot UX: JS error on Password Safety link
Gratipay xss
Unikrn $200 HTML injection in email in unikrn.com
Legal Robot Information disclosure
Rockstar Games $500 dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass)
Legal Robot Special characters are not filtered out on profile fields
Legal Robot Change password session fixed
Legal Robot Weak Cryptography for Passwords
Legal Robot $20 No length limit in invite_code can cause server degradation
Legal Robot $20 CSP script-src includes “unsafe-inline”
Legal Robot $20 Improper validation of parameters while creating issues
Legal Robot $100 Update any profile
Legal Robot Invalid Email Verification
Legal Robot $20 first name and last name restrictions bypass
Legal Robot $20 TabNabbing issue (due to taget=_blank)
Legal Robot Tampering the mail id on chatbox
Legal Robot $20 Incorrect error message
Legal Robot $20 Incorrect email content when disabling 2FA
Legal Robot $20 Lengthy manual entry of 2FA secret
Trello $128 A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Udemy No password length restriction
ownCloud owncloud.com open redirect
Quora $500 [Quora Android] Possible to steal arbitrary files from mobile device
WordPress Clickjacking – https://mercantile.wordpress.org/
Snapchat $5,000 RCE/LFI on test Jenkins instance due to improper authentication flow
Gratipay Sub domain take over in gratipay.com
Ruby Open aws s3 bucket s3://rubyci
Udemy CSRF Token
Legal Robot $40 Code injection
Khan Academy Weak Bithdate Validation Implemented on Sign Up
WakaTime Impersonation of Wakatime user using Invitation functionality.
ownCloud This is not the security issue.
Legal Robot $20 User enumeration from failed login error message
Udemy Violation of secure design principle
Udemy Weak Password
Legal Robot Mixed Content over HTTPS
Brave Software $200 URL Spoof / Brave Shield Bypass
Khan Academy Password Functionality not working correctly
Legal Robot $20 Change password logic inversion
Legal Robot $20 Profile fields validation bypass
arxius No Email Verification and No email sent on Forget Pasword
Phabricator Credential gets exposed
Legal Robot LUCKY13 (CVE-2013-0169) effects legalrobot.com
WakaTime Failure to check password history
Legal Robot Create Api Key is not working
Legal Robot $20 Profile shows incorrect account creation date
Legal Robot Password Reset page Session Fixation
Legal Robot Lack of input validation in e-mail & user name, job title, company name field
Legal Robot SSL : breach compression attack (CVE-2013-3587) effects legalrobot.com
Coinbase Device confirmation Flaw
Rockstar Games $500 dom based xss in https://www.rockstargames.com/GTAOnline/
Bitvise $100 The POODLE attack (SSLv3 supported)
Unikrn $50 Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename
Boozt Fashion AB $60 Password reset token issue
Legal Robot $20 [Cross-domain Referer leakage] Password reset token leakage via referer
Automattic $225 XSS Vulnerability in WooCommerce Product Vendors plugin
Rockstar Games $600 CSRF Vulnerability allows attackers to steal SocialClub private token.
Dropbox Missing URL sanitization in comments can be leveraged for phishing
Phabricator Hyper Link Injection In email and Space Characters Allowed at Password Field.
Tor [Android org.torproject.android] Possible to force list of bridges
Legal Robot $20 Token leakage by referrer header & analytics
Zomato $500 Restaurant payment information leakage
Unikrn $40 Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg]

Leave a Comment