Web vulnerabilities

The following is a list of some security vulnerabilities I’ve found on various websites. Some of them contain links to more detailed write-ups. You can also find this list on my personal website.

Also check out the Web Security Cheatsheet.

Website Problems Reward Accepted Fixed References
Google (googleplex.com)
XSS $ Yes Yes Blog
Google (google.org)
XSS (stored) $ Yes Yes
Google (google.org)
XSS (DOM) $ Yes Yes Blog
Google (google.org) IDOR, User data information disclosure $ Yes Yes Blog
Google (googleusercontent.com) Image data leak $ Yes No
Google (admin.googleusercontent.com) Image leak None Yes No
Google (storage.googleapis.com) Image leak / auth bypass $ Yes Yes Blog
Google (google.com) 401 phishing attack vuln None No No
Google (earth.google.com/studio) IDOR, Auth Bypass, Null Byte Filename Injection $ Yes Yes Blog
Google (console.firebase.google.com) Auth Bypass $ Yes Yes Blog
Google Code-in (codein.withgoogle.com) XSS $ Yes Yes Blog
Google Code Jam (codejam.withgoogle.com) XSS $ Yes Yes Blog
Google (android.com)
Rate limit vuln None Yes No
Google (g.co) Unrestricted API endpoint $ Yes No
Google (CloudConnectCommunity.com) XSS (reflected, stored), Auth bypass None Yes Yes
Google (WebComponents.org) XSS $ Yes Yes Blog
Google (business.google.com) Open redirect OBB, YouTube Video
Google (threadit.app) XSS (DOM) $ Yes Yes Blog
Google (threadit.app) User data disclosure / Auth bypass $ Yes Yes Blog
Google (threadit.app) Account deletion via clickjacking $ Yes Yes Blog
Google (threadit.app) ACL auth bypass $ Yes Yes Blog
Google (Threadit Chrome Extension) DOM XSS in Gmail $ Yes Yes
Microsoft (earth.minecraft.net) Reflected POST XSS in earth.minecraft.net None Yes Yes
heureka.cz XSS (reflected, stored, DOM), CSRF, API authorization vulnerability T-Shirt, HQ visit, $ Yes Yes Article Czech
leoexpress.com XSS (reflected), API authorization vulnerability None Yes Yes OBB, Blog
mcdonalds.com XSS (reflected) None No OBB, Blog
uloz.to XSS (stored) T-Shirts
Yes Yes
mall.cz XSS (stored) None Yes Yes OBB, YouTube Video, Blog
southwest.com XSS (reflected) None No
vodafone.cz XSS (reflected) None Yes OBB
stahuj.cz XSS (reflected) None No OBB
aukro.cz XSS (stored), unrestricted system directories None Yes
mapy.cz XSS (Stored) None Yes Yes
api.mapy.cz XSS (DOM) None Yes No
zbozi.cz XSS (Stored) None Yes Yes
karaoketexty.cz XSS (reflected) None No No
databazeknih.cz XSS (reflected) None Yes Yes
hyperinzerce.cz XSS (reflected, stored) None No OBB
blibli.com XSS (reflected) None No OBB
domcop.com XSS (stored) None Yes
maxon-campus.net SQLi None Yes Blog
ceskatelevize.cz XSS (reflected) None Yes OBB
yougapi.com XSS (reflected) None No OBB
mobilmania.cz XSS (reflected) None No OBB
erec.com.hr XSS (reflected) None No OBB
mujsoubor.cz XSS None No OBB
top-prace.sk XSS, Path Traversal, CSFR, File listing $ Yes Yes
hotely.cz XSS (reflected) None No OBB
loupak.fun XSS (reflected, stored) None Yes Yes OBB
topreality.sk XSS (reflected) None No OBB
ceskereality.cz XSS (reflected) None No OBB
centrum.cz XSS (reflected) None No OBB
startupjobs.cz User info disclosure via IDOR None Yes Yes
landi.cz XSS (reflected) None No OBB
libris.to XSS (blind) None Yes Yes
mail-tester.com XSS (reflected) None Yes Yes OBB
cenpac.net.nr XSS (reflected) None No OBB
apollos.cz XSS (reflected) None No OBB

Open Bug Bounty, Google Vulnerability Reward Program, HackerOne