Snapchat


Program Statistics


34 total issues disclosed

$173,100 total paid publicly

Most disclosed (4 disclosures) — Privilege Escalation



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Improper Authentication - any user can login as other user with otp/logout & otp/login | Improper Authentication - Generic | korniltsev | Critical | 2021-09-03 |
| Organization Members in Snap Kit may Deactivate Apps | Privilege Escalation | mainteemoforfun | Low | 2021-08-26 |
| Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io | Information Disclosure | kiyell | High | 2021-08-12 |
| Client IP Spoofing using "X-Forwarded-For: 127.0.0.1" on "studio-app.snapchat.com" exposing bucket details | Improper Access Control - Generic | damian89 | High | 2021-08-12 |
| Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header | Business Logic Errors | sicarius | Medium | 2021-08-04 |
| Bitmoji source code is accessible | Information Exposure Through Directory Listing | rms | Medium | 2021-07-31 |
| Exposed Kubernetes API - RCE/Exposed Creds | OS Command Injection | txt3rob | Critical | 2021-07-29 |
| Publicly accessible Continuous Integration Tool | Improper Access Control - Generic | apfeifer27 | Critical | 2021-07-29 |
| Stealing SSO Login Tokens (snappublisher.snapchat.com) | None supplied | coolboss | High | 2021-07-29 |
| CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction | Cross-Site Request Forgery (CSRF) | sdushantha | Low | 2021-07-29 |
| Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata | Server-Side Request Forgery (SSRF) | nahamsec | No rating | 2020-11-30 |
| Access to multiple production Grafana dashboards | Information Disclosure | damian89 | High | 2020-11-04 |
| Github Token Leaked publicly for https://github.sc-corp.net | Cleartext Storage of Sensitive Information | th3g3nt3lman | Critical | 2018-10-08 |
| Domain Takeover in [obviousengine.com] a snapchat acquisitions | Privilege Escalation | malcolmx | High | 2018-10-07 |
| XSS found on Snapchat website | Cross-site Scripting (XSS) - Generic | esnard | No rating | 2018-05-26 |
| Subdomain Takeover via Unclaimed WordPress site | Improper Authentication - Generic | ysx | Medium | 2017-10-06 |
| Subdomain Takeover via unclaimed UserVoice domain | Privilege Escalation | benoculars | High | 2017-10-04 |
| RCE/LFI on test Jenkins instance due to improper authentication flow | None supplied | nahamsec | Medium | 2017-08-19 |
| Open prod Jenkins instance | Information Disclosure | preben | High | 2017-08-19 |
| [spectacles.com] Bypassing quantity limit in orders | HTTP Request Smuggling | hiorws | Medium | 2017-08-12 |
| CRLF Injection at vpn.bitstrips.com | CRLF Injection | wplus | Medium | 2017-06-16 |
| RTLO char allowed in chat | UI Redressing (Clickjacking) | kontez | Medium | 2017-02-28 |
| [render.bitstrips.com] Stored XSS via an incorrect avatar property value | Cross-site Scripting (XSS) - Generic | s_p_q_r | No rating | 2017-01-04 |
| Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue" | Improper Authentication - Generic | marwan | No rating | 2016-11-25 |
| Subdomain takeover of blog.snapchat.com | None supplied | jreynoldsdev | No rating | 2016-10-05 |
| Incoming email hijacking on sc-cdn.net | None supplied | rubyroobs | No rating | 2016-09-24 |
| Subdomain takeover on http://fastly.sc-cdn.net/ | Violation of Secure Design Principles | ebrietas | No rating | 2016-08-22 |
| Administrator access to a Django Administration Panel on \*.sc-corp.net via bruteforced credentials | Improper Authentication - Generic | notnaffy | No rating | 2016-07-14 |
| Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition) | Cross-site Scripting (XSS) - Generic | harry_mg | No rating | 2016-02-16 |
| Password Reset - query param overrides postdata | Privilege Escalation | reecer | No rating | 2015-12-24 |
| Vulnerable to JavaScript injection. (WXS) (Javascript injection)! | Command Injection - Generic | protector47 | No rating | 2015-10-22 |
| Captcha Bypass in Snapchat's Geofilter Submission Process | Violation of Secure Design Principles | zero | No rating | 2015-05-04 |