Chaturbate


46 total issues disclosed

$20,750 total paid publicly


Most disclosed (5 disclosures) — Cross-Site Request Forgery (CSRF)




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Stored XSS on chaturbate.com (wish list) | Cross-site Scripting (XSS) - Stored | glc | Low | 2018-11-06 |
| Passive stored XSS at broadcast room | Cross-site Scripting (XSS) - Stored | skavans | High | 2018-11-06 |
| Stored XSS in chat topic due to insecure emoticon parsing on any message type | Cross-site Scripting (XSS) - Stored | avlidienbrunn | Medium | 2018-11-01 |
| Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled before adding Ignore via POST | Business Logic Errors | nismo | Low | 2018-10-31 |
| Open redirect on chaturbate.com (tipping/purchase_success) | Open Redirect | glc | Low | 2018-10-25 |
| Open redirection at https://chaturbate.com/auth/login/ | Open Redirect | shailesh4594 | Low | 2018-10-22 |
| View Failed Approval and Pending videos of other users | None supplied | tismayil | Low | 2018-10-21 |
| Blind SSRF at https://chaturbate.com/notifications/update_push/ | Server-Side Request Forgery (SSRF) | robin0oklay | High | 2018-10-21 |
| Add non-existent room moderator | Improper Input Validation | popeax | Low | 2018-10-20 |
| Homograph attack on redirect URL | Violation of Secure Design Principles | sam75434 | Low | 2018-10-20 |
| No rate limit in affiliate statsapi endpoint | Brute Force | betterknowme | Low | 2018-10-19 |
| No rate limit in stats api token endpoint | Brute Force | betterknowme | Low | 2018-10-19 |
| Update Chat Allowed By Option (without age verification) | Business Logic Errors | yuvraj_dighe | Low | 2018-10-18 |
| XSS on secure.chaturbate through SWF | Cross-site Scripting (XSS) - Reflected | glc | High | 2018-10-18 |
| No rate limiting in changing room subject | None supplied | cunn | Low | 2018-10-09 |
| No rate limiting in starting up a bot | None supplied | cunn | Low | 2018-10-09 |
| Missing CSRF Protection in /stats endpoint | Cross-Site Request Forgery (CSRF) | kaustubh | None | 2018-10-09 |
| Unrestricted POST request size on roomlogin endpoint | Denial of Service | lucach | Low | 2018-10-07 |
| Missing Rate Limitation at /apps/upload_app/ | Business Logic Errors | footstep | Low | 2018-10-07 |
| CSRF on change video thumbnail at https://chaturbate.com | Cross-Site Request Forgery (CSRF) | avinash_ | Low | 2018-10-07 |
| Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com | Improper Access Control - Generic | mase289 | None | 2018-10-04 |
| Internal loop going infinite for cb.setTimeout(func, msecs) in broadcast app | Business Logic Errors | ninjan | None | 2018-10-02 |
| A 10GB file is reachable | Information Disclosure | toth | None | 2018-10-01 |
| Rate limit missing at room login | Brute Force | lucky_sen | Medium | 2018-09-30 |
| CSRF in "send them an email and browser notification" feature | Cross-Site Request Forgery (CSRF) | encrypt | Low | 2018-09-27 |
| Bypass subdomain limits using race condition | Time-of-check Time-of-use (TOCTOU) Race Condition | encrypt | Low | 2018-09-27 |
| Stats Token doesn't expire after deactivating account | Improper Access Control - Generic | encrypt | Low | 2018-09-27 |
| CSRF in REPORT EMOTICON feature | Cross-Site Request Forgery (CSRF) | encrypt | Low | 2018-09-27 |
| Private and group tokens per minute endpoint active for disabled users | Improper Access Control - Generic | encrypt | Low | 2018-09-27 |
| [chatws25.stream.highwebmedia.com] - Reflected XSS in c parameter | Cross-site Scripting (XSS) - Reflected | kazan71p | Medium | 2018-09-26 |
| Password protected rooms: total number of viewers disclosed to unauthorized members | Information Disclosure | batee5a | Low | 2018-09-24 |
| CSRF in cancel group and private show requests | Cross-Site Request Forgery (CSRF) | encrypt | Medium | 2018-09-21 |
| Leaking Username and Password in the URLs via Virustotal, can lead to account takeover | Information Exposure Through Sent Data | smit | None | 2018-09-21 |
| Users may still be able to view chat room panel of password protected rooms | Improper Access Control - Generic | mikkz | Medium | 2018-09-20 |
| Forgot password link not expiring after email change | Improper Authorization | imran_nissar1 | Medium | 2018-09-20 |
| Login form on non-HTTPS page at http://stream.highwebmedia.com/auth/login/ | Cleartext Transmission of Sensitive Information | gujjuboy10x00 | Low | 2018-09-20 |
| Web cache deception attack - exposes token information | Information Disclosure | memon | Medium | 2018-09-20 |
| Homograph attack on redirect URL (https://chaturbate.com/external_link/?url) | Violation of Secure Design Principles | ninjan | Low | 2018-09-20 |
| CSV Injection in the CSV export feature | OS Command Injection | ninjan | Low | 2018-09-20 |
| Blind SSRF on image proxy camo.stream.highwebmedia.com | Server-Side Request Forgery (SSRF) | ninjan | Medium | 2018-09-20 |
| Open redirect in securegatewayaccess.com / secure.chaturbate.com via prejoin_data parameter | Open Redirect | inhibitor181 | Medium | 2018-09-20 |
| CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS | Cross-site Scripting (XSS) - DOM | nahamsec | High | 2018-09-20 |
| Stored XSS against all Chaturbate users using an application name | Cross-site Scripting (XSS) - Stored | nahamsec | Medium | 2018-09-20 |
| Reflected XSS on ssl-ccstatic.highwebmedia.com via player.swf | Cross-site Scripting (XSS) - Reflected | nahamsec | Medium | 2018-09-20 |
| [chaturbate.com] - CSRF Vulnerability on image upload | None supplied | corb3nik | Medium | 2018-09-20 |
| Account Takeover via billing | Improper Authorization | jolteon | Critical | 2018-09-20 |