IRCCloud Program Statistics



40 total issues disclosed

$6,850 total paid publicly

Most disclosed (12 disclosures) — Cross-Site Request Forgery (CSRF)



Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| IDOR with Geolocation data not stripped from images | Insecure Direct Object Reference (IDOR) | do_some_hack | High | 2020-07-26 |
| [IRCCloud Android] Theft of arbitrary files leading to token leakage | Privacy Violation | bagipro | High | 2017-11-15 |
| [IRCCloud Android] XSS in ImageViewerActivity | None supplied | bagipro | Medium | 2017-11-03 |
| [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity | None supplied | bagipro | Medium | 2017-11-03 |
| Missing robots exclusion header for user uploads | Improper Access Control - Generic | d0rkerdevil | Low | 2017-10-27 |
| Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE | Memory Corruption - Generic | cha5m | No rating | 2016-10-15 |
| Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) | Cross-site Scripting (XSS) - Generic | rohitdua | No rating | 2016-07-09 |
| Inadequate input validation on API endpoint leading to self denial of service and increased system load. | Denial of Service | mantis | No rating | 2015-10-12 |
| Email verification links still valid after changing it 2x | Violation of Secure Design Principles | jackds | No rating | 2015-03-13 |
| Weak password policy | Improper Authentication - Generic | internetwache | No rating | 2014-11-27 |
| Missing Character Restriction | Violation of Secure Design Principles | harikrishnan_c | No rating | 2014-11-17 |
| Password type input with auto-complete enabled | Violation of Secure Design Principles | harikrishnan_c | No rating | 2014-11-17 |
| Bruteforce protection not enabled on the login page https://www.irccloud.com/ | Cryptographic Issues - Generic | born2hack | No rating | 2014-10-08 |
| Unvalidated Channel names causes IRC Command Injection | Cross-Site Request Forgery (CSRF) | mantis | No rating | 2014-10-01 |
| Persistent Cross Site Scripting within the IRCCloud Pastebin | Cross-site Scripting (XSS) - Generic | mantis | No rating | 2014-10-01 |
| CSRF to Account Take Over Bug | Cross-Site Request Forgery (CSRF) | defmax | No rating | 2014-09-08 |
| Host Header Injection - irccloud.com | Violation of Secure Design Principles | ethicalhacker | No rating | 2014-07-08 |
| Reflected XSS in Pastebin-view | Cross-site Scripting (XSS) - Generic | pseudochu | No rating | 2014-06-28 |
| User Account Creation CSRF | Cross-Site Request Forgery (CSRF) | chandrakant | No rating | 2014-06-25 |
| Log Out Cross site Request Forgery | Cross-Site Request Forgery (CSRF) | gunda | No rating | 2014-06-13 |
| Bruteforcing irccloud login | Violation of Secure Design Principles | eronx | No rating | 2014-05-26 |
| iOS application does not destroy session upon logout. | Improper Authentication - Generic | uname | No rating | 2014-05-23 |
| Login CSRF can be bypassed (Similar approach to previous one). | Cross-Site Request Forgery (CSRF) | uname | No rating | 2014-05-20 |
| Unwanted Spamming Using CSRF [LOGGED IN USER] | Cross-Site Request Forgery (CSRF) | ashesh | No rating | 2014-05-17 |
| Session cookie can be leaked over an unencrypted HTTP connection | Violation of Secure Design Principles | melvin | No rating | 2014-05-15 |
| Unsecure cookies, cookie flag secure not set | Violation of Secure Design Principles | eronx | No rating | 2014-05-15 |
| Bug in iOS application which could lead to unauthorised access. | Improper Authentication - Generic | uname | No rating | 2014-05-15 |
| Missing X-Content-Type-Options | Violation of Secure Design Principles | shipcode | No rating | 2014-05-15 |
| CSRF - Creating accounts | Cross-Site Request Forgery (CSRF) | internetwache | No rating | 2014-05-14 |
| HTML Form without CSRF protection | Cross-Site Request Forgery (CSRF) | robin | No rating | 2014-05-14 |
| Sign up CSRF | Cross-Site Request Forgery (CSRF) | eronx | No rating | 2014-05-14 |
| Dangerous Persistent xss | Cross-site Scripting (XSS) - Generic | reporter | No rating | 2014-05-13 |
| "SESSION" Cookie without HttpOnly flag set | Improper Authentication - Generic | ashesh | No rating | 2014-05-11 |
| Login page password-guessing attack(Brute-force attack-High). | Improper Authentication - Generic | xss | No rating | 2014-04-26 |
| Host Header is not validated resulting in Open Redirect | Violation of Secure Design Principles | anshuman_bh | No rating | 2014-04-24 |
| Session Token is not Verified while changing Account Setting's which Result In account Takeover | Cross-Site Request Forgery (CSRF) | exploitprotocol | No rating | 2014-04-23 |
| Login CSRF | Cross-Site Request Forgery (CSRF) | eronx | No rating | 2014-04-21 |
| Full account takeover using CSRF and password reset | Cross-Site Request Forgery (CSRF) | melvin | No rating | 2014-04-14 |
| Leaking Referrer in Reset Password Link | Violation of Secure Design Principles | eronx | No rating | 2014-04-12 |
| DNS Misconfiguration | None supplied | chmosama | No rating | 2014-04-11 |