Instacart

34 total issues disclosed
$3,175 total paid publicly
Most disclosed (6 disclosures): Information Disclosure

Disclosed Reports

Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on
View & add to cart unlisted items via IDOR | Insecure Direct Object Reference (IDOR) | bigshaq | High | 2018-05-25
Get all instacart emails - missing rate limit on /accounts/register | None supplied | 003random | Medium | 2017-12-02
Bruteforcing password reset tokens, could lead to account takeover | Brute Force | 003random | Medium | 2017-11-06
Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url= | None supplied | ak1t4 | No rating | 2017-05-30
XSS in instacart.com/store/partner_recipe | Cross-site Scripting (XSS) - Generic | ak1t4 | Low | 2017-05-30
WordPress Authentication Denial of Service | Denial of Service | clizsec | No rating | 2017-05-26
Login with Google Not Authenticated on iOS App | Improper Authentication - Generic | bhavukjain1 | Low | 2017-05-21
XSS in instacart.com/store/partner_recipe | Cross-site Scripting (XSS) - Generic | karel_origin | Medium | 2017-05-11
READ .svg files by changing .svg into .png extension | Violation of Secure Design Principles | codertom | No rating | 2017-03-29
Authentication Bypass in Updating Personal Information | Improper Authentication - Generic | footstep | No rating | 2017-01-17
Access private list metadata | Information Disclosure | sameoldstory | Low | 2016-12-24
User Information sent to client through websockets | Information Disclosure | archers123 | No rating | 2016-12-07
Full access to any list | Privilege Escalation | sameoldstory | No rating | 2016-11-18
Seemingly sensitive information at /api/v2/zones | Information Disclosure | sameoldstory | No rating | 2016-11-16
Authorization Bypass in Delivery Chat Logs | Privilege Escalation | michiel | No rating | 2016-11-04
Reflected File Download on recipe list search | Command Injection - Generic | dsopas | No rating | 2016-10-18
Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | malcolmx | No rating | 2016-10-13
Server side request forgery on image upload for lists | Code Injection | eboda | No rating | 2016-10-12
Cross-Site Scripting Reflected On Main Domain | Cross-site Scripting (XSS) - Generic | hussain_0x3c | No rating | 2016-09-30
Issues with uploading list images | Denial of Service | cablej | No rating | 2016-09-26
Cookie-Based Injection | Cross-site Scripting (XSS) - Generic | hussain_0x3c | No rating | 2016-09-26
[Critical] Subdomain Takeover | Privilege Escalation | gorkhali | No rating | 2016-09-21
Brute force login and bypass locked account restrictions via iOS app | Violation of Secure Design Principles | cablej | No rating | 2016-09-19
shopper login_code's can be brute forced | Improper Authentication - Generic | kenan | No rating | 2016-09-17
CSRF To change Email Notification Settings | Cross-Site Request Forgery (CSRF) | trad_zero_h | No rating | 2016-09-15
API OAuth Public Key disclosure in mobile app | Information Disclosure | cablej | No rating | 2016-09-15
Race Condition in Redeeming Coupons | Violation of Secure Design Principles | cablej | No rating | 2016-09-12
Fetch private list metadata and any user's personal name | Information Disclosure | sameoldstory | No rating | 2016-09-12
Hyperlink Injection in Friend Invitation Emails | Open Redirect | corb3nik | No rating | 2016-09-12
Missing rel=noreferrer tag allows link in list to change url of currently open tab | Violation of Secure Design Principles | cablej | No rating | 2016-09-12
Image Upload Path Disclosure | Information Disclosure | mefkan | No rating | 2016-09-12
Host Header Injection/Redirection in: https://www.instacart.com/ | Open Redirect | clarckowen_ | No rating | 2016-09-11
Stored XSS | Cross-site Scripting (XSS) - Generic | s44mux | No rating | 2016-09-09
CSRF with redeem coupon request | Cross-Site Request Forgery (CSRF) | introvertmac | No rating | 2016-08-13