Chaturbate Program Statistics

46 total issues disclosed

$20,750 total paid publicly

Most disclosed (5 disclosures) — Cross-Site Request Forgery (CSRF)

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Stored XSS on (wish list) | Cross-site Scripting (XSS) - Stored | glc | Low | 2018-11-06 |
| Passive stored XSS at broadcast room | Cross-site Scripting (XSS) - Stored | skavans | High | 2018-11-06 |
| Stored XSS in chat topic due to insecure emoticon parsing on any message type | Cross-site Scripting (XSS) - Stored | avlidienbrunn | Medium | 2018-11-01 |
| Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled before adding Ignore via POST | Business Logic Errors | nismo | Low | 2018-10-31 |
| Open redirect on (tipping/purchase_success) | Open Redirect | glc | Low | 2018-10-25 |
| Open redirection at | Open Redirect | shailesh4594 | Low | 2018-10-22 |
| View Failed Approval and Pending videos other users | None supplied | tismayil | Low | 2018-10-21 |
| Blind SSRF at | Server-Side Request Forgery (SSRF) | robin0oklay | High | 2018-10-21 |
| Add non-existent room moderator | Improper Input Validation | popeax | Low | 2018-10-20 |
| Homograph attack on redirect URL | Violation of Secure Design Principles | sam75434 | Low | 2018-10-20 |
| No rate limit in affiliate statsapi endpoint | Brute Force | betterknowme | Low | 2018-10-19 |
| No rate limit in stats api token endpoint | Brute Force | betterknowme | Low | 2018-10-19 |
| Update Chat Allowed By Option ( without age verification ) | Business Logic Errors | yuvraj_dighe | Low | 2018-10-18 |
| XSS on secure.chaturbate through SWF | Cross-site Scripting (XSS) - Reflected | glc | High | 2018-10-18 |
| No rate limiting in changing room subject. | None supplied | cunn | Low | 2018-10-09 |
| No rate limiting in starting up a bot. | None supplied | cunn | Low | 2018-10-09 |
| Missing CSRF Protection in /stats EndPoint. | Cross-Site Request Forgery (CSRF) | kaustubh | None | 2018-10-09 |
| Unrestricted POST request size on roomlogin endpoint | Denial of Service | lucach | Low | 2018-10-07 |
| Missing Rate Limitation at /apps/upload_app/ | Business Logic Errors | footstep | Low | 2018-10-07 |
| CSRF on change video thumbnail at | Cross-Site Request Forgery (CSRF) | avinash_ | Low | 2018-10-07 |
| Cross-origin resource sharing: arbitrary origin trusted on | Improper Access Control - Generic | mase289 | None | 2018-10-04 |
| Internal loop going to infinite for cb.setTimeout(func, msecs) for broadcast app. | Business Logic Errors | ninjan | None | 2018-10-02 |
| A 10GB file is reachable | Information Disclosure | toth | None | 2018-10-01 |
| Rate limit missing at room login | Brute Force | lucky_sen | Medium | 2018-09-30 |
| CSRF in "send them an email and browser notification" feature | Cross-Site Request Forgery (CSRF) | encrypt | Low | 2018-09-27 |
| Bypass subdomain limits using race condition | Time-of-check Time-of-use (TOCTOU) Race Condition | encrypt | Low | 2018-09-27 |
| Stats Token doesn't expire after deactivating account | Improper Access Control - Generic | encrypt | Low | 2018-09-27 |
| CSRF in REPORT EMOTICON feature | Cross-Site Request Forgery (CSRF) | encrypt | Low | 2018-09-27 |
| Private and group tokens per minute endpoint active for disabled users | Improper Access Control - Generic | encrypt | Low | 2018-09-27 |
| [] - Reflected XSS in c parameter | Cross-site Scripting (XSS) - Reflected | kazan71p | Medium | 2018-09-26 |
| Password protected rooms total number of viewers disclosure to unauthorized members | Information Disclosure | batee5a | Low | 2018-09-24 |
| CSRF in cancel group and private show requests | Cross-Site Request Forgery (CSRF) | encrypt | Medium | 2018-09-21 |
| Leaking Username and Password in the URLs via Virustotal, can leads to account takeover | Information Exposure Through Sent Data | smit | None | 2018-09-21 |
| Users may still able to view chat room panel of password protected rooms | Improper Access Control - Generic | mikkz | Medium | 2018-09-20 |
| Forget password link not expiring after email change. | Improper Authorization | imran_nissar1 | Medium | 2018-09-20 |
| Login form on non-HTTPS page on | Cleartext Transmission of Sensitive Information | gujjuboy10x00 | Low | 2018-09-20 |
| Web cache deception attack - expose token information | Information Disclosure | memon | Medium | 2018-09-20 |
| Homograph attack on redirect URL ( | Violation of Secure Design Principles | ninjan | Low | 2018-09-20 |
| CSV Injection with the CSV export feature | OS Command Injection | ninjan | Low | 2018-09-20 |
| Blind SSRF on image proxy | Server-Side Request Forgery (SSRF) | ninjan | Medium | 2018-09-20 |
| Open redirect in / via prejoin_data parameter | Open Redirect | inhibitor181 | Medium | 2018-09-20 |
| CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS | Cross-site Scripting (XSS) - DOM | nahamsec | High | 2018-09-20 |
| Stored XSS against all Chaturbate users using an application name | Cross-site Scripting (XSS) - Stored | nahamsec | Medium | 2018-09-20 |
| Reflected XSS on via player.swf | Cross-site Scripting (XSS) - Reflected | nahamsec | Medium | 2018-09-20 |
| [] - CSRF Vulnerability on image upload | None supplied | corb3nik | Medium | 2018-09-20 |
| Account Takeover via billing | Improper Authorization | jolteon | Critical | 2018-09-20 |