Grab


19 total issues disclosed

$34,301 total paid publicly


Most disclosed (4 disclosures) — Information Disclosure




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| Subdomain Takeover Via Insecure CloudFront Distribution cdn.grab.com | Array Index Underflow | todayisnew | Medium | 2021-02-24 |
| [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure | Cross-site Scripting (XSS) - Generic | bagipro | High | 2019-03-16 |
| Leaking sensitive information on Github lead full access to all Grab Slack channels | Information Disclosure | xsam | Critical | 2018-09-11 |
| [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite | Cross-site Scripting (XSS) - Reflected | ysx | Medium | 2018-03-02 |
| Registration enabled on ███grab.com | Information Disclosure | grouptherapy | Medium | 2018-02-28 |
| Unrestricted access to https://██████.█████myteksi.net/ | Improper Access Control - Generic | reptou | Medium | 2018-02-12 |
| Unrestricted access to Eureka server on ██████ | Improper Access Control - Generic | reptou | Medium | 2018-02-06 |
| Leak ██████████ information in real time through API request | Improper Authentication - Generic | severus | High | 2018-02-03 |
| stored xss in comments : driver exam | Cross-site Scripting (XSS) - Generic | paresh_parmar | Medium | 2017-11-30 |
| Access Grab_Road BigData Database via Open Presto coordinator | Information Disclosure | vinothkumar | Critical | 2017-11-30 |
| www.drivegrab.com SQL injection | SQL Injection | jouko | High | 2017-11-17 |
| CSV Injection https://hub.grab.com | Command Injection - Generic | poison | Medium | 2017-10-27 |
| Blind stored xss [parcel.grab.com] > name parameter | Cross-site Scripting (XSS) - Stored | paresh_parmar | Critical | 2017-09-14 |
| Private Grab Messages on Android App can be accessed and cached by Search Engines | None supplied | sp1d3rs | Medium | 2017-09-14 |
| Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App | Improper Authentication - Generic | sp1d3rs | High | 2017-09-14 |
| Two-factor authentication bypass on Grab Android App | Improper Authentication - Generic | sp1d3rs | Medium | 2017-09-12 |
| Dom based xss affecting all pages from https://www.grab.com/. | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2017-08-17 |
| [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ | Cross-site Scripting (XSS) - DOM | vagg-a-bond | Medium | 2017-08-16 |
| Git repository found | Information Disclosure | linkks | High | 2017-08-13 |