| Improper Authentication - any user can login as other user with otp/logout & otp/login |
Improper Authentication - Generic |
korniltsev |
Critical |
2021-09-03 |
| Organization Members in Snap Kit may Deactivate Apps |
Privilege Escalation |
mainteemoforfun |
Low |
2021-08-26 |
| Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io |
Information Disclosure |
kiyell |
High |
2021-08-12 |
| Client IP Spoofing using "X-Forwarded-For: 127.0.0.1" on "studio-app.snapchat.com" exposing bucket details |
Improper Access Control - Generic |
damian89 |
High |
2021-08-12 |
| Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header |
Business Logic Errors |
sicarius |
Medium |
2021-08-04 |
| Bitmoji source code is accessible |
Information Exposure Through Directory Listing |
rms |
Medium |
2021-07-31 |
| Exposed Kubernetes API - RCE/Exposed Creds |
OS Command Injection |
txt3rob |
Critical |
2021-07-29 |
| Publicly accessible Continuous Integration Tool |
Improper Access Control - Generic |
apfeifer27 |
Critical |
2021-07-29 |
| Stealing SSO Login Tokens (snappublisher.snapchat.com) |
None supplied |
coolboss |
High |
2021-07-29 |
| CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction |
Cross-Site Request Forgery (CSRF) |
sdushantha |
Low |
2021-07-29 |
| Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata |
Server-Side Request Forgery (SSRF) |
nahamsec |
No rating |
2020-11-30 |
| Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata |
Server-Side Request Forgery (SSRF) |
nahamsec |
No rating |
2020-11-30 |
| Access to multiple production Grafana dashboards |
Information Disclosure |
damian89 |
High |
2020-11-04 |
| Access to multiple production Grafana dashboards |
Information Disclosure |
damian89 |
High |
2020-11-04 |
| Github Token Leaked publicly for https://github.sc-corp.net |
Cleartext Storage of Sensitive Information |
th3g3nt3lman |
Critical |
2018-10-08 |
| Domain Takeover in [obviousengine.com] a snapchat acquisitions |
Privilege Escalation |
malcolmx |
High |
2018-10-07 |
| XSS found on Snapchat website |
Cross-site Scripting (XSS) - Generic |
esnard |
No rating |
2018-05-26 |
| Subdomain Takeover via Unclaimed WordPress site |
Improper Authentication - Generic |
ysx |
Medium |
2017-10-06 |
| Subdomain Takeover via unclaimed UserVoice domain |
Privilege Escalation |
benoculars |
High |
2017-10-04 |
| RCE/LFI on test Jenkins instance due to improper authentication flow |
None supplied |
nahamsec |
Medium |
2017-08-19 |
| Open prod Jenkins instance |
Information Disclosure |
preben |
High |
2017-08-19 |
| [spectacles.com] Bypassing quantity limit in orders |
HTTP Request Smuggling |
hiorws |
Medium |
2017-08-12 |
| CRLF Injection at vpn.bitstrips.com |
CRLF Injection |
wplus |
Medium |
2017-06-16 |
| RTLO char allowed in chat |
UI Redressing (Clickjacking) |
kontez |
Medium |
2017-02-28 |
| [render.bitstrips.com] Stored XSS via an incorrect avatar property value |
Cross-site Scripting (XSS) - Generic |
s_p_q_r |
No rating |
2017-01-04 |
| Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue" |
Improper Authentication - Generic |
marwan |
No rating |
2016-11-25 |
| Subdomain takeover of blog.snapchat.com |
None supplied |
jreynoldsdev |
No rating |
2016-10-05 |
| Incoming email hijacking on sc-cdn.net |
None supplied |
rubyroobs |
No rating |
2016-09-24 |
| Subdomain takeover on http://fastly.sc-cdn.net/ |
Violation of Secure Design Principles |
ebrietas |
No rating |
2016-08-22 |
| Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials |
Improper Authentication - Generic |
notnaffy |
No rating |
2016-07-14 |
| Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition) |
Cross-site Scripting (XSS) - Generic |
harry_mg |
No rating |
2016-02-16 |
| Password Reset - query param overrides postdata |
Privilege Escalation |
reecer |
No rating |
2015-12-24 |
| Vulnerable to JavaScript injection. (WXS) (Javascript injection)! |
Command Injection - Generic |
protector47 |
No rating |
2015-10-22 |
| Captcha Bypass in Snapchat's Geofilter Submission Process |
Violation of Secure Design Principles |
zero |
No rating |
2015-05-04 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles